  1. #1 SitePoint Addict (joined Dec 2011, 221 posts)

    Delete, update in GET method

    Greetings! I found this tutorial
    http://phpeasy.co.uk/tutorial-object...-crud-methods/ so great! But I have a small problem about the update and delete part; I don't understand it, but I found my own way to solve it: I just added another method and it works well.
    Code:
    public function id()
    {
        return $this->id;
    }
    My problem is I'm using the GET method for deleting my items and I don't know how to secure my data. Whenever I try to put mysite/delete?='id value here' in my URL, my data is deleted even though I'm using PDO. Is there any way to prevent a user from doing it? Thank you.

  2. #2 SitePoint Enthusiast (United Kingdom, joined Feb 2012, 77 posts)
    Quote Originally Posted by claro
    My problem is I'm using the GET method for deleting my items and I don't know how to secure my data. Whenever I try to put mysite/delete?='id value here' in my URL, my data is deleted even though I'm using PDO. Is there any way to prevent a user from doing it? Thank you.
    I believe you're referring to Cross-Site Request Forgery (or CSRF), on which the database API has no effect. A security feature known as a nonce can help prevent the problems you're having by passing a unique token through the request URI (and validating it on the other end against a session variable). Here's a quick example to demonstrate:

    index.php
    PHP Code:
    <?php session_start();
    // Token from the CSPRNG (PHP 7+). md5(mt_rand()) is not suitable here:
    // mt_rand() is not cryptographically secure and gives only ~2^31 possible values.
    $_SESSION['nonce'] = bin2hex(random_bytes(16));
    ?>
    <!DOCTYPE html>
    <html>
    <body>

    <a href="action.php?do=delete&gid=1&id=1&ext=php&tok=<?php echo $_SESSION['nonce']; ?>">Delete Something</a>

    </body>
    </html>
    action.php
    PHP Code:
    <?php session_start();

    // Require both the submitted token and a session token, reject non-string
    // input (tok[]=... would arrive as an array), and compare in constant time
    if (isset($_GET['tok'], $_SESSION['nonce'])
        && is_string($_GET['tok'])
        && hash_equals($_SESSION['nonce'], $_GET['tok']))
    {
        # valid data
    }
    ?>
    That's one common method of preventing CSRF; the other method (if you didn't want to go through the hassle of setting up nonces) would be to handle the data via the HTTP POST method.
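The same nonce idea as the reply above, but with the token delivered in a POST form rather than the URL (the second option the reply mentions). This is an added example, not code from the thread; it assumes PHP 7.0 or newer for random_bytes(), and the field names "id" and "tok" and the delete-item scenario are assumptions for the demo.

```php
<?php
// Added example, not code from the thread: CSRF token created once per session,
// rendered into a hidden POST field and checked with a constant-time compare.
// Assumes PHP >= 7.0 (random_bytes); field names "id"/"tok" are assumptions.
declare(strict_types=1);

session_start();

// Create the token once per session and reuse it. Regenerating it on every
// page view invalidates the form in any other tab the user has open.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a plain === stops at the first differing byte and
// leaks timing information about the stored token.
function csrf_check($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false; // missing token, tok[]=... array injection, or no session token yet
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only POST reaches this branch: a crawler following links, or an <img src>
    // or <a href> on a third-party page, can only issue GET requests.
    if (!csrf_check($_POST['tok'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Bad id');
    }
    // The delete itself goes here, as a prepared statement whose WHERE clause
    // also checks that $id belongs to the logged-in user.
    exit('Deleted item ' . $id);
}
?>
<!DOCTYPE html>
<html>
<body>
<!-- A hidden field instead of a query string keeps the token out of access
     logs, browser history and the Referer header. -->
<form method="post" action="">
    <input type="hidden" name="id" value="1">
    <input type="hidden" name="tok" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete item 1</button>
</form>
</body>
</html>
```

Save it as a single script under a PHP-enabled web server: a GET renders the form, and submitting it sends the token back in the POST body. Removing or altering the hidden field produces a 403, and the same request sent from another origin fails because that origin cannot read the token stored in this session.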

  3. #3 SitePoint Addict (joined Dec 2011, 221 posts)
    Thank you very much sir! I'll just google what 'nonce' is all about. Thank you, thank you!

  4. #4 SitePoint Enthusiast (United Kingdom, joined Feb 2012, 77 posts)
    Quote Originally Posted by claro
    Thank you very much sir! It works well, but can you enlighten me about this line?
    Code:
    do=delete&gid=1&id=1&ext=php&tok=<?php echo $_SESSION['nonce']; ?>
    That was just a random URI example of an HTTP GET request used to perform an action. The unique token (in the session variable) is echoed out so that it's in the URI link, making the link valid on that page for when you want to use the action.

  5. #5 Cups, SitePoint Wizard (France, deep rural; joined Oct 2006, 6,869 posts)
    Quote Originally Posted by daro
    My problem is I'm using the GET method for deleting my items and I don't know how to secure my data.
    Another potential problem you may need to guard against is that using GET to delete things can have unforeseen side effects.

    A bot could index your site and accidentally delete everything.

    Even when logged in, a mischievous user could delete items in their own account, or the accounts of others by just creating a load of sequentially numbered html links.

    GET should be used to do just that: get things.

    There are ways to defend against this, including:

    • Not actually deleting anything, just setting a flag in your table in a column named display (0 / 1) **
    • Making sure each MySQL user only has delete privileges for their own tables
    • Limiting the number of deletes per minute, say
    • Using the POST method for deletes, inserts, updates etc.

    Just something to bear in mind, 'tis all, and much depends on your situation.

    ** that might mean you can offer an undo option, or look upon old data as an "archive".
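A delete routine built on the suggestions in this reply, as an added example that is not code from the thread: it soft-deletes by clearing a `display` flag, scopes the UPDATE to the requesting user's own rows so a guessed or sequential id belonging to someone else matches nothing, and caps deletes per user per minute. It runs from the command line against an in-memory SQLite database through PDO (needs the pdo_sqlite extension). The table layout, the column names, the sample rows and the limit of five deletes per minute are assumptions for the demo; enforcing POST on the HTTP side is a separate concern not shown here.

```php
<?php
// Added example, not code from the thread: soft delete with owner scoping and a
// per-minute cap, on an in-memory SQLite database via PDO. Table layout, column
// names, sample rows and the limit of 5 per minute are assumptions for the demo.
declare(strict_types=1);

const MAX_DELETES_PER_MINUTE = 5;

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (
        id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,
        title TEXT NOT NULL, display INTEGER NOT NULL DEFAULT 1)');
    // One row per successful delete, used for the per-minute cap.
    $pdo->exec('CREATE TABLE delete_log (owner_id INTEGER NOT NULL, at INTEGER NOT NULL)');

    // Constructed sample rows: user 10 owns 1-2, user 20 owns 3, user 30 owns 4-10.
    $ins = $pdo->prepare('INSERT INTO items (id, owner_id, title) VALUES (?, ?, ?)');
    $ins->execute([1, 10, 'first item of user 10']);
    $ins->execute([2, 10, 'second item of user 10']);
    $ins->execute([3, 20, 'only item of user 20']);
    for ($i = 4; $i <= 10; $i++) {
        $ins->execute([$i, 30, "item $i of user 30"]);
    }
    return $pdo;
}

function deletes_in_last_minute(PDO $pdo, int $ownerId, int $now): int
{
    $st = $pdo->prepare('SELECT COUNT(*) FROM delete_log WHERE owner_id = ? AND at > ?');
    $st->execute([$ownerId, $now - 60]);
    return (int) $st->fetchColumn();
}

// Returns true only when a visible row owned by $ownerId was hidden.
function soft_delete(PDO $pdo, int $itemId, int $ownerId, int $now): bool
{
    if (deletes_in_last_minute($pdo, $ownerId, $now) >= MAX_DELETES_PER_MINUTE) {
        return false; // over the cap; a web handler would answer 429 here
    }
    // The owner check lives in the WHERE clause, so an id that belongs to
    // someone else matches zero rows instead of being deleted.
    $st = $pdo->prepare('UPDATE items SET display = 0
                         WHERE id = ? AND owner_id = ? AND display = 1');
    $st->execute([$itemId, $ownerId]);
    if ($st->rowCount() === 0) {
        return false;
    }
    $pdo->prepare('INSERT INTO delete_log (owner_id, at) VALUES (?, ?)')
        ->execute([$ownerId, $now]);
    return true;
}

// Listings only show rows that are still displayed; hidden rows stay in the
// table for an undo feature or an archive view.
function visible_titles(PDO $pdo, int $ownerId): array
{
    $st = $pdo->prepare('SELECT title FROM items WHERE owner_id = ? AND display = 1 ORDER BY id');
    $st->execute([$ownerId]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = make_db();
$now = time();

var_dump(soft_delete($pdo, 3, 10, $now)); // false: item 3 belongs to user 20, nothing changes
var_dump(soft_delete($pdo, 1, 10, $now)); // true
var_dump(soft_delete($pdo, 1, 10, $now)); // false: already hidden
print_r(visible_titles($pdo, 10));        // only the second item remains listed
print_r(visible_titles($pdo, 20));        // user 20's item is untouched

// Rate limit: the first five deletes by user 30 succeed, the remaining two are refused.
$results = [];
for ($i = 4; $i <= 10; $i++) {
    $results[$i] = soft_delete($pdo, $i, 30, $now);
}
var_dump($results);
```

Run it with `php soft_delete_demo.php`. The UPDATE carrying `owner_id = ?` is what makes a crafted list of sequentially numbered links harmless to other accounts, and because rows are only hidden, a mistaken delete can be reversed by setting `display` back to 1.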

  6. #6 SitePoint Addict (joined Dec 2011, 221 posts)
    I'll remember that! Thank you!

