2

How to protect my delete.php files

$id = (int) $_GET['id'];
$delete = $connection->prepare("DELETE FROM `articles` WHERE `id` = :id");
$delete->execute(['id' => $id]);
if($delete->rowCount() > 0){
   echo 'SUCCESS';
}else{
   echo 'ERROR';
}

Let's say I am logged in to my website panel and my session is on

 $_SESSION['user_id'] = My_ID;

And some hacker sends a link to my email while I am logged in

 <img src="http://my.website.com/panel/articles/delete.php?id=353">

That link is going to delete my article OR WORSE a complete main section of my website, and that is VERY DANGEROUS. So how can I secure my delete links from that?

Abdalla Arbab

3 Answers

4

This is a very good example of why it is stated in the HTTP RFC that the GET method should be used only to request data, while for data manipulation the POST method should be used.

And to protect POST forms from this kind of fraud, the usual CSRF protection has to be used. In short, each form should be signed with a secret token, stored in the session as well. So a site will be able to verify whether the form was issued by the engine.

An example can be found here, preventing csrf in php

Your Common Sense
1

You can build a two-step confirmation form.
When the user goes to articles/delete.php?id=353, you just calculate some hash 'qweadasdasdqw' and provide a link just like this: articles/delete.php?id=353&hash=qweadasdasdqw

And just build a form with the question 'Do you really want to delete article?'. The 'yes' button will send the user to the URL articles/delete.php?id=353&hash=qweadasdasdqw, and the 'no' button will send the user to the list of articles.

So if the hash is correct, you will delete this article.

Take a look at the code

$hash = isset($_GET['hash']) ? $_GET['hash'] : null;
$id = (int) $_GET['id'];
if (isset($hash) && (md5($id) == $hash)) { // Check hash
    $delete = $connection->prepare("DELETE FROM `users` WHERE `id` = :id");
    $delete->execute(['id' => $id]);
    if($delete->rowCount() > 0){
       echo 'SUCCESS';
    }else{
       echo 'ERROR';
    }
} else {
    $hash = md5($id); // Generate hash todo use more security function
    echo 'Do you really want to delete this article? <a href="http://my.website.com/panel/articles/delete.php?id=' . $id . '&hash=' . $hash .'">yes</a>';
}
Michail M.
https://i.imgsafe.org/775addadf1.png The number can easily be decrypted; you need to use the PHP password_hash API http://php.net/manual/en/function.password-hash.php – Abdalla Arbab Jan 12 '17 at 12:30
0

You could do a few things:

  1. Use the POST method for data manipulation instead of GET.

  2. You can also make use of tokens; make sure you regenerate your tokens.

  3. Don't just check if the user is logged in, but also make sure the logged-in user has permission to delete / update that record.

Codeformer
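The checks the answers above describe (POST only, a secret token stored in the session, and a per-record permission check) combined in one handler, as an added example that is not code from the thread. The function names, the `csrf` form field, the `owner_id` column and the in-memory SQLite data are assumptions made for the demo, which needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. Assumed/hypothetical names:
// csrf_token(), handle_delete(), the `csrf` form field, an `owner_id` column.
function csrf_token(array &$session): string
{
    // Random per-session secret; unlike md5($id), a third party cannot compute it.
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function handle_delete(PDO $db, array &$session, string $method, array $post): array
{
    if ($method !== 'POST') {              // GET (links, <img src>) never changes data
        return [405, 'ERROR: use POST'];
    }
    if (empty($session['user_id'])) {
        return [401, 'ERROR: not logged in'];
    }
    $sent = is_string($post['csrf'] ?? null) ? $post['csrf'] : '';
    if (empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return [403, 'ERROR: bad token'];  // the form was not issued by this site
    }
    $session['csrf'] = bin2hex(random_bytes(32));   // regenerate after each use
    // The permission check lives in the query: only the owner's row can match.
    $stmt = $db->prepare('DELETE FROM articles WHERE id = :id AND owner_id = :uid');
    $stmt->execute(['id' => (int) ($post['id'] ?? 0), 'uid' => (int) $session['user_id']]);
    return $stmt->rowCount() > 0 ? [200, 'SUCCESS'] : [404, 'ERROR'];
}

// Constructed demo data: in-memory SQLite, user 7 owns article 353, user 8 owns 354.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, owner_id INTEGER)');
$db->exec('INSERT INTO articles VALUES (353, 7), (354, 8)');
$session = ['user_id' => 7];               // stands in for $_SESSION

$cases = [                                 // label => [method, article id, send token?]
    'GET from an <img> tag'       => ['GET',  353, false],
    'POST without a token'        => ['POST', 353, false],
    "POST for another user's row" => ['POST', 354, true],
    'POST from the real form'     => ['POST', 353, true],
];
foreach ($cases as $label => [$method, $id, $withToken]) {
    $post = ['id' => $id] + ($withToken ? ['csrf' => csrf_token($session)] : []);
    [$status, $body] = handle_delete($db, $session, $method, $post);
    echo "$label: $status $body\n";
}
```

In a real delete.php the arguments would be `$_SESSION`, `$_SERVER['REQUEST_METHOD']` and `$_POST`, and the confirmation form would carry `csrf_token($_SESSION)` in a hidden `csrf` field.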