-3

What's the best way to secure a GET request or are there any, safer alternatives?

I'm using a couple of GET requests in my website to generate webpages dynamically and to delete records based on ID.

The last one worries me a bit, because people could just change the URL to whatever file they want to delete.

To have access to the delete-file they do need to login and have certain permissions, which will throw an error if they don't have sufficient permissions.

I came across a really old SO post, stating that you should use themysqli_real_escape_string function to make it at least more secure.

I also read about validation being really important, so I was thinking about checking whether the ID is an actual integer or not.

There's another post stating that hiding the request in the URL is basically useless, since the request will always be a part of the URL.

This is my delete-file, it uses two statements, one deletes the actual post, and the other one deletes the associated images with that post.

include('./utils/auth.php');

require('./utils/db.php');

$stmt_1 = $connect->prepare('DELETE FROM `dias` WHERE diaserie_id = ?');

if($stmt_1) {
    $id = $_GET['id'];
    $stmt_1->bind_param('i', $id);
    if($stmt_1->execute()) {
        // Als de afbeeldingen uit de database zijn, verwijder dan ook de serie zelf
        $stmt_2 = $connect->prepare('DELETE FROM `diaseries` WHERE diaserie_id = ?');
        if($stmt_2) {
            $stmt_2->bind_param('i', $id);
            if($stmt_2->execute()) {
                echo "Both the files and post have been deleted.";
            } else {
                echo "The files have been deleted, the post iself could not be deleted.";
            }
        }
    } else {
        echo "Files and post could not be deleted.";
    }
}
rpm192
  • 2,630
  • 3
  • 20
  • 38
  • first of all you can add an permission to users if they are allowed to delete files or not. if the permission is granted then, before deleting the files you must firstly get the file having the given id and check if the authenticated user owns that file.. – Mihai Matei May 18 '18 at 08:07
  • You are including an `auth.php` that does seem to imply that you need someone to be signed in in order to perform that action ? Do you also check if the signed in user is authorized to delete that specific file they requested? `$_GET` is not inherently less safe than other methods with the exception of the fact that it's visible on the browser bar so people standing behind you can read it. – apokryfos May 18 '18 at 08:08
  • "Secure" in what way? So users who aren't allowed to delete something can't delete something? That requires the server to check that permission before deleting, plain and simple (whatever your criterion is there we don't know). Also, don't use GET requests for deleting (or generally modifying any state). It's fine to use URL query parameters (`$_GET`), but the HTTP request method must be POST (or DELETE, in fact). Otherwise Google will empty your site just by crawling it (if you're also lacking permission checks…). – deceze May 18 '18 at 08:09
  • @deceze Do you have a link of a website that I could read about DELETE requests? – rpm192 May 18 '18 at 08:32
  • https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods – But in browsers, only GET are POST are usable from plain forms; for anything else you'll need Javascript. – deceze May 18 '18 at 08:34
  • Short answer? Don't do anything that changes the server's state in any meaningful way with HTTP GET! – GordonM May 18 '18 at 08:37

2 Answers2

0

Store images and associated files in database (MySQL) and allow only to delete from database which is related to same login credential.

You should not consider uploading images to the database instead you can store the name of the uploaded file in your database and then retrieve the file name and use it where ever you want to display the image.

HTML CODE:

<input type="file" name="imageUpload" id="imageUpload">

PHP CODE:

if(isset($_POST['submit'])) {

    //Process the image that is uploaded by the user

    $target_dir = "uploads/";
    $target_file = $target_dir . basename($_FILES["imageUpload"]["name"]);
    $uploadOk = 1;
    $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);

    if (move_uploaded_file($_FILES["imageUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["imageUpload"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }

    $image=basename( $_FILES["imageUpload"]["name"],".jpg"); // used to store the filename in a variable

    //storind the data in your database
    $query= "INSERT INTO items VALUES ('$id','$title','$description','$price','$value','$contact','$image')";
    mysql_query($query);

    require('heading.php');
    echo "Your add has been submited, you will be redirected to your account page in 3 seconds....";
    header( "Refresh:3; url=account.php", true, 303);
}

CODE TO DISPLAY IMAGE:

while($row = mysql_fetch_row($result)) {
    echo "<tr>";
    echo "<td><img src='uploads/$row[6].jpg' height='150px' width='300px'></td>";
    echo "</tr>\n";
}
Manav Akela
  • 166
  • 2
-2

If Your $_GET[] Request Is Not Secure: Just Do These Steps:

1)Lets Suppose Url = localhost/hungry.com?id=1

2)add ' in the end of url eg: localhost/hungry.com?id=1' If It Give Error Then Your $_GET[] Is insecure

3)lets suppose your get var is this: $piid=$_GET['piid']; Just Make This:

$piid=(int)($_GET['piid']); just add (int) and then

4)add ' in the end of url eg: localhost/hungry.com?id=1' You Will Get No error This Means Your $_GET[] Is Now Secure

Krishna Wadhwani
  • 123
  • 1
  • 10