Reputation: 1442
On one page there are multiple rows of records (information).
The user can click a link at the end of each row. It opens a new page (popup) like host/pageaddress.php?id=777
777 is the id of a mysql row. In the new page I display the information that is recorded in mysql with id 777.
If the user wants, he can change 777 to any other number and get the corresponding mysql row displayed. Modifying the id in such a way, the user can access only the table and rows which the user is allowed to access. And at the moment I do not know of any security hole because of such modification (if someone knows, please write).
But I do not like to allow the user such modifications (it feels uncomfortable). When I searched I found information that I can not prevent the user from modifying it. However I know one website where I can not modify the url.
I tried to write something in the address bar and I can not. I do not know why (maybe because of https?)
So at the moment I am thinking of the following solution.
At the main page create $_SESSION['display'] = 'something';
In the new popup page
    if(isset($_SESSION['display'])){
        echo ' content';
    }
Then at the bottom of the page unset($_SESSION['display']);
So if the user modifies the url, the page reloads and $_SESSION['display'] is not set. So no content.
Please advise if such a solution is ok. Is there a better solution?
Update: The above mentioned solution appears useless. But thinking about a solution, here is another one:
1) At the main page create a hash, and name it for example $hash
2) $_SESSION['display'] = $hash;
3) record $hash in mysql
4) in the new popup window (file) check if $_SESSION['display'] exists and is equal to the hash in mysql. At the end of the page unset the hash and delete it from mysql
This is just to think about a possible solution... does it work?
Upvotes: 1
Views: 4579
Reputation: 943556
If user wants, he can change 777 to any other number
Yes. There is absolutely no way to control what the user instructs their browser to ask your server for.
and gets displayed corresponding mysql row.
If you only want some rows to be available to the user, then authenticate that user and check if they are authorised to view that row.
For example, some pseudo-code:
    if user is not logged in
        provide login page
    else
        if user id matches row's owner id field
            provide data
        else
            provide error message
However I know one website where I can not modify the url
That's what happens when you open a popup window and tell it not to show the toolbar. It doesn't provide any security because the user can still copy the URL into a new window and modify it as much as they like.
So if the user modifies the url, the page reloads and $_SESSION['display'] is not set
That just means they have to copy the URL into a new window between the time they visit the main page and the time they click on whatever triggers the popup.
It's annoying and twiddly, but not secure.
Upvotes: 4
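The pseudo-code in the answer above, written out as a working popup page in PHP. This is an added example, not code from the asker or the answerer. It assumes a MySQL table named `records` with columns `id`, `owner_id` and `content`, a login flow that already stores the authenticated user's id in `$_SESSION['user_id']`, and the connection details shown in the `new PDO(...)` call; all of those names are assumptions for the example. The point it demonstrates is the one the answer makes: the `id` in the URL is untrusted input, so the server authenticates the user and then checks that the requested row belongs to that user, instead of trying to stop the user from editing the URL.

```php
<?php
// Added example (not from the original question or answer).
// Assumed schema: records(id INT, owner_id INT, content TEXT).
// Assumed login flow: $_SESSION['user_id'] holds the authenticated user's id.
declare(strict_types=1);

session_start();

// 1. Authenticate. No logged-in user: send them to the login page,
//    exactly as the first branch of the answer's pseudo-code says.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. Validate the untrusted id parameter from the URL. Anything that is
//    not a positive integer is rejected before it reaches the database.
//    filter_input returns false on a bad value and null when id is absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Authorise inside the query itself: the row must both exist and be
//    owned by the logged-in user. A prepared statement keeps the id out of
//    the SQL text, so changing 777 to 777 OR 1=1 in the URL cannot help either.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                         // assumed credentials
    'secret',
    [
        PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES  => false,
    ]
);
$stmt = $pdo->prepare(
    'SELECT id, content FROM records WHERE id = :id AND owner_id = :owner'
);
$stmt->execute([':id' => $id, ':owner' => $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Give the same response for "no such row" and "not your row", so a user
//    walking through ids learns nothing about which ones belong to others.
if ($row === false) {
    http_response_code(404);
    exit('Not found');
}

// 5. Only now display the data, escaped for HTML output.
echo htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8');
```

Note that nothing here depends on how the user arrived at the URL: opening pageaddress.php?id=778 in a fresh tab, with no session flag set by the main page, still gets either that user's own row 778 or a 404. That is what makes the owner check a real control, where the session-flag and one-time-hash ideas from the question only change which sequence of requests the user has to send.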