Geek Answers Handbook

How to make $ _GET more secure?

I use the get method to perform some operation, for example, approve, markasspam, delete, for the comment system. I know that it is very unsafe to go this route, but I cannot help. because the reason for using the $ _GET method is to execute the operation inside the page itself using PHP_SELF, and FYI I use the post method, using the flag to perform the operation.

now in order to make it a bit safe, I want to randomize a number or generate a hash or something, and then compare it, get an identifier and perform an operation

my current code is a bit like this.

<?php if($approve == 1 ) { ?> <a href="<?php echo $_SERVER['PHP_SELF']."?approve=".$id; ?>">Unapprove</a> <?php } else { ?> <a href="<?php echo $_SERVER['PHP_SELF']."?unapprove=".$id; ?>">Approve</a> <?php } ?> | <a href="<?php echo $_SERVER['PHP_SELF']."?spam=".$id; ?>">Spam</a> | <a class="edit-comments" href="edit-comments.php?id=<?php echo $id; ?>">Edit</a> | <a href="<?php echo $_SERVER['PHP_SELF']."?delete=".$id; ?>">Delete</a>

and I perform the operation using this code.

 if(isset($_GET['approve'])) { $id = intval($_GET['approve']); $query = "UPDATE comments SET approve = '0' WHERE id = '$id'"; $result = mysql_query($query); } if(isset($_GET['unapprove'])) { $id = intval($_GET['unapprove']); $query = "UPDATE comments SET approve = '1' WHERE id = '$id'"; $result = mysql_query($query); } if(isset($_GET['delete'])) { $id = intval($_GET['delete']); $query = "DELETE FROM comments WHERE id = '$id'"; $result = mysql_query($query); } if(isset($_GET['spam'])) { $id = intval($_GET['spam']); $query = "UPDATE comments SET spam = '1' WHERE id = '$id'"; $result = mysql_query($query); }

instead of using approval or non-approval or deletion or spam, I want to randomize or hash these words and make it as long as possible, and then perform the operation.

How can I do it? how do you feel about this?

EDIT: Please note: only the authenticated user ie Admin will be able to perform this operation. even though it goes through system authentication I want to add more security even for the administrator. avoid experimentation or accident

the code is not accurate, it is just a sample so that you understand what I want to achieve.

+3
source share
3 answers

If you use the GET or POST parameters, it does not really matter in this context - what the script needs is an authentication of sorts. (After that, you can enter security information where GET is slightly less secure than POST - see comments for details.)

I would say that you have two options:

  • Protecting the entire script with .htaccess - no changes needed for the script itself

  • We represent authentication of a third-party PHP user and perform operations only if the user who is logged in makes a request. Requires fundamental changes to the script, but is the most flexible.

Repeat your edit:

Turns out your script is already protected. In this case, I assume that you are uncomfortable with increasing identifiers appearing in the URLs, browser caching, etc. Etc. The usual solution is to create a random key for each comment when it is created (in addition to the incremental identifier). This key is stored in a separate column (do not forget to add an index), and you will agree with it.

Another step will be to create temporary hashes for each action, which is the maximum protection against a number of external attacks.

Repeat your editing about using one-time hashes:

I have never implemented one-time hashes in the admin interface, but I have no experience with this, but I believe that a very simple implementation will store the action hashes in a separate table with hash , record and action columns. Whenever your tool lists several entries and exits "delete / approve / unapprove", it generates three entries in the hash table for each comment: one for deletion, one for approval, one for unauthorized ones. Then the "delete / approve / unapprove" links, instead of the record identifier and the command, will receive the correct hash as the only parameter.

Add a timeout function for unused hashes (plus delete all the hashes that were actually used), and you're done.

+5
source

You can do it this way, $_GET not an insecure thing in your code. Insecurity comes from the fact that you do not verify the user, for example. allowed to delete comments.

In your current code, anyone can delete anything at any time and as needed.

If you have a wrapping code that ensures that the postet from if-statements fails, if enter good reason here , then everything is fine.

But you should try to verify that the contents of the parameters are really integers, and not just int_val'ing them and using them directly in the database.

On your edit

You must verify that your parameter is indeed int. intval("test") will also return an integer, basically 0.

This may require a regular expression to verify that the string consists of only numbers: preg_match('/[0-9]+/', $_GET['id']);

If so, you can perform the action.

+1
source

You should not use GET for any operations that modify data on the server. NEVER. You use it only to receive data.

If you cannot use forms for control buttons (because there is another form outside of them), you should consider this design:

  • You use AJAX to execute POST requests to your server.
  • In environments with javascript disabled, do you use GET links like user.php? action = delete, which shows you a very simple form on a separate page. The heading on the form asks: "Do you really want to delete user X?" and it has two buttons: 1) "Yes" - sends a POST request for a script operation, 2) "No" - which sends the user back to the page where he was
0
source

More articles:


All Articles