Known Participant

Question

recordID= url protection (php / Mysql)

Forum|Forum|14 years ago
June 24, 2011
1 reply
1678 views

(I'm using Php / MySql / DWCS3)

My website allows clients to log in with their own username and password to view their personal records - and NOT anyone else's.

I achieved ths buy creating a query in MySql and using it as a recordset in Dreamweaver.

This works fine, but I found out that you can log in as 'Client A' and see all your records, but you can manually edit the recordID number in the URL to see other clients records!

How can I prevent users from editing the URL?

Can I encrypt it perhaps?

Thanks!

Server side applications

This topic has been closed for replies.

B

Ben M

Inspiring

If you are using page.php?clientid=123 to log your clients in you are seeing the most basic form of injection. Basically your code is not checking for what that variable is and is not verifying it against anything. Thus, your site is not secure at all. The answer here is not really encryption. You encrypt data you do not want to be read, but if someone can enter in another into the clientid they can do just about anything with your site.

What we need to re-examine is the login flow that you have planned. If you are on a tight deadline at this point I would recommend looking into CMS answers from the basic Wordpress and CMSMS to Drupal and ModX. If you are not on a tight deadline and have questions about programming this to work we can go from there, but I don't want to start typing out a long discussion if you are not looking to go in that direction.

W

Wookie1Author

Known Participant

Hi,

I'm not on a tight deadline and would like to get this working.

To start with, these are my database tables:

user_tbl

user_UID client_ID username password access_level

1 1 joe bloggs member

2 1 fred smith member

3 2 john edwards member

4 3 lee jones member

client_tbl

client_UID client_name

1 company A

2 company B

3 company C

install_tbl

Install_UID client_ID job_number site_name install_date

1 1 123456 London 2010-10-01

2 2 321456 Birmingham 2010-05-12

3 2 123145 Glasgow 2010-01-05

4 3 789745 Newcastle 2010-03-07

I have created and saved a query (qry_satnote) in phpmyadmin that filters the install records by client, and then matches up with the corresponding user.

So basically it does this:

'joe bloggs' sees install records from 'company A'

'fred smith' sees install records from 'company A'

'john edwards' sees install records from 'company B'

'lee jones' sees install records from 'company C'

----------------------------------------------------------------------------------------------------------------------------------------

Index.php

Users log in on this page via the 'log in user' server behaviour - validated using the 'username' and 'password' column from the 'user_tbl'

----------------------------------------------------------------------------------------------------------------------------------------

Every page from here has the ‘restrict access to page’ behaviour set to ‘member’

Sites_list.php

This is the landing page if login details are accepted.

This page displays a list of installs for this client. Each with a hyperlink to the detail page for the selected record - I've included the hyperlink next to each record for reference.

The data is brought through by a recordset using these settings:

Recordset name:

rsLatestProjects

SELECT *

FROM qry_satnote

WHERE username = colname

Name: colname

Type: text

Default value: -1

Run time value: $_SESSION['MM_Username']

Job number site name Details

123456 London view (search_results_detail.php?recordID=1)

321456 Birmingham view (search_results_detail.php?recordID=2)

123145 Glasgow view (search_results_detail.php?recordID=3)

789745 Newcastle view (search_results_detail.php?recordID=4)

The full code for the 'view' hyperlink is:

search_results_detail.php?recordID=<?php echo $row_rsLatestprojects['install_UID']; ?>

-------------------------------------------------------------------------------------------------------------------------------------

Search_results_detail.php

This page display the full details for the chosen record.

This is where the problem occurs as I can change the recordID= number in the url and see records for other clients.

Recordset name:

DetailRS1

SELECT *

FROM qry_satnote

WHERE install_UID = colname

Name: colname

Type: numeric

Default value: -1

Run time value: $_GET['recordID']

------------------------------------------------------------------------------------------------------------------------------------

I hope I’ve been clear in what I’ve written, if you need to see any code let me know.

Thanks very much for your help.

W

Wookie1Author

Known Participant

So in effect it'll be acting as a double authentication?

This is the sql statement for qry_satnote

SELECT user_tbl.user_UID, user_tbl.username, user_tbl.password, user_tbl.access_level, client_tbl.client_name, install_tbl. *
FROM client_tbl JOIN user_tbl JOIN install_tbl
ON client_tbl.client_UID = install_tbl.client_ID AND user_tbl.client_ID = install_tbl.client_ID

Sorry, I've made a correction to the sites list.php page, I didn't explain that the logged in user can only see a list of their sites and not anyone else's.....

So for example if John Edwards logs in, he can only see a list of his sites:

Job number site name Details

321456 Birmingham view (search_results_detail.php?recordID=2)

123145 Glasgow view (search_results_detail.php?recordID=3)

When clicking through to the search_results_detail.php page that is where I can change the recordID number to see other clients records.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded