  1. #1
    DoubleDee

    Securely Viewing PM

    So I have built a PM System that seems to work, but I need an outside opinion on whether how I am displaying the User's Private Message is secure enough. (Since this module is like 2,000+ lines of code, I can't just post everything here.)

    When a User is in his/her Inbox and clicks on a Message entry, it sends the User to my "view_pm.php" script and a URL like this would be created...

    Code:
    http://local.debbie/account/view_pm.php?msgview=incoming&msg=2
    In order to view the PM, the User has to be logged in, and my Message query looks like this...
    PHP Code:
        // The two ? placeholders are bound at execute time: the Member ID from the session, then the msg value from the URL.
        $q2 = "SELECT member_id_to, m_to.username AS username_to, m_to.photo_name AS photo_to,
                    member_id_from, m_fr.username AS username_from, m_fr.photo_name AS photo_from,
                    subject, body, sent_on, read_on
                FROM private_message AS pm
                INNER JOIN pm_recipient AS r
                ON pm.id=r.message_id
                INNER JOIN member AS m_to
                ON m_to.id=r.member_id_to
                INNER JOIN member AS m_fr
                ON m_fr.id=pm.member_id_from
                WHERE r.member_id_to=?
                AND pm.id=?";

    Notice that in the last two lines I am checking that the request is for a... 1.) Valid PM, and is from a 2.) Valid Member

    I get the "MemberID" from the User's Session.

    What worries me is if just passing "&msg=2" in the Query String is enough??

    It shouldn't matter, since I am pairing that up with the "Member ID", but I just wanted another opinion.

    BTW, I have tested my code and it appears to be working fine.

    Thoughts?

    Thanks,


    Debbie

  2. #2
    chris.upjohn
    As long as you're using prepared MySQL bindings for your query you shouldn't have any issues, as the SQL query is where 99% of all hacks occur because of un-escaped strings. Apart from that there wouldn't be any other way for someone to gain access through the view_pm.php unless they had direct access to your file system, which happens if your code in general has a security hole in the login form for example.

  3. #3
    DoubleDee
    Quote: Originally Posted by chris.upjohn
    As long as you're using prepared MySQL bindings for your query you shouldn't have any issues, as the SQL query is where 99% of all hacks occur because of un-escaped strings. Apart from that there wouldn't be any other way for someone to gain access through the view_pm.php unless they had direct access to your file system, which happens if your code in general has a security hole in the login form for example.
    Yes, I'm using Prepared Statements.

    And I follow what you are saying, but you are missing my key point...

    If you have the "Message ID" that is technically all you would need to access the PM in the "Private Message" table, because it alone uniquely identifies a PM.

    Now of course you couldn't run the query to get the whole...
    To:
    From:
    Date:
    Subject:
    Body:
    ...but still.

    Like I showed, I am using the Member's ID from the $_SESSION to make sure that only the SENDER/RECEIVER can see the PM, but I just wanted to be sure I wasn't missing something.


    Debbie

  4. #4
    chris.upjohn
    As long as you're authenticating the user on each page load there is no way someone could gain access, unless the script has a security hole during the auth check which allows someone to spoof the session data easily, in which case it would allow a hacker to gain access to pretty much every account if they can guess one.

  5. #5
    kduv
    Also make sure you're stripping and/or encoding the message output to prevent XSS and the like.
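
The checks discussed in this thread, put together as an added example that is not part of any post and not the original poster's code: the message ID from the URL is validated, the lookup is scoped to the session's member ID, and the output is HTML-encoded. The in-memory SQLite schema, the sample rows and the function names `fetchIncomingPm` and `renderPm` are assumptions made for illustration, and only the incoming (recipient) view is covered.

```php
<?php
// Constructed schema and rows, simplified from the query shown in post #1.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE private_message (id INTEGER PRIMARY KEY, member_id_from INTEGER, subject TEXT, body TEXT);
           CREATE TABLE pm_recipient (message_id INTEGER, member_id_to INTEGER);
           INSERT INTO private_message VALUES (1, 10, 'Hi', 'Lunch?'), (2, 11, '<b>Re</b>', '<script>alert(1)</script>');
           INSERT INTO pm_recipient VALUES (1, 20), (2, 30);");

/**
 * Returns the message only if $sessionMemberId is its recipient, otherwise null.
 * $rawMsgId is the untrusted ?msg= value; $sessionMemberId comes from $_SESSION.
 */
function fetchIncomingPm(PDO $db, int $sessionMemberId, $rawMsgId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $msgId = filter_var($rawMsgId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($msgId === false) {
        return null;
    }
    // The member ID is part of the WHERE clause, so the message ID alone selects nothing.
    $stmt = $db->prepare(
        'SELECT pm.subject, pm.body
           FROM private_message AS pm
           INNER JOIN pm_recipient AS r ON pm.id = r.message_id
          WHERE r.member_id_to = ? AND pm.id = ?'
    );
    $stmt->execute([$sessionMemberId, $msgId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderPm(?array $pm): string
{
    if ($pm === null) {
        // Same response for "no such message" and "not yours", so IDs cannot be probed.
        return 'Message not found.';
    }
    $e = fn($s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h2>' . $e($pm['subject']) . '</h2><p>' . nl2br($e($pm['body'])) . '</p>';
}

// Member 30 is the recipient of message 2; member 20 asks for the same ?msg=2.
echo renderPm(fetchIncomingPm($db, 30, '2')), PHP_EOL;    // encoded subject and body
echo renderPm(fetchIncomingPm($db, 20, '2')), PHP_EOL;    // Message not found.
echo renderPm(fetchIncomingPm($db, 30, '2abc')), PHP_EOL; // Message not found.
```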
