url variables and security

dominant

What about the security of the $_GET[something] variables?

feldon23

Obviously they're completely insecure and you don't want to put any important information in them.

dominant

What can we do instead? using encrypted info in the url variables, sessions?

feldon23

Don't use URL variables. Use POST method (like a form) or SESSIONs.

Although all transmissions between a computer and a website are insecure unless the website is using https encryption with a certificate and all that.

dominant

Well, how SESSIONS could replace the GET variable when you have the following example


<a href="showthread.php?threadid=4"> Click on me! </a>

the showthread.php should consists of the GET variable in order to get the specific thread with the id=4

Moonglobe

well then dont change that one to a session variable.....its not like its sensitive data or anything 😉

dominant

Definitely, there is fear of sql reversing. That is what i want to prevent.

I feel that you can control the $_GET variables 100%

Moonglobe

SQL reversing? what, you mean visible posting of DB data that shouldn't be there? there's almost no chance of that if your code is good, and im assuming its not yours but a proffessional claibre forum such as phpbb or vb we're tralking about (or is this in general? you're not entirly clear). of course you cant control them 100%, but thats a tradeoff between flexibility (do you really want users to have to initiate POST headers themselves for each page?) and security (you can't see POST headers (well yes you can, but most people dont really want to screw some personal site/fansite/clansite/non-microsoft(😉) site up 🙂)). so take it or leave it, if you're really concerned use https. just be smart and dont put stuff open for everyone to see (or spoof) in the URI.

mho
moon

dominant

Well, i mean that you cound change entirely an SQL statement playing smartly with the GET vars

Moonglobe

only if you're passing pretty detailed stuff in the URI, unless you mean you're displaying everything in a row with only the id as input and not checking anything on the page to see aht they are how they say they are AND its actually very important data that you're sending........ sry for ranting but i jsujt dont see what the point is unless you're running something that people REALLY want to see.

Weedpacket

The security level of anything coming from the client is simple: there isn't any. Whether it's $GET[] or $POST[] there's no way of ensuring that you only receive legitimate requests, because people and programs can fire whatever they like at your server, from legitmate http requests; through illegitimate ones with anything they like in the headers and body; right down to and including random noise (although only signals that conform to the http protocol would get as far as being processed by PHP).

If you want to secure the content of anything you send to the client you have to ensure that whoever or whatever you're sending it to is authorised to receive it. And even then you'll need to check that any requests that come in did so from legitimate users. And you'll still need to check that the requests you receive are valid.

dominant

I want to show everything from a table using the id as input. However, some rows must be invisible(use password).

Thus, playing with the GET we can "see" those rows which have been defined as protected (there is a field in the table (boolean) that determine if a row is protected or not)

dominant

Reading the secure programming http://www.zend.com/zend/art/art-oertli.php i ended up that casting is the best trick.

What do you say?

superwormy

Weedpacket is on the right track... you should listen to him.

Type casting won't ensure that you're rows are still not able to be displayed, but type casting is a good idea, yes.

If you have that booleen already, you should be able to key off that boolean and make sure they're logged in / have provided a password...

feldon23

This is just a user input validation issue.

dominant

can someone escape from the casting or it is 100% secure?

superwormy

Type casting simply forces a variable to be of a certain type, whether that be string, array, integer, etc.

Not even sure what you had in mind asking if you can 'escape' from type casting...

The bottom line here is YOU CANNOT TRUST USER INPUT.

The only thing you can do to ensure that people don't break things by giving you teh wrong input is to CHECK IT. This means type casting, checking to see if user input is valid ( i.e.: make sure they enter an email address into the email address field, an integer when you're being passed a database ID, etc. ) and always checking to make sure the expected input is actually there. Use the super-global arrays $GET, $POST, etc. and log errors and other disasters do you can see what happened and fix it later.