Reputation: 1367
I am working on a workbank in CodeIgniter where people add, edit and review documents. Document information is stored in a MySQL table somewhat like this:

    CREATE TABLE `document` (
      `owner` varchar(15) NOT NULL,
      `id` smallint(6) NOT NULL AUTO_INCREMENT,
      `pdf` varchar(250) NOT NULL,
      `title` varchar(250) NOT NULL,
      `permission` tinyint(1) NOT NULL DEFAULT '1',
      `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
      PRIMARY KEY (`id`,`pdf`)
    ) ENGINE=InnoDB AUTO_INCREMENT=35 DEFAULT CHARSET=utf8;

The pdf field is the name of the file. Combined with the id they make up the primary key of the table.
On the frontend part of the application, users often see and use lists of these documents and I want to attach links to them. Imagine that such a link can be created like this:

    <a href='some_controller/some_method?pdf=<?php echo $document->handle; ?>'>Link</a>

Where the handle attribute of a supposed $document object is a unique identifier that method some_method uses to load the document that the user clicked.
What is the most secure database field for this? I considered the id field but its auto_increment seems insecure and would allow people to fiddle with the HTML to get forbidden documents. Should I add another unique column with a random n-digit or string hash?
Upvotes: 0
Views: 57
Reputation: 1145
You can do a lot of things here. What you suggest, creating a new column on your table and saving the hashed id of the document there, will increase the 'security' a little bit, so the probability of randomly typing an existing id is lower.
But I don't think that's the proper way to do that. My recommendation here is to create a new table that relates the available documents to each user, or a table that relates the methods with the users, depending on your application needs. For example:

    //documents_for_users
    document | user
    0803161  | 1
    0803162  | 1

Once this has been done, on your method call, you have to check for this relation between tables before doing anything with the document.
Controller

    function some_method() {
        // Requested document id from the query string (?pdf=...)
        $id = $this->input->get('pdf');
        // Current user comes from the server-side session
        $user = $this->session->userdata('userid');
        if ($this->my_model->check_permission($id, $user)) {
            // do your stuff with document then
        }
    }

Model

    function check_permission($id, $user) {
        // Look for a row that links this document to this user
        $this->db->select('*');
        $this->db->from('documents_for_users');
        $this->db->where('document', $id);
        $this->db->where('user', $user);
        $query = $this->db->get();
        // Allowed only if such a row exists
        if ($query->num_rows() > 0) {
            return true;
        }
        return false;
    }

This way your security would be significantly increased.
Upvotes: 1
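
The per-user check described in the answer above, as an added example that is not part of the original question or answer: it goes one step further and fetches the document and verifies the grant in a single query, so a sequential id in the link is harmless. The helper name load_document_for_user, the in-memory SQLite database and the sample rows are assumptions constructed for illustration; only the documents_for_users table layout comes from the answer.

```php
<?php
// Added example. Constructed schema and rows in an in-memory SQLite database
// so the script runs offline; a CodeIgniter app would use its own DB layer.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE document (id INTEGER PRIMARY KEY, pdf TEXT NOT NULL, title TEXT NOT NULL)');
$db->exec('CREATE TABLE documents_for_users (document INTEGER NOT NULL, user INTEGER NOT NULL,
           PRIMARY KEY (document, user))');
$db->exec("INSERT INTO document VALUES (34, 'a.pdf', 'Report A'), (35, 'b.pdf', 'Report B')");
$db->exec('INSERT INTO documents_for_users VALUES (34, 1), (35, 2)');

/**
 * Hypothetical helper: return the document row only if $userId has a grant
 * for it, otherwise null. Authorization and fetch happen in one query, so
 * no code path can load a document without the check.
 */
function load_document_for_user(PDO $db, $rawId, int $userId): ?array
{
    // Reject anything that is not a plain positive integer before querying.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT d.id, d.pdf, d.title
           FROM document d
           JOIN documents_for_users g ON g.document = d.id
          WHERE d.id = :id AND g.user = :user'
    );
    $stmt->execute([':id' => $id, ':user' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The user id (1 here) must come from the server-side session, never from the URL.
// Requests: a granted id, another user's id reached by editing the link,
// an id that does not exist, and a non-numeric value.
foreach (['34', '35', '999', '35abc'] as $requested) {
    $doc = load_document_for_user($db, $requested, 1);
    // Same response for "forbidden" and "not found", so ids cannot be probed.
    echo $requested, ' => ', $doc === null ? '404 Not Found' : 'serve ' . $doc['pdf'], PHP_EOL;
}
```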