I have started studying PHP, and there is this one question that I don't seem to understand.

For example, I have a PHP script at a URL: http://example.com/Test.php

If this script has a query that expects a parameter from the user (from a GET) then I could easily execute it like this:

http://example.com/Test.php?uid=2

where the query could be a

SELECT * FROM USERS WHERE UID = 2

Now I read that if I want to get sensitive information/upload to server I should use POST, but even if I use POST, I could still do the same in Postman with the parameters, and the query still executes.

I read about SQL injections and found that PDO is useful because it sends the query separately from the data to the server.

I have rewritten the first query with PDO, but I can still execute it with URL saying http://example.com/Test.php?uid=2. What am I doing wrong here? Am I misunderstanding something?

Questions:

  • Is having public access to the scripts normal? Because it seems very insecure to me.
  • How is POST safer than GET when I can reproduce the same behavior in Postman?
  • Why can I still run my code with PDO by entering parameters in the URL? Isn't the point that we send them separately to the server, and there it gets executed?

  • Is `2` a security-related secret? Why? – deceze Aug 30 '18 at 12:33
  • And no, PDO doesn't know what you *mean*. It can protect you from SQL injection, that's part of its job. It doesn't know where a value comes from or whether `2` is supposed to be secret or whatnot. – deceze Aug 30 '18 at 12:34
  • Too much to go through. Avoid asking multiple questions. It sounds like you need a mentor or teacher. – Devon Bessemer Aug 30 '18 at 12:34

1 Answer

Now I read that if I want to get sensitive information/upload to server I should use POST

Forget sensitive. There is practically nothing security related in your choice of HTTP methods. The only thing is that your log files might record query strings in GET requests.

See this answer for further reading.

Is having public access to the scripts normal?

Yes. The entire point of giving a script a public URL is to provide information in public.

Why can I still run my code with PDO's with entering parameters in the URL?

The point of parameterized queries is to prevent SQL injection, where special characters are added to the data so that a query other than the one you intended to run is run. See Bobby Tables for a more in-depth explanation.


If you don't want people to run your query at all, don't give it a public URL.

If you want to limit what values people can pass into it, then write code which limits those values.

This might involve logic like:

 If the user is not logged in:
      send them to the login page
 If the user does not own the comment they are trying to edit:
      throw an error message
 Otherwise:
      run the UPDATE query

Quentin
  • So how does inserting work then? I can't imagine it's really secure to have a website.com/register.php?name=xy&password=123, so that everyone who has the URL can insert stuff into the database? – Gábor Micskó Aug 30 '18 at 12:42
  • @GáborMicskó — You **want** people to insert data into the database. That's how they create an account. Security problems come about when people do things you don't want them to do. – Quentin Aug 30 '18 at 12:44
  • @Murilo — That doesn't help with the concern they raised. – Quentin Aug 30 '18 at 12:45
  • @Gábor Maybe a basic misunderstanding here is the role of the frontend vs. the backend… Your server is only responding to HTTP requests. Always. That's what it does. An HTTP request isn't "secure" or whatnot, an HTTP request just *is*. Anyone can send an HTTP request to your server containing any data at any time. It's up to your server/your code to decide whether a request is allowed/valid/sensical or not. Sending a request with information isn't an issue, your server acting on it is or isn't. – deceze Aug 30 '18 at 12:48
  • I think I understand now! Thank you fellas – Gábor Micskó Aug 30 '18 at 12:52