#1
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Nov 2003 | Posts: 105 | Rep Power: 15

PHP security question around user updates


Hi,

I'm trying to figure out the best and most secure way to have users update information on my site.

A user has an account with a password and they log in. Should all SQL queries (changes to a user) be based off the logged-in user's session id?

For example, each clause would have: "WHERE user_id = $_SESSION['current_user']"

Because if you hard-code a user's id in a form, that could be manipulated and someone could update other users.

For example:
"WHERE user_id = $_POST['user_id']"

Is that the best way to handle the situation? Any and all updates by a user must use a session id to ensure they are only making changes for themselves?

Thanks for any help!
#2
Introspective (Devshed Loyal, 3000 - 3499 posts)
Join Date: Nov 2001 | Location: London, UK | Posts: 3,317 | Rep Power: 113

Yes, you should use the session id to identify the user, but whether you take that from a form element or from the cookie, they have both been loaded up to the browser and are therefore open to manipulation.

So you need to match up something in the back end. I would store the user's user_id in the session data, so keying against the session id, you can then retrieve the user's unique id from $_SESSION['user_id'].

That still won't make your page 100% secure: you have the risks of XSS, SQL injection and XSRF, which you should take measures to protect against.

christo

Comments on this post: jabba_29 agrees

This is me: http://chris.uk.com
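As an added example (not code from christo's post or from the original poster), here is what the advice above looks like in PHP: the login handler verifies the password and stores the database id in the session, and every later update is keyed on $_SESSION['user_id'] through a PDO prepared statement, which also removes the SQL injection risk mentioned above. The database connection details and the table and column names (users, user_id, username, password_hash, email) are assumptions.

```php
<?php
// Added example: bind every profile change to the id stored server-side in the
// session at login, never to an id that arrived from the browser.
// Connection details and table/column names are assumed for illustration.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app', 'app', 'db-password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Called from the login form handler. On success the only thing that identifies
// the user from now on is $_SESSION['user_id'], which lives on the server.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh session id after login (anti-fixation)
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// Returns the logged-in user's id, or null when nobody is logged in.
// Every update handler starts here.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// The shape from the question, "WHERE user_id = $_POST['user_id']", lets the
// browser choose which row is changed. Here the row comes from the session and
// the new value is a bound parameter, so neither the target nor the SQL can be
// influenced by the request body.
function updateEmail(PDO $pdo, string $email): int
{
    $userId = currentUserId();
    if ($userId === null) {
        throw new RuntimeException('not logged in');
    }
    $stmt = $pdo->prepare('UPDATE users SET email = :email WHERE user_id = :id');
    $stmt->execute([':email' => $email, ':id' => $userId]);
    return $stmt->rowCount();                  // at most 1, and only ever this user's row
}

// Request handling for a profile page whose form has a single field, email.
session_start();
$pdo = connect();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email'])) {
    if (currentUserId() === null) {
        http_response_code(403);
        exit('Please log in first');
    }
    updateEmail($pdo, $_POST['email']);
    header('Location: /profile.php');
    exit;
}
```

The point of `currentUserId()` is that no handler ever reads a user id out of `$_POST`, `$_GET` or a cookie; the session cookie only selects which server-side session record to load, and the id inside that record is something the browser never had a chance to edit.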
#3
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Aug 2005 | Posts: 89 | Rep Power: 13

Hi christo,

Could you please explain it with some examples? That would be really great, and also about these attacks: I heard about SQL injection, but what about XSS and XSRF?

Thanks.
#4
Introspective (Devshed Loyal, 3000 - 3499 posts)
Join Date: Nov 2001 | Location: London, UK | Posts: 3,317 | Rep Power: 113

Originally Posted by saeedahmad1981:
    Hi christo,

    Could you please explain it with some examples? That would be really great, and also about these attacks: I heard about SQL injection, but what about XSS and XSRF?

    Thanks.

http://en.wikipedia.org/wiki/XSRF
http://en.wikipedia.org/wiki/Cross-site_scripting

christo

This is me: http://chris.uk.com
#5
Web Developer/Musician (Devshed Regular, 2000 - 2499 posts)
Join Date: Nov 2004 | Location: Tennessee Mountains | Posts: 2,424 | Rep Power: 1034

To be a tad more clear about this: when a user logs in, get the unique id of their record in the database and store it in a session variable. Thereafter, any time you need to get information regarding that person during their visit to the site, use that id to get it. A session id will be different each time a person visits the site, so it only identifies them for as long as their session is alive. If they come back days later and log in, the session id will not be the same as the previous one.

XSS, SQL injection and mail header injection are all similar in that, in one way or another, someone is injecting their own code into a system that is generating code or a protocol to be parsed, with the goal of tricking the system into running that code as if it were legitimate input.

Coder Central Tutorials, news and information for the programming community at large.
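The thread names XSS and XSRF as the two remaining risks once the update is keyed on the session, but shows no code for them. As an added example (not from any poster in this thread), here is a profile form that handles both: a per-session random token that every POST must echo back, so a form submitted from another site is rejected, and output escaping so that whatever a user typed is rendered as text rather than parsed as HTML or script when it is echoed into the page. The field name, the session layout and the database details are assumptions.

```php
<?php
// Added example: XSRF token plus output escaping for a profile update form.
// Assumes login already stored the user's id in $_SESSION['user_id'];
// connection details and table/column names are assumed for illustration.
session_start();

if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// One random token per session. Every state-changing form carries it, and a
// page on another site cannot read it, so it cannot forge a valid submission.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// hash_equals compares in constant time; a missing or wrong token fails.
function csrfTokenIsValid(?string $submitted): bool
{
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Everything that goes back into HTML passes through here, so a display name
// containing markup is shown literally instead of being interpreted.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$message     = null;
$displayName = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid');
    }
    $displayName = trim($_POST['display_name'] ?? '');

    // The update itself: a prepared statement keyed on the session's user id.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'db-password',
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $pdo->prepare('UPDATE users SET display_name = :name WHERE user_id = :id');
    $stmt->execute([':name' => $displayName, ':id' => (int) $_SESSION['user_id']]);
    $message = 'Profile updated';
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($message !== null): ?>
  <p><?= e($message) ?></p>
<?php endif; ?>
<form method="post" action="/profile.php">
  <input type="hidden" name="csrf_token" value="<?= e($_SESSION['csrf_token']) ?>">
  <label>Display name
    <input type="text" name="display_name" value="<?= e($displayName) ?>">
  </label>
  <button type="submit">Save</button>
</form>
</body>
</html>
```

Two details matter in practice: the token check runs before anything else in the POST branch, so a forged request never reaches the database, and `e()` is applied at output time to every value, including ones the application generated itself, so there is no need to guess which strings are "safe".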
