Some way how "to prevent" user to modify url - php

In one page are multiple rows of records (information).
User can click link at the end of each row. Opens new page (popup) like host/pageaddress.php?id=777 777 is id of mysql row. In the new page I display information that is recorded in mysql with id 777.
If user wants, he can change 777 to any other number and gets displayed corresponding mysql row. Modifying id in such way user can access only table and rows which the user is allowed to access. And at the moment I do not know any security hole because of such modification (if someone knows, please, write).
But I do not like to allow user such modifications (feeling uncomfortable). When searched I found information, that I can not prevent user to modify. However know one website, where I can not modify url
Tried to write something in address bar and i can not. I do not know why (maybe because of https?)
So at the moment think of following solution.
At main page create $_SESSION['display'] = 'something';
In new popup page
if(isset($_SESSION['display'])){
echo ' content';
}
Then at the bottom of page unset($_SESSION['display']);
So if user modify url, page reloads and there is $_SESSION['display'] is not set. So no content.
Please, advice if such solution is ok? Some better solution?
Update
The above mentioned solution appears useless. But if to think regarding solution, here one another:
1) At main page create hash, and name for example $hash
2) $_SESSION['display'] = $hash;
3) record $hash in mysql
4) in new popup window (file) check if `$_SESSION['display']' exists and is equal to hash in mysql. At the end of page unset hash and delete from mysql
This is just to think about possible solution... does it work?

If user wants, he can change 777 to any other number
Yes. There is absolutely no way to control what the user instructs their browser to ask your server for.
and gets displayed corresponding mysql row.
If you only want some rows to be available to the user, then authenticate that user and check if they are authorised to view that row.
For example, some pesudo-code:
if user is not logged in
provide login page
else
if user id matches row's owner id field
provide data
else
provide error message
However know one website, where I can not modify url
That's what happens when you open a popup window and tell it not to show the toolbar. It doesn't provide any security because the user can still copy the URL into a new window and modify it as much as they like.
So if user modify url, page reloads and there is $_SESSION['display'] is not set
That just means they have to copy the URL into a new window between the time they visit the main page and the time they click on whatever triggers the popup.
It's annoying and twiddly, but not secure.

Related

restrict users directly redirecting to another page by editing url

I'm developing a simple web application, where users can edit their post by clicking the edit link.
where user is in the profile.php when user click on the edit post link which located on same page then it redirect to editpost.php?edit=4, the id post of 4 is allow user to edit.
problem: when user mess with the url by editing as editpost.php, then how can we not allow the user to editpost.php
by simply entering in the address bar by user
These are the most simple things I think that you can do to improve your pages:
Authorization: check the user privilege at the beginning of your script. Users won't able to edit posts that they do not have editing permissions.
Unique random IDs: instead of showing the auto-increment ID (which is easy to guess), you can create another string column in the database and assign a random unique ID for each post. In your script, query the database based on that unique column instead of the primary id column. If a user is on edit.php?uid=abz-723-random, he/she won't able to guess the next available id to try.
Some types of tokens can be used, too. However, using token prevent a user from refreshing pages/sharing page easily. If you have little experience in working with tokens, I recommend against them.
First change your Edit post url
editpost.php?=edit=4
to
editpost.php?edit=4
then use Get method to grab edit post id or number for example
$editpostid=$_GET['edit'];
after that run your mysqli query with condition where id='$editpostid'
. Let me know if you don't understand

Create a page that shows a user which pages they have been to using PHP

I was wondering if there was a way to create a page on my website that would allow for a user to view the pages in the website that they have been to. I have searched around to see if I could find a hint to where I could start from, but I came up empty. I have already coded a system where a user can sign up and log in, I just need a way so that they can track where they have been. Thanks
I won't go into full detail, as I cannot comment to ask how you would prefer, but an example using sessions would be such;
At the start of each page, you could do something as follows;
session_start();
array_push($_SESSION['pages'], "`You would put a user-friendly page name here`");
Or alternatively;
session_start();
array_push($_SESSION['pages'], __FILE__);
The above would store each page the user visits in a session named pages. If you wanted to, for say, receive the last five visited pages, you could then do something as such;
array_slice($_SESSION['pages'], -5);
Although this wouldn't be the most efficient and/or is just basic, it is the bedrock in which you could expand upon.
Another idea would be to log the page visits to a database. You could have a table names page_views or similar with id, user identifier and page as the columns, then following the above example to 'log' the page views to the database. You could then select from the database and limit to the last 5 records matching the user identifier, therefor receiving the five latest logged pages.

