I have post request to increase the liking number on records in database. The php file and the GET paramters are sown in the post request so any one will see the page source will be able to process that exteranlly via the php file.. so is it a way to hide those information, and if not .. so what is the most secrue way to hit the databse without showing secure data like that?
$.post("liking.php?id="+rank_id+"&lik="+lik+"&dis="+dis,function(data){}
If you are doing the POST from jquery like that then the variables are going to be visible to the user in the source. This is not a problem as your security should be server side.
In your file: liking.php
You need to add some kinds of checks to prevent users from repeat likes if that is your goal.
If you want to limit a like to one per user then you need to log the like to a table somewhere with the userid (if they are logged in) so you can prevent double likes.
If you are allowing non-logged in users to submit likes then you will want to limit them somehow. Perhaps using PHP sessions to not allow another like in the same session for the same rank_id. This can be session based or time based.
Here are a few other questions that might lead you on the path:
How do I make sure my like button is pressed only once by user?
How to secure/encode Javascript POST requests
Related
I want to track and save to my local DB any event where my website's users click on links.
the user ID is saved in session information.
Links are structured like this: example.com/go.php?d=1234 , with 1234 being example for concrete link user want to go to.
Right now, on go.php, I use _GET and then redirect to user to the actual link (by searching another DB table to find the matching link for the d value, such as 1234.
I want the tracking to happen simultaneously, on server side only, in order to avoid slowing or undermining the redirection process of the user.
Therefore, my idea is to have go.php call another php script on my localhost - track.php.
And inside track.php do an INSERT with the user's data into another DB table, so if anything fails with the insertation, user will not be affected.
How can I pass data like the user's ID and the link ID that was clicked (and other info I plan to collect, such as user agent, resolution, referrer page, etc), under those requirements?
I can't use session since session are stored on the user's machine and I don't want user to have any interaction with this script, and even if session is stored on server, there can be multiple users who will click the same time on links and overwrite the session info I guess.
I don't want to pass info via a URL and use _GET to extract it, since I don't want to use an HTTP request, it makes no sense to use one (speed and security perspective), if everything should happen on my local host.
I don't want to use an include since like I said, if anything in the track.php code will fail, if it is included within go.php, this can cause fatal error and undermine the redirection process.
EDIT:
Is it possible for example to trigger track.php, the same way as cron jobs are triggered?
For example, If one can set a cron job like:
php /home/user/backend/track.php user_id=1 link_id=1234 user_agent="mozilla 1.7/85"
and pass parameters this way, so maybe in script I can do something like:
some-php-function(php /home/user/backend/track.php user_id=1 link_id=1234 user_agent="mozilla 1.7/85")
So maybe something like:
shell_exec(php /home/user/backend/track.php user_id=$u_id link_id=$l_id user_agent="$agent");
I've written a PHP/Mysql application for project management.
Unfortunately (because of my programmer-beginner-state) all buttons, which are used to open a input form (for editing several data) are sending parameters via URL.
E.g. if the user presses the button "EDIT PROJECT" the link edit_project.php?project_id=12345&mode=edit is called.
Which means the edit_project.php page receives it's parameters via $_GET.
If it would be only this single page and this single button it would be little effort to change the scripts.
But i have hundreds of buttons and many pages which are communication this dirty GET-way.
The problem: If i don't change the scripts, the user can manipulate the URL parameters manually.
So here's my question:
Does anybody have a trick / tip how to solve my problem with as less effort as possible? Is there a way to generally restrict URL param manipulation?
We cant stop the user from manipulating the URL.
However, you can check if the project_id belongs to the user and take actions accordingly.
$query = $mysqli->query("SELECT * FROM projects WHERE project_id='123'AND user_id='5'");
if(!$query){
// if project is not found with project_id=123 and user_id=5
// Redirect to a 404 page or something
header("Location: 404.php");
// if project belongs to the user and a record is found, script will continue
}
You can't prevent the user from sending you any GET or POST they like.
Anything that user sends you should be validated server-side anyway.
Especially in a scenario where you deal with user-privileges and rights.
Did user actually sent a number? Does he have the required rights to edit that? -etc.
It should really be a case of users rather using buttons because it's easier than learning the link parameters and possible combinations.
