Delete,update in get method

[claro]

Greetings! I found this tutorial
http://phpeasy.co.uk/tutorial-object...-crud-methods/ so great! But I have a small problem about the update and delete part, I don't understand, but I found my own way to solve it, I just add another method and it works well.

Code:

 public function id()
	{
	return $this->id;
	}

My problem is I'm using GET method in deleting my items and I don't know how to secure my data. Whenever I tried to put in my url mysite/delete?='id value here' , my data deletes even if I'm using pdo. Is there any way to prevent user from doin it? thank you.

[tpunt]

My problem is I'm using GET method in deleting my items and I don't know how to secure my data. Whenever I tried to put in my url mysite/delete?='id value here' , my data deletes even if I'm using pdo. Is there any way to prevent user from doin it? thank you.

I believe you're referring to Cross-Site Request Forgeries (or CSRF); in which the database API would have no affect on it. A security feature known as a nonce can help prevent the problems you're having by passing a unique token through the request URI (and validated on the other end with a session variable). Here's a quick example to demonstrate:

index.php

PHP Code:

<?php session_start();
$_SESSION['nonce'] = md5(mt_rand());
?>
<!DOCTYPE html>
<html>
<body>

<a href="action.php?do=delete&gid=1&id=1&ext=php&tok=<?php echo $_SESSION['nonce']; ?>">Delete Something</a>

</body>
</html>

action.php

PHP Code:

<?php session_start();

if(isset($_GET['tok']) && $_GET['tok'] === $_SESSION['nonce'])
{
    #valid data
}
?>

That's one common method of preventing CSRF; the other method (if you didn't want to go through the hassle of setting up nonces) would be to handle the data via the HTTP POST method.

[claro]

Thank you very much sir! I'll just google what 'nonce' is all about. Thank you, thank you!

[tpunt]

Thank you very much sir! It works well but can you enlighten me about this line

Code:

o=delete&gid=1&id=1&ext=php&tok=<?php echo $_SESSION['nonce']; ?>

That was just a random URI example of a HTTP GET request used to perform an action. The unique token (in the session variable) is echoed out so that it's in the URI link; making the link valid on that page for when you want to use the action.

[Cups]

My problem is I'm using GET method in deleting my items and I don't know how to secure my data.

Another potential problem you may need to guard against is that using GET to delete things can have unforeseen side effects.

A bot could index your site and accidentally delete everything.

Even when logged in, a mischievous user could delete items in their own account, or the accounts of others by just creating a load of sequentially numbered html links.

GET should be used to do just that get things.

There are ways to defend against this, including :

• Not actually deleting anything, just setting a flag in your table in a column named display (0 / 1) **
• Making sure each Mysql user only has delete privileges for their own tables
• Limit the number of deletes per minute, say
• Use the POST method for deletes, inserts, updates etc

Just something to bear in mind, 'tis all, and much depends on your situation.

** that might mean you can offer an undo option, or look upon old data as an "archive".

[claro]

I'll remember that! thank you !