Secure Deletion method

shmick25

Hi, I am currently writing an administration system for my site and obvioulsy need to delete some records.

Ok, say I am looping through some records in a table:

for ($i=0;$i < 5 & ($row = mssql_fetch_array($results));$i++) {
<td width='20'><a href='".$php_self."?delusr=".$row['user_id'].");'>
<img src='../../../img/admin/admin/tic.gif' width='20' height='14' border='0' alt='Add User'></a></td>
}

The url on the resulting page would be index.htm?delusr=34. It becomes obvious to me that this is a really inscure way to delete database elements as a user could simply type in different id numbers into the url and delete any record they wanted to. Is there way to encode the url? Or what is the best way to create a secure database deletion method?

Thanks in advance!

chriskl

Never let a user see their user_id. Use a session mechanism. Make sure you always AND together what you are deleting with the user_id that they cannot control. Anything else is totally insecure. There's no such thing as 'encrypting' your script variables.

Chris

mikeatrpi

I have a similar setup; if you check the validity / permission again before you actually delete the file then you should be safeguarded. I use sessions to track all my users through my site, which helps make repetitive permission checking possible.

shmick25

Hi, the admin area is protected via the sessions.. i am just a bit perplexed by the way you can stop users from seeing id you want to delete from the query.

Is there an easy way to hide this in invisable form elements? Cheers

mikeatrpi

Invisible form elements aren't really hidden- just look at the source code.

I have a bunch of links:
deletescript.php?id_to_delete=1
deletescript.php?id_to_delete=2
deletescript.php?id_to_delete=3

When a user clicks one, deletescript.php checks and makes sure id_to_delete is one they are allowed to delete before it deletes it. To be extra safe, USERID is registered in the session (it can't be overwritten on the URL line). So in deletescript.php check if USERID is registered and then check if id_to_delete is one that USERID has permission to delete. If so, delete it. If not, error.

[deleted]

" makes sure id_to_delete is one they are allowed to delete before it deletes it."

this is the key, you should not try to prevent people from seeing the userid so they cannot issue the delete command, that is pointless because your admin function is built to enable them to issue delete commands.

You should make sure that the commands they are allowed to delete the userid's they want to delete.

And it pays to not actually delete the rows, but to mark them as 'inactive'.
That way when someone 'deletes' the wrong records, you can run a simple query to reset the records from 'inactive' to 'active' instead of restoring the backup from tape.