user782104

Reputation: 13555

Codeigniter URI routing and security

In CodeIgniter or a RESTful structure, a page can be routed to through the URI.

For example, if I would like to look at the item list of id 1, then I just need to create a path like this:

domain.com/item/view/1

And in the controller:

function view() {
   // segment(3) is the "1" in domain.com/item/view/1
   $id = $this->uri->segment(3);
   //database get data and return view...
}

This should be the standard way to implement a RESTful structure. However, in a member system, where the item id is dependent on the user, how can I protect the link?

So that other users cannot brute-force by trying different IDs and read other members' items.

One approach is just to compare the user_id and item_id in each function. But if the system is large, that means I need to compare in each function, and that is a lot of coding and checking.

Is there any smarter way to reduce the overhead / coding?

Thanks

Upvotes: 1

Views: 1464

Answers (2)

ZachC

Reputation: 76

There is no way to protect URLs. Someone could simply change the number in the URL and fetch different data. If the ID is sensitive, you would not want to pass the information through the URL.

One option is to encrypt the ID being passed in the URL (ex: 29 could be encrypted so it appears as 'S84jG483dJd').

The ID could also be passed through using the CodeIgniter session library or even with flash data (stored for one request). This way, if the IDs are sensitive, the likelihood of anyone altering them would be slim (enable session cookie encryption in CI for more security).

However, if the information is that sensitive, I would always have checks in place before the database is fetched and shown to the user. It is always good practice to code with your users' worst intentions in mind!

Upvotes: 2

Abdulla Nilam

Reputation: 38670

domain.com/item/view/1 always stands for base_url/controller/method,

so you create a controller (Item), then a function (view):

class Item extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
    }

    // CodeIgniter passes the 3rd URI segment as the first method argument.
    public function view($id)
    {
        //so in $id it will assign the 3rd value to it.
        $new_id = $id;
        echo $new_id;
    }
}

Upvotes: 1
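One way to do what ZachC's last paragraph recommends (a check before every fetch) without repeating it in each method, as an added example that is not from either answer: put the logged-in user id in a base controller and scope every item query by that id in the model. File paths, the `items` table columns (`id`, `user_id`), the `user_id` session key and the `auth/login` route are assumptions; the rest uses standard CodeIgniter 3 calls.

```php
<?php
// application/core/MY_Controller.php  (assumed path, CI3 convention)
// Resolves the current user once, so no controller method re-checks the session.
class MY_Controller extends CI_Controller
{
    protected $user_id;

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
        $this->user_id = $this->session->userdata('user_id'); // assumed session key
        if ($this->user_id === null) {
            redirect('auth/login'); // assumed login route; redirect() exits
        }
    }
}

// application/models/Item_model.php
class Item_model extends CI_Model
{
    // Every lookup is scoped by owner: an id belonging to another member
    // returns null exactly like a non-existent id, so there is nothing to enumerate.
    public function get_owned($item_id, $user_id)
    {
        return $this->db->get_where('items', array(
            'id'      => (int) $item_id,
            'user_id' => (int) $user_id,
        ))->row();
    }
}

// application/controllers/Item.php
class Item extends MY_Controller
{
    public function view($id)
    {
        $this->load->model('item_model');
        $item = $this->item_model->get_owned($id, $this->user_id);
        if ($item === null) {
            // Same 404 whether the row is missing or belongs to someone else,
            // so the response does not reveal which ids exist.
            show_404();
        }
        $this->load->view('item/view', array('item' => $item));
    }
}
```

Because the ownership condition lives in the model, any new controller method that reads items through `get_owned()` inherits the check instead of re-implementing it.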