If they have all the rights and prefer editing URL over clicking a button - why not let them?
so I've hit a potential problem in my site....it's a post-based system, with the posts being in text files. Uses some Javascript and a lot of PHP.
When you make a submission on the form on the homepage, you are sent to a page where data is posted and processed, but you don't see it because you get redirected back. Then the homepage is changed based on what the post you made says. All that was working fine.
But now I'm trying to add a new feature that modifies the post you made, based on a button you hit which submits a hidden form using javascript, and sends to another process and redirect page you don't see, and it works fine until the block that I realized today. I don't know how to specify that the post being altered is the right one.
I anticipate a good amount of users of this site, so my concern is what if user X makes a post while user Y is making a post, and the post of user X becomes the top post, so user Y's options actually change user X's post.....
I was thinking of adding to the main processing page (the one that happens when you first submit) a COOKIE or something that would make note of the number of the line that post will become, by counting the number of the lines in that file at the time and adding 1 to it. Then checking it against the user's number (each user has a number) to see if it's that user's most recent post....but the problem is I don't know how I would pass that value around to be read in the next page.
Setting a COOKIE is out I think because the page both redirects, AND reads and writes to files. The only output to the page though are currently var_dumps.
POST/GET is out because to my knowledge the user would have to do SOMETHING to submit it, and the user's not even going to see the page.
Writing to a file would be messy if lots of users are trying to get their own data.
I think what I may be looking for is SESSION variables...but I don't know anything about those except that they're used to login to pages, and this site has no login.
To make things more fun, when a user posts the same content within a minute of another user, the first user's post is replaced and it gets a little +1 next to it...which makes it harder to check it against the user's number....
AND in the end I'm trying to use AJAX (which I dont know yet) to make the updates in real-time...now THAT is going to suck. But for now I'm worried about my static little site.
Baby steps.
Any ideas how to go about this??
Use Session variables, just as you have alluded. They aren't just used by login pages, they are used by everything. Sessions are the equivalent of server-side cookies / server-side storage, so you don't have to worry (as much) about your users tampering with them.
If you want to make life more difficult for yourself, you can json encode your variables and store them as an object in a database or even flat text file. But really, read up on sessions.
All you need to know is session_start(); before anything else then $_SESSION['var']=$yourvar; to save data and $_SESSION['yourvar'] to retrieve it later (such as on another page).
I just finished coding my first jquery ajax call page. It calls a php page every 1 or 2 seconds and returns json data.
The page basically displays posts of the message board the user is viewing. There are multiple message boards and some users should not be able to view certain boards, however the same php page is used for the call. It pics out the message using $id that is sent by the ajax script.
My question is how would I protect the php page from being manipulated and opened directly? The user can easily change the board id by opening the file directly and changing the URL. Not to mention the other ways.
If there is no easy way, then I guess I'd have to duplicate the majority of the main page to check if the user has necessary permissions. That would mean more server load since the page is updated every second.
Ajax calls are treated by server in the same way as normal page requests. All the authentication and authorization mechanisms are called before serving the page. To make sure just log off and try to get stuff from your page using AJAX. It should not work if your page requires you to log into the site.
In ajax script you can use $_SESSION too - you can check if current user has privilages to specified ID - if not - just deny access.
Save the permissions in a session and check if that certain flag is present?
If an AJAX call can open the page, so can the user, you cannot rely on definitive technique to protect a page. Rest you can follow what #TheVillageIdiot has said in his answer.
This is inside a PHP website form.
An example is like:
First page:
-Username:
-Password
Second page:
-Email
-[Checkbox]
Thirdpage:
-Contact Details
-Address
Fourth page:
Review all of the above forms in hard copy but with a back and forward command so that the user does not loose any information when switching between these pages.
Please post.
You could use cookies and do your own sessions with MySQL too. I like doing it like that because the data is easier to access if necessary.
Or you can pass the previous variables to the next page though hidden form elements.. but that can get messy.
You Have to use session. I like Zend_Session.
If you want users to be able to come back later and complete the form (assuming you have some kind of login system, or a way to recognize users), you could still save the data into a database. Make another table, temp_submissions. Keep data in it until the user completes the form and commits the data they send. Once committed, clear the data out of the temp_submissions folder and insert it into the "permanent" table. It may not be practical in this case, or total overkill, but it's an alternative to sessions and cookies.