2

I'm wondering if $_POST & $_GET can have issues with security.

Let's say I have an AJAX code that sends the data to a PHP file with the following:

```php
if (isset($_POST['id'])) {
    $client_id = mysql_real_escape_string($_POST['id']);
    $client_name = mysql_real_escape_string($_POST['name']);

    // Delete the client
    $sql = "DELETE FROM clients WHERE id='" . $client_id . "'";
    mysql_query($sql) or die(mysql_error());

    // Delete the client's pages
    $sql = "DELETE FROM fanpages WHERE client='" . $client_name . "'";
    mysql_query($sql) or die(mysql_error());
}
```

Now let's say the PHP file name is delete.php; any user can just write something like delete.php?id=423&name=Jack and it will shoot the query and delete the client?

I was thinking about adding a COOKIE check at the beginning, but as far as I know COOKIEs can be faked as well, am I right?

So what is the solution for making safe $_POST & $_GET requests in combination with DB queries?

EDIT: All this happens inside of a user-password secured area, but I'm asking about the sole delete.php file. Do I need to add a COOKIE check to this file as well?

EDIT2: The script is working with COOKIEs, not SESSIONS. Should I add SESSIONS to the system as well? Is it necessary to have cookies and sessions on the same system?

Ricardo
  • You have to make some sort of authentication. If you don't have this, anyone can simply type the url (like you said) and execute the changes. You should have some code, session, password-something on your site. This will increase security. – OptimusCrime Nov 28 '11 at 08:01
  • You can easily create your own get and posts. It's not hard to modify a post, but it's obviously a lot harder than using get. PDOs can stop SQL injection, but you will still need to check if a user is authorized to do certain queries. So in your case, you need to see if the user can actually run that query. – Matt Nov 28 '11 at 08:03
  • You need to add a session check in each file that needs to be secured. – Ben Lee Nov 28 '11 at 08:07
  • When you say, "All this happens inside of a user-password secured area" what exactly do you mean? Sessions are really the only way for this to be implemented. – Ben Lee Nov 28 '11 at 08:07
  • 1
    No, you don't need sessions and cookies together. Just make sure the cookie you create for logged-in users exists there before deleting him. Logically, non-logged-in people can't use your `delete.php` if it only allows the user himself delete her profile. – Hossein Nov 28 '11 at 08:08
  • @Hossein - So I will basically create an `if` to check if `empty($_COOKIE["u_name"])` and it should help? I heard that cookies can be faked, is it true? – Ricardo Nov 28 '11 at 08:12
  • 2
    Both cookies and sessions have their own vulnerabilities. This is a wide discussion. In your case, if one manages to find out the format of your cookies, he can create a fake cookie on his system to pretend he is another user logged-in: One of the ways to avoid this is to assign a private hash number to each user and save it in his cookie. Other people won't know that number and can't fakely log-in as him... There is much discussion about this. Search the web for more info. – Hossein Nov 28 '11 at 08:18
  • Check session on top $_SESSION['admin'] – Mohit Bumb Nov 28 '11 at 10:46
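
The difference between the `empty($_COOKIE["u_name"])` check and the per-user secret value suggested in the comments above, as an added example that is not part of the original thread. The function names, the `auth` cookie name and the in-memory `$store` (standing in for a database table) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// The check floated in the comments: it passes for ANY non-empty cookie
// value, including one the visitor typed into their own browser.
function naive_cookie_user(array $cookies): ?string
{
    $name = $cookies['u_name'] ?? null;
    return (is_string($name) && $name !== '') ? $name : null;
}

// At login: hand out a random token and keep only its SHA-256 on the server.
// $store is a hypothetical stand-in for a database table.
function issue_token(array &$store, string $username, int $now, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['user' => $username, 'expires' => $now + $ttl];
    return $token; // value for setcookie(); the username never comes from the cookie
}

// On every protected request: the cookie is only a lookup key.
function token_user(array $store, array $cookies, int $now): ?string
{
    $token = $cookies['auth'] ?? null;
    if (!is_string($token) || $token === '') {
        return null;
    }
    $row = $store[hash('sha256', $token)] ?? null;
    return ($row !== null && $row['expires'] > $now) ? $row['user'] : null;
}

// Constructed demo values.
$store = [];
$now = 1322467200;
$real = issue_token($store, 'alice', $now);
var_dump(naive_cookie_user(['u_name' => 'alice']));           // hand-written cookie
var_dump(token_user($store, ['auth' => 'alice'], $now));      // guessed value
var_dump(token_user($store, ['auth' => $real], $now));        // token issued at login
var_dump(token_user($store, ['auth' => $real], $now + 7200)); // same token after expiry
```

Only the hand-written `u_name` cookie and the genuine unexpired token resolve to a user; the guessed and expired values return `NULL`. A PHP session works on the same principle, with the session id as the lookup key.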

3 Answers

2

The trick is to properly escape data and prevent SQL injections. If it comes to deleting a user and you want to be extra safe, you could require a login or something too.

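```php
session_start();

// ...

// isset() avoids an "undefined index" notice when nobody has logged in yet
if (isset($_SESSION['userLoggedIn']) && true === $_SESSION['userLoggedIn']) {
    // your code
}
```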

Of course, this would require you to create some sort of authentication procedure after a login form is submitted. (e.g. querying a MySQL database and testing the username and password against a table of users)

Here is a great example!

Yes Barry
  • Please see EDIT2. Will it be safe with COOKIEs too, or will I need to make a SESSION authorization as well? – Ricardo Nov 28 '11 at 08:07
  • You could use a cookie too if you really _want_ to. The authentication process would be almost the same, just that you wouldn't need `session_start()` anymore and you would use `setcookie()` after user is authenticated instead of setting a value in `$_SESSION`.. – Yes Barry Nov 28 '11 at 08:10
  • I heard that COOKIEs can be faked, is it true? – Ricardo Nov 28 '11 at 08:11
  • Yes that's true. Easily in fact. Also, beware of session hijacking and things like that. For added security you could use secure sessions and HTTPS. – Yes Barry Nov 28 '11 at 08:13
1

You should allow only logged-in clients to issue a sensitive request like that. Use sessions. At the beginning of the file you'll do `session_start();`

Then you'll check `$_SESSION["username"]`: if it is empty then you won't delete it, but if a username is there (which you'll set on login) then you'll verify if the user has the privilege to do the operation.

Muhammad Hasan Khan
  • The script is working with COOKIEs, not SESSIONS. Should I add SESSIONS to the system as well? Is it necessary to have cookies and sessions on the same system? – Ricardo Nov 28 '11 at 08:04
  • 1
    With a session the actual data remains on the server (only the session id is in the cookie) and can't be faked, but with a cookie the data will be saved on the client machine, where it can be faked. – Muhammad Hasan Khan Nov 28 '11 at 08:27
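
The sequence this answer describes (session check first, then a privilege check, then the delete) as an added example that is not code from the thread. `handle_delete()`, the `users.can_delete` column and the SQLite sample data are assumptions; the session, request method and POST data are passed in as arguments so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for delete.php. $session stands in for $_SESSION,
// $method for $_SERVER['REQUEST_METHOD'] and $post for $_POST.
function handle_delete(PDO $db, array $session, string $method, array $post): int
{
    if ($method !== 'POST') {
        return 405; // delete.php?id=423&name=Jack typed as a URL stops here
    }
    if (empty($session['username'])) {
        return 401; // not logged in; this value is only set server-side at login
    }
    // Being logged in is not enough: the user also needs the privilege.
    $stmt = $db->prepare('SELECT can_delete FROM users WHERE username = ?');
    $stmt->execute([$session['username']]);
    if ((int) $stmt->fetchColumn() !== 1) {
        return 403;
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    // Bound parameters instead of string concatenation; the client's name is
    // looked up by id rather than trusted from the request.
    $db->beginTransaction();
    $db->prepare('DELETE FROM fanpages WHERE client = (SELECT name FROM clients WHERE id = ?)')
       ->execute([$id]);
    $del = $db->prepare('DELETE FROM clients WHERE id = ?');
    $del->execute([$id]);
    $db->commit();
    return $del->rowCount() === 1 ? 200 : 404;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, can_delete INTEGER);
           CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT);
           CREATE TABLE fanpages (client TEXT);
           INSERT INTO users VALUES ('admin', 1), ('viewer', 0);
           INSERT INTO clients VALUES (423, 'Jack');
           INSERT INTO fanpages VALUES ('Jack');");

$post = ['id' => '423'];
var_dump(handle_delete($db, [], 'GET', $post));                        // URL typed by hand
var_dump(handle_delete($db, [], 'POST', $post));                       // no session
var_dump(handle_delete($db, ['username' => 'viewer'], 'POST', $post)); // lacks privilege
var_dump(handle_delete($db, ['username' => 'admin'], 'POST', $post));  // permitted
```

In a real `delete.php` the return value would go to `http_response_code()` after `session_start()` has populated `$_SESSION`.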
1

This thread is targeted towards sessions, but I bet your cookies aren't safe as is right now. It's super easy to steal cookies. You should do sessions, but you need to make sure your session path is private and that you aren't letting people hijack your session, etc.

PHP Session Security

phpmeh