
I'm working on an existing PHP page that was coded this way:
There is a list of users with a link next to each user to show the details of that particular user.

The problem is that the id of the user is displayed in the URL, which means any user can just change the id in the URL and get information about any other user in our database. Now my first thought was obviously to change the GET method to the POST method, but the problem is the link is forced to display the id. Here is the code:

echo " - <a href='example.com/fiche-commercial.php?idCommercial=".$row['id_utilisateur']."&nomClient=' class='linkOut'>show public user details</a>";

This is on the CRM side, and on the website side we have:

$idCommercial = $_GET["idCommercial"];
// square brackets instead of the curly-brace array syntax, which PHP 8 no longer accepts
$tabQuestion['idCommercial'] = $idCommercial;

I changed the GET method to the POST method but it didn't fix the issue, so I get in the URL:

example.com/fiche-commercial.php?idCommercial=22

  • And even if you use POST, that doesn't change anything in respect to security, as any technical student is able to modify and send POST requests as they like. Your application design is insecure and if you want to hide user data from other users you will need another approach. Commented Apr 12, 2018 at 8:21
  • If these are public links to user profile pages, then why is this an issue? Do you not like leaking internal identifiers? Are you worried about a numeric crawl of your user ids for scraping? Commented Apr 12, 2018 at 8:24
  • Well I agree with the security part, actually I didn't code this page, and apparently the coder's approach was to display the page in the website supposing that only the internal users will use this page, so technically it's not supposed to be public or display the id in the URL. Commented Apr 12, 2018 at 8:28
  • I'm reading this as: a client might have a profile at clients/foo, and you are worried they may look at clients/bar? Could you not restrict access to the profile page to admins and the client foo to only clients/foo? Perhaps you could clarify your question. Commented Apr 12, 2018 at 8:37
  • I've simplified your question a bit :) Commented Apr 12, 2018 at 8:50

2 Answers


You are correct, the user can simply change the ID and then the user gets that form. They could just do id=1 and they'll likely get an admin.

However, this is not a big problem. You have to send an ID, as your server needs to know which user it has to display; it has to know somehow what the visitor has clicked. You've encountered rule number one regarding input from the client side: Never trust input from the client side.

The solution lies in another direction: You always distrust user input, always treat it as bad/hacky/invalid data. That way, you should cover most of the problems (this is a practice you should learn asap!).
In your specific question the solution is simple: Make a function which checks if the client may see the data of that user. A function which does that is called a 'voter'.

// An example voter. Note: It's crude and might be written better, but it's a demo:
// (the logged-in user is passed in explicitly so the function has it in scope)
function hasViewAccess($requestedItem, $loggedInUser){
    // administrators may view every record
    if( $loggedInUser->isAdmin() ){
        return true;
    }
    // everyone else may only view their own record
    elseif( $requestedItem->id == $loggedInUser->id ){
        return true;
    }
    return false;
}

Just look around the web, so many sites with an ID plainly in the URL. Just take a look at this very page, its ID is 49791335. I can change it and it'll keep working, until I hit a page which gives me "not allowed". I can't do any harm at all, it has already decided I'm not allowed.

What if you want to send an extra parameter? Or 9? You don't want to encrypt/decrypt everything, it makes no sense. It just takes up CPU resources, and the moment someone figures out which encryption you used, they can still mimic every other ID again.


1 Comment

This hasViewAccess function may be used in each PHP page that needs an access right to be shown. You should also check who can access the page where you have the full list of users.

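The voter idea from the answer above, carried through to a complete request handler for a page like fiche-commercial.php. This is an added example, not code from the question or from the answerer; the User class, findUser(), the in-memory sample table and the session shape are assumptions made for the demo. The id still travels in the URL, and the check is identical whether it arrives via $_GET or $_POST, because the transport of the id is irrelevant to authorization:

```php
<?php
// Added example (not the asker's CRM code). Demonstrates the "voter" pattern:
// validate the id, look the record up, then let one function decide whether
// the logged-in viewer may see it. Assumes PHP 7.4 or newer.
declare(strict_types=1);

final class User
{
    public int $id;
    public string $name;
    public bool $isAdmin;

    public function __construct(int $id, string $name, bool $isAdmin = false)
    {
        $this->id = $id;
        $this->name = $name;
        $this->isAdmin = $isAdmin;
    }
}

// Constructed in-memory stand-in for the real users table (assumption).
const USERS_SAMPLE = [
    1  => ['name' => 'admin', 'admin' => true],
    22 => ['name' => 'alice', 'admin' => false],
    23 => ['name' => 'bob',   'admin' => false],
];

function findUser(int $id): ?User
{
    $row = USERS_SAMPLE[$id] ?? null;
    return $row === null ? null : new User($id, $row['name'], $row['admin']);
}

// The voter: the single place that answers "may $viewer see $requested?".
function hasViewAccess(User $requested, User $viewer): bool
{
    if ($viewer->isAdmin) {
        return true;            // administrators may view every record
    }
    return $requested->id === $viewer->id;   // others only their own record
}

// Request handler. $params is $_GET or $_POST; $viewer comes from the session.
// Returns [http status, body] so the result can be inspected.
function handleFiche(array $params, ?User $viewer): array
{
    if ($viewer === null) {
        return [401, 'login required'];
    }
    // Never trust client input: accept only a positive integer.
    $id = filter_var(
        $params['idCommercial'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return [400, 'invalid idCommercial'];
    }
    $requested = findUser($id);
    // Same answer for "no such user" and "not allowed", so a visitor who
    // walks the id space learns nothing about which ids exist.
    if ($requested === null || !hasViewAccess($requested, $viewer)) {
        return [403, 'not allowed'];
    }
    return [200, "details of {$requested->name} (id {$requested->id})"];
}

// Demo: constructed requests, as they would arrive in $_GET.
$alice = findUser(22);
$admin = findUser(1);
$cases = [
    ['who' => 'alice',  'viewer' => $alice, 'params' => ['idCommercial' => '22']],
    ['who' => 'alice',  'viewer' => $alice, 'params' => ['idCommercial' => '23']],   // edited id
    ['who' => 'alice',  'viewer' => $alice, 'params' => ['idCommercial' => '22abc']],
    ['who' => 'admin',  'viewer' => $admin, 'params' => ['idCommercial' => '23']],
    ['who' => 'nobody', 'viewer' => null,   'params' => ['idCommercial' => '22']],
];
foreach ($cases as $case) {
    [$status, $body] = handleFiche($case['params'], $case['viewer']);
    printf("%-6s idCommercial=%-6s -> %d %s\n",
        $case['who'], $case['params']['idCommercial'], $status, $body);
}
```

Run it with `php fiche-demo.php`: alice gets her own record and a 403 for id 23, the malformed id is rejected with 400, the admin sees id 23, and an anonymous request gets 401. The list page that links to these records needs the same treatment, as the comment notes: the voter only protects the detail page, so the page that enumerates users must itself be restricted to accounts allowed to see the whole list.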

I found another solution, which is to simply encrypt the id in the URL since I need the id to be present in the URL, so I used base64_decode/encode.

4 Comments

Anyone with some technical skill (and the ones messing with your site often are) will recognize base64. This'll take me 1 sec longer :)
And, this might be just me, when someone is trying to hide stuff from me, I often go into "Challenge accepted!" mode, where a simple ID is just an ID.
@Martijn is there a better way to encrypt the id?
Yes, various, just google "PHP encrypt". But just take a look at this specific page. There is an ID in the URL (e.g. 49791335). It's not encrypted as that is overkill. Also, de-/encrypting takes up CPU power. Sure, there are cases when you want to encrypt. Yours is not one of them.
