Protecting user options from other users

0

I'm developing a system where every user has options to delete, add, or update, whatever it is. Let's say that I, as a user logged in with ID = 6, have the options to delete one of my photos.

When I click on one of my photos, it goes through a link like this:

photo_op.php?id=42&p=images/user/QzEckSX.png&o=6

where ?id= is the image id, &p= the image path and &o= whom the image belongs to, in this case o=6.

I check whether the photo belongs to the logged-in user; if it does, I display the options, if not, I just show the image. Like this:

$id_user  = $_SESSION['id'];   // id of the logged-in user
$owner    = $_REQUEST['o'];    // owner id taken from the URL (client-controlled)
$id_photo = $_REQUEST['id'];   // photo id taken from the URL

if ($owner != $id_user) {
    echo "";                   // not the owner: show no options
} else {
    echo "<div id='photo_op'><a href='eliminar_photo_p.php?id=$id_photo'></a> ";
    echo "<a href='add_photo_p.php?id=$id_photo'></a></div>";
}

The problem is that if the user with id = 11 "injects" ID = 6 into the link that belongs to ID = 6, user ID = 11 gets access to user ID = 6's options.

What is the best way to display the options to the user without the user ID having to be injected into the URL?

For example, as I own the image I have this link:

photo_op.php?id=42&p=images/user/QzEckSX.png&o=6

But if the other user, with id = 11, does this:

photo_op.php?id=42&p=images/user/QzEckSX.png&o=11

he will have access to the options to delete this photo, which does not belong to him.

My login.php file looks like this:

<?php
include('init.php');

//echo $_POST['txtemail'];
//echo $_POST['txtpassword'];

// USER QUERY
// NOTE: the POST values are interpolated straight into the SQL string (injectable)
// and the password is compared in clear text against the stored value.
$consulta = "Select * from user where email='" . $_POST['txtemail'] . "' and senha='" . $_POST['txtpassword'] . "'";
$resultado = mysql_query($consulta);
if (mysql_num_rows($resultado) > 0) // IF THE EMAIL AND PASSWORD MATCH
{
    // PUT THE QUERY DATA INTO THE VARIABLE $linha
    $linha = mysql_fetch_array($resultado);
    // PUT THE EMAIL (AND THE OTHER USER FIELDS) INTO THE SESSION
    $_SESSION['email']    = $linha['email'];
    $_SESSION['username'] = $linha['username'];
    $_SESSION['id']       = $linha['id'];
    $_SESSION['status']   = $linha['status'];
    $_SESSION['genero']   = $linha['genero'];

    $_SESSION['last_login'] = $linha['last_login'];
    $_SESSION['nlog']       = $linha['nlog'];
    // REDIRECT THE PAGE TO THE SECRET PAGE
    include('q/status_update.php');
    include('q/nlog_update.php');
    header("location: home.php");
    exit; // stop the script so nothing runs after the redirect
}
else // IF THEY DO NOT MATCH
{
    // REDIRECT TO THE HOME PAGE REPORTING THE ERROR
    header("location: index.php?erro=1");
    exit;
}
?>

My get_photos.php is as follows:

<?php
$id_s = $_SESSION['id'];
$sql  = "SELECT id, user_id, location FROM photos WHERE user_id=$id_s";

$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row: one gallery link per photo, carrying the photo id,
    // the file path and the owner id in the URL
    while ($row = $result->fetch_assoc()) {
        echo "<a class='galeria_p' onclick='goclicky(this); return false;' target='_blank' "
           . "href='q/photo_op.php?id=" . $row['id'] . "&p=" . $row['location'] . "&o=" . $id_s . "'>"
           . "<img class='img1' width='118px' height='118px' src='" . $row['location'] . "'></a> ";
    }
} else {
    echo "0 results";
}
?>
    
asked by anonymous 25.02.2016 / 18:33
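As an added example (not the asker's code), here are get_photos.php and photo_op.php rebuilt so that the gallery link carries only the photo id: the owner and the file path are looked up server-side from the session user id, so there is nothing in the URL for another user to change. It assumes `$conn` is an open mysqli connection created in init.php (with the mysqlnd driver, which `get_result()` needs), that the `photos` table has the columns `id`, `user_id`, `location` from the question, and that `session_start()` has already run; the function names are mine.

```php
<?php
// Added example, not the asker's code. Assumptions: $conn is an open mysqli
// connection from init.php, the photos table has (id, user_id, location),
// and session_start() has already run.
declare(strict_types=1);

/** Return the photos that belong to $userId (rows with id and location). */
function fetchUserPhotos(mysqli $conn, int $userId): array
{
    $stmt = $conn->prepare('SELECT id, location FROM photos WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/** Build the gallery link: only the photo id travels in the URL. */
function renderPhotoLink(array $photo): string
{
    $id  = (int) $photo['id'];
    $src = htmlspecialchars($photo['location'], ENT_QUOTES, 'UTF-8');
    return "<a class='galeria_p' href='q/photo_op.php?id=$id'>"
         . "<img class='img1' width='118' height='118' src='$src'></a>";
}

/** Fetch one photo row by id, or null when it does not exist. */
function findPhoto(mysqli $conn, int $photoId): ?array
{
    $stmt = $conn->prepare('SELECT id, user_id, location FROM photos WHERE id = ?');
    $stmt->bind_param('i', $photoId);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

/**
 * photo_op.php: always show the image; show the owner-only options only when
 * the session user id equals the row's user_id. The client never supplies the
 * owner, so there is nothing to forge in the link.
 */
function renderPhotoPage(mysqli $conn, int $sessionUserId, int $photoId): string
{
    $photo = findPhoto($conn, $photoId);
    if ($photo === null) {
        return 'Photo not found';
    }
    $src  = htmlspecialchars($photo['location'], ENT_QUOTES, 'UTF-8');
    $html = "<img src='$src'>";
    if ((int) $photo['user_id'] === $sessionUserId) {
        $html .= "<div id='photo_op'>"
               . "<a href='eliminar_photo_p.php?id=$photoId'>delete</a> "
               . "<a href='add_photo_p.php?id=$photoId'>add</a></div>";
    }
    return $html;
}

// Usage in get_photos.php:
//   foreach (fetchUserPhotos($conn, (int) $_SESSION['id']) as $p) { echo renderPhotoLink($p); }
// Usage in photo_op.php:
//   echo renderPhotoPage($conn, (int) $_SESSION['id'], (int) ($_GET['id'] ?? 0));
```

Casting the id to `int` and binding it as a parameter means no client value ever reaches the SQL text, and `htmlspecialchars` on the stored path keeps a file name from breaking out of the `src` attribute.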

1 answer

2

First, you have to check whether the image belongs to the logged-in user:

Let's remove the $owner=$_REQUEST['o']; line, because the responsibility for saying who owns the image lies with the server, not the client. Letting the client say whether or not it is the owner of the image is a security flaw.

It's like turning up at a gated community, asking to get into an apartment, and the doorman letting you in just because you said you own it.

$id_user = $_SESSION['id'];

// Let's remove a possible SQL injection attack. Escaping alone does not
// protect an unquoted numeric value in the query, so cast the id to an integer.
// Note that from PHP 5.5.0 onwards the mysql_real_escape_string method
// and the mysql extension are deprecated, i.e. they will be removed
// in future versions (PHP 7 has already removed them, I think).
// Use the mysqli extension instead (with an "i" at the end).
$id_photo = (int) $_REQUEST['id'];

// The server decides ownership: the row must match both the photo and the user
$sql = "SELECT 1 FROM photos WHERE id=$id_photo AND user_id=$id_user";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    echo "<div id='photo_op'><a href='eliminar_photo_p.php?id=$id_photo'></a> ";
    echo "<a href='add_photo_p.php?id=$id_photo'></a></div>";
} else {
    echo "Seu malandro! Você não é o dono da imagem!";
}
    
25.02.2016 / 19:23
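The answer's check decides whether to render the options; the same check has to run again inside the action itself, because hiding the link does not stop a user from requesting eliminar_photo_p.php?id=42 directly. The following is an added example of that enforcement, not the answer's code. It assumes `$conn` is an open mysqli connection, the `photos` table has the columns `id`, `user_id`, `location` from the question, `session_start()` has run, and the delete link passes the photo id as `id` as the question's links do; the function names are mine.

```php
<?php
// Added example, not the answer's code: ownership enforced inside the delete
// action. Assumptions: $conn is an open mysqli connection, the photos table
// has (id, user_id, location), and session_start() has already run.
declare(strict_types=1);

/** True when the photo exists and belongs to $userId: the answer's SELECT 1
 *  check, written as a prepared statement so no client value reaches the SQL. */
function photoBelongsTo(mysqli $conn, int $photoId, int $userId): bool
{
    $stmt = $conn->prepare('SELECT 1 FROM photos WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $photoId, $userId);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

/**
 * Delete a photo on behalf of $userId. The WHERE clause carries both the photo
 * id and the owner id, so even a forged request removes nothing the caller
 * does not own. Returns true when exactly one row was deleted.
 */
function deleteOwnPhoto(mysqli $conn, int $photoId, int $userId): bool
{
    $stmt = $conn->prepare('DELETE FROM photos WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $photoId, $userId);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// eliminar_photo_p.php: requires a logged-in session; the user id comes from
// the session only, the photo id from the link's id parameter.
if (!isset($_SESSION['id'])) {
    header('Location: index.php?erro=1');
    exit;
}
$userId  = (int) $_SESSION['id'];
$photoId = (int) ($_GET['id'] ?? 0);

if (!photoBelongsTo($conn, $photoId, $userId)) {
    http_response_code(403);  // not the owner: refuse and leave a trace for review
    error_log("user $userId requested deletion of photo $photoId they do not own");
    exit;
}
if (deleteOwnPhoto($conn, $photoId, $userId)) {
    header('Location: home.php');
} else {
    http_response_code(500);  // row vanished between check and delete, or a DB error
}
exit;
```

The `DELETE ... WHERE id = ? AND user_id = ?` alone is already safe; the separate `photoBelongsTo` call is there so that a foreign-photo request can be answered with 403 and logged, which is the signal you want to see when someone is probing other users' ids.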