How to have security in id exposed in links - PHP + Javascript

3

PHP language.

I have a grid where each row has edit and delete buttons, with JavaScript actions that pass the id of that record to perform the action. My problem is security-related, since a sneaky user may change the id on that button and access undue data or delete it. How can I do this safely?

Example of how it's done:

The rendered HTML comes out more or less like this (example of what the grid would output):

<tr>
 <td>Dados1</td>
 <td>Dados2</td>
 <td><img src="editar.png" onclick="editar(1)"><img src="excluir.png" onclick="excluir(1)"></td>
</tr>
<tr>
 <td>Dados3</td>
 <td>Dados4</td>
 <td><img src="editar.png" onclick="editar(2)"><img src="excluir.png" onclick="excluir(2)"></td>
</tr>

and in javascript

function editar(id) {
   // AJAX call to the controller, passing the id via POST
}

function excluir(id) {
   // AJAX call to the controller, passing the id via POST
}

Any suggestions on how to do it safely without exposing the id to the user?

    
asked by anonymous 12.01.2017 / 14:17

3 answers

2

Good afternoon, my friend. Recently I had a similar dilemma. Following your code example, I solved it using the CryptoLib class available at link

  • First we create the functions

     require("path/to/cryptolib.php");

     // Simple function to encode the id as a token before it is rendered
     function tokenizer($id){
         $token = CryptoLib::encryptData($id, "token");
         return $token;
     }

     // Simple function to decode the token received after the click on the element
     function decodeToken($token){
         $decryptedString = CryptoLib::decryptData($token, "token");
         return $decryptedString;
     }
    

    EXAMPLE: In your html the code can be applied as follows

    <tr>
    <td>Dados1</td>
    <td>Dados2</td>
    <td><img src="e.png" onclick="editar('<?php echo tokenizer($row["id"]) ?>')">
    <img src="del.png" onclick="excluir('<?php echo tokenizer($row["id"]) ?>')">
    </td>
    </tr>
    <tr>
    <td>Dados3</td>
    <td>Dados4</td>
    <td>
    <img src="e.png" onclick="editar('<?php echo tokenizer($row["id"]) ?>')">
    <img src="del.png" onclick="excluir('<?php echo tokenizer($row["id"]) ?>')">
    </td>
    </tr>
    

    HTML OUTPUT: In your html rendered the source code will be similar to the example below:

    <tr>
    <td>Dados1</td>
    <td>Dados2</td>
    <td><img src="e.png" onclick="editar('ctnbCH1FXdr41JYI9J82sXjGKbFvIUP3pshgL8KaZsYsEFqFco3NgimLy2xAj')">
    <img src="del.png" onclick="excluir('gimLy2xfUP3pshgL8KaZsYsEFqFco3NAjctnbCH1FXdr41JYI9J82sXjGKbFv')">
    </td>
    </tr>
    <tr>
    <td>Dados3</td>
    <td>Dados4</td>
    <td>
    <img src="e.png" onclick="editar('IUPIUP3pshgL8KaZsYsEFqFco3NgimLy2xAj3pshgL8KaZsYsEFqFco3NgimLy2xAj')">
    <img src="del.png" onclick="excluir('8KaZsYsEFqFco3NgctnbCH1FXdr41JYI9J82sXjGKbFvIUP3pshgLimLy2xAj')">
    </td>
    </tr>
    

    In your CRUD in PHP, use the token validation function:

    $id = decodeToken($token);

    The function returns the id to use in handling CRUD.

    Conclusion:

    When calling the function

    tokenizer($row["id"]);
    // The value returned for the token
    sXjGKbFvIUP3pshgLim8KaZsYsEFqFco3NgctnbCH1FXdr41JYI9J82Ly2xAj
    

    When you receive the token, sent by javascript, it calls the

    $id = decodeToken($token);
    // if the value of $row["id"] passed to the tokenizer() function was "99",
    // the function will return the equivalent of:
    $id = 99;
    

    Advantages:

    Each time the pages are rendered, the generated token for each $row["id"] is unique and random.

    I hope this helps clear up your doubts.

        
    12.01.2017 / 18:36
    1
      

    My problem is security-related since it can have a sneaky user that changes the id of that button and accesses undue data or excludes it.

    Assuming you only allow proper actions to be taken against user validation, then it is not a matter of security breach.

  • If user X can change or remove such content then everything goes fine.
  • If for some reason you rely on external 'validations' and PHP assumes that the request is true without validating the user, then we have a problem.
  • If you have access to actions to 1 and 2 content and you have a delete.php?id=1 button, even changing the ID, you can change content without problem. The link can only allow it to change to the ID of a content other than its content and execute the action.

    Note that the user will always see the reference even if you have a hash for the ID.

        
    12.01.2017 / 15:19
    0

    The part that is on the client (JavaScript, HTML, CSS) can always be manipulated; you need to validate the data on the server side (PHP, in your case). There you will have the last ID; just check that the user can actually edit that element before actually editing.

        
    12.01.2017 / 15:19
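
The server-side check that the last two answers describe, as an added example that is not part of the original thread: the delete only succeeds when the record belongs to the logged-in user, so a tampered id in the request changes nothing. The table `records`, the column `owner_id`, the user ids and the function name `deleteRecord` are assumptions made for the illustration.

```php
<?php
// Added example: object-level authorization enforced on the server.
// Table `records`, column `owner_id` and all ids below are assumptions.

function deleteRecord(PDO $db, int $sessionUserId, $rawId): bool
{
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // The owner comes from the server-side session, never from the request,
    // and the ownership test is part of the DELETE itself (no check-then-act gap).
    $stmt = $db->prepare('DELETE FROM records WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, data TEXT)');
$db->exec("INSERT INTO records VALUES (1, 10, 'Dados1'), (2, 20, 'Dados3')");

// In a real controller these would be $_SESSION['user_id'] and $_POST['id'].
$sessionUserId = 10;

// Id changed in the browser to a record owned by user 20.
var_dump(deleteRecord($db, $sessionUserId, '2'));
// Malformed id sent instead of an integer.
var_dump(deleteRecord($db, $sessionUserId, '1 OR 1=1'));
// The user's own record.
var_dump(deleteRecord($db, $sessionUserId, '1'));
// Rows left in the table after the three requests.
var_dump((int) $db->query('SELECT COUNT(*) FROM records')->fetchColumn());
```

The same `AND owner_id = :owner` condition applies to the edit path; if the id is sent as an encrypted token, the check runs on the decoded value.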