开发者

How can I hide a $_GET variable to be more secured in PHP?

So far all my sites use mostly $_GET's to get the data for a page.

Ex:

editad.php?posting_id=131

editaccount.php?user_id=2

-->is there a way to hide or be more secured about what the user can see? I don't want them to be just able to say type "editad.php?posting_id=40" in th开发者_C百科e URL. I know I can use POSTS, but is there a way for GETs or not?

-->I pass along data through a GET, then validating that data by checking if the user's id is equal to the page's user's id. If they are equal, it would allow the user to edit that page, if not, it would only show that page. I also make sure a number is a number, a string a string, etc. Is there any other way to make it more secure?


there's nothing wrong with passing query parameters like that in _GET. _POST is no more secure.

If a user is able to edit ad 30, but not ad 31, your code needs to enforce those rules.


No, you can not do this with $_GET. To obtain security through obscurity*, you can use the $_POST variable, but $_POST is also insecure (and can be modified by the user). You should always validate incoming data, regardless whether you use $_GET or $_POST, and ensure that the user is permitted to access the data.

*This will only be obscure to laymen. It will be immediately transparent to any interested programmer/hacker.


The only way to secure data from eavesdroppers is to use POST over https://.

However, there is no way to secure from the the user, since the user can modify for GET and POST data easily.


Talking about security, you may consider using either of the following :

  1. Use session to pass the variables
  2. Add a salt+hash key in the url to be passed.

sender :

$hashedKey = sha1( $salt + 'posting_id=131' );
editad.php?posting_id=131&$key=$hashedKey; 

receiver :

$params = getUrlParams();
$hashedKey = sha1( $salt + params );

if ( $_POST['$key'] == $hashedKey ) 
   continue; 
else 
    displayError();


You answered your own question*, you use POST.

  • However, I'm not sure what you mean by "more secured". It's a web page, you can look at the source and see what key/value pairs are being posted to the form.


If you want to hide the parameters from the user, you could always serialize your data and pass an encrypted string in the query. POST doesn't improve security and shouldn't be used if you are not sending data to the server.

Note that depending on your application, even encryption is not enough. For example, if you are passing a security token, it's easy enough to steal even if you can't look at the contents and you would need to use https as well as a few other things. But that's an entirely different can of worms.


Maybe you could use session-state to keep track of this information instead. PHP has inbuilt functions which will manage the session state for you.

Users can't see this as the session information is stored on the server only.

Then you can basically access and store information using the $_SESSION array.

Here are some websites I just found in google about session state:

  • http://www.w3schools.com/php/php_sessions.asp
  • http://userweb.cs.utexas.edu/~mitra/csFall2005/cs329/lectures/php.html


In this age of Firefox and Firebug it's not that easy to hide what values are being passed from page to page, especially if it's with the URL...

Any "interested parties" can use the developer tools that come bundled with the browsers to pry and look how the page actually works....

The only solution, as many others suggested above is to encrypt the part that shows the user's identification with some ingenuity so that only the developers know how it works....

Example : Why pass it as 'user_id'....? Try passing it as 'cxv=32'... Additionally you can encrypt the actual id with some algorithm and then decrypt it back in the next page.. This may stop any attempted modification of the URL... at least, it can make it hard...!!

Just use your imagination...! ;)


One thing that people haven't mentioned yet is the use of the PHP extension Suhosin here. You can fix a number of known security holes in PHP's superglobals by installing Suhosin, and additionally, control the maximum array length/depth/size for each of $_GET, $_POST etc. It also provides transparent encryption of session data. Excerpt from the standard suhosin.ini configuration file:

The encryption key used consists of [a] user defined string (which can be altered by a script via ini_set()) and optionally the User-Agent, the Document-Root and 0-4 Octects [sic] of the REMOTE_ADDR.

Suhosin should still be used with $_SESSION over HTTPS, as there's no feasible way to protect against loss of information without using encryption in the transport layer. And you should salt your session ID with something similar to Suhosin's method for encrypting the session data itself (using something semi-unique to the user, and maybe the time or date too).


One way to be a little more secure is to use a random session id instead of a clear text user id. Once a user logs in, create something like 41b96964c35747e19019d2d0f2efb0d1 and use this for the session to identify a user. This way another user cannot just guess the next id.


What I usually do is urldecode it (just to get the raw value) and then run this function

function safedata($original) {
 return stripslashes(strip_tags(htmlspecialchars(trim($original))));
}

Works like a charm. Additionally, you can add mysql_real_escape_string() to the function if you're already connected to a database.


use nextpage.php?uid=base64_encode($id); and on nextpage.php use

$user_id=base64_decode($_GET[uid]);
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