Detecting page reload after clicking back button in PHP

I am looking for a way to detect when a page is reloaded after clicking the back button, so I can selectively ignore errors. Let me explain why:
Imagine a page that displays some data, identified by an id:
/show/some/data?id=5
Initially, the id exists and the page is displayed. If the id does not exist, an error message is shown and an error is logged, because that should not happen and would indicate a broken link in the application.
Now imagine the user looks at the data, decides to delete it, and after deleting, uses the back button to go to the same page again (BTW this is not a hypothetical, I have seen this in my application). Now, the id is no longer valid, triggering an error. If I could distinguish between the initial page load and the second page load after using the back button, I could be more lenient in my error handling. My reasoning being that a broken (forward) link in the application is a fatal error. A broken link after clicking back (when there was none initially) is very likely caused by some action the user took in the meantime. In that case I would much rather redirect the user to an overview page than show an application error.
I believe one way to solve this would be to attach some randomly generated id to the url:
/show/some/data?id=5&rnd=<?php print rand(); ?>
and log the random ids that have been used in the session. If an id repeats itself, I can assume that the page has been reloaded, and selectively ignore some errors.
However, that would require altering many links in the application. I could also use javascript/jQuery to alter all links on the page to the same effect:
$("a").attr('href', function (i, h) {
return h + (h.indexOf('?') != -1 ? "&" : "?") + "rnd=" + Math.random ();
});
That's slightly less invasive, but still rather heavy handed for solving such a seemingly trivial problem. I wonder if there is or can be a self-contained way to do this. Is there any way for the backend application to distinguish if a page is loaded by forward clicking on a link or reloaded after clicking back? Or is there a more elegant solution with javascript?
There's no perfect solution for this since you're trying to (sort of) change a browser's behaviour. The simplest idea I can think of is setting a session variable with a list of deleted pages, and pushing the page IDs into it on the delete page.
Then, you need to update your error handler to additionally check for the presence of the requested page ID in the deleted pages list. That way you won't have to mess with URLs at all.
Here's an example flow:
user requests page id 1
app checks the db, it doesn't exist
app checks the session, it's not in the deleted pages list
error message shown, error logged on the server
user requests page id 2
app checks the db, it exists, show the page to the user
user clicks the delete button
ID of the page is added to the session list of deleted page and the page is deleted
user goes back (or types the url manually, this is a bonus feature)
app checks the db, id 2 doesn't exist
app checks the session, id 2 IS in the deleted pages list
error message shown, no errors logged
You can also take this one step further and track all the visited pages, so you'll know that if something was there a few minutes ago, and now it isn't, the user must have deleted it. This would allow you to handle more such events if needed.

How to limit a user to one visit on a single page?

Hello Guys i hate asking stupid questions here so i hope this isn't, How would i go about limiting someone to a download page of mine? so if they try to visit that page again (more then once) to download something it will just redirect or preferably change the download links to link 2 then Link 3 and is it possible to do without a database?
Eg:
First Visit - main link
Second Visit- link 2
third Visit- link 3
4 and up Visit no link and redirect
Maybe with cookies? i really i have no idea how to do it and i have Googled it but my wording must not be there...
Is there a name for this or a script?
Thanks for your time Guys.
A.
The best method to achieve the desired goal is database. Create a database table that contains two columns :
(1)Page Visitors IP
(2)The Last Download link used by the visitor to download
file(contents) from your website.
B.
You can too achieve your goal with the help of COOKIE.
setcookie("Visitor IP", "Download Link used by the Visitor", $expire);
Everytime, visitors visit your website, fetch the visitor IP and check whether $_COOKIE["Visitor IP"] is set or not, if its set, then update the existing Cookie else create the new one.
However, using Cookie is not a convenient way, as there might be a case where
Browser does NOT Support Cookies.
Client alter the Cookies value and use the previous link for download.
So, most simplest and elegant way to do it is, using Database.
UPD:
*How easy is it to code/setup a database?*
Setting up/Connecting to a database in php is pretty easy.
Refer the following LINK
Coding is pretty easy as well.
-Whenever the visitor click on the download link, fetch Visitors IP ($fetched_IP) by either POST or GET method. Also fetch the Link ($URL) visitor has clicked.
-Query the database [eg: Select DB_IP,LASTLINK from database WHERE DB_IP=$fetched_IP.....]
-If RowCount>0, then IP($fetched_IP) exists in database. Check the Last Link visited by the $fetched_IP.
-If LASTLINK!=$URL, then allow him download the content from $URL.Update the LAST_LINK column in database table by $URL.
-If rowcount==0,(New User) Insert a row that contains DB_IP=$fetched_IP(Visitor IP) and LAST_LINK=$URL.
An easy was is to use a hash table (associative array). When they satisfy the criteria to access the file, add an entry to the hash table using the the unique url as the key and the document path as the value. Save it to the session. When they access the url the page checks to see if the url is in the hash table. If it is, remove the url from the hash table and stream the file. If you wanted to allow multiple uses, you could store a countdown variable along with the url, that will decrement with every access and only delete the url from the hash table when the count is zero.

User login session when script sent from external site

I’m working on a bookmarklet solution with similar functionality as Instapaper (bookmarklet functionality that is, not site functionality).
For my first bookmarklet version I sent the user to mysite.com/add.php?url=[url], which then did what I wanted to do (added url to the database, etc) in the backend as long as the user was logged on to my site since before (session kept alive using cookies). The user then had to press a back button to return to the original site. This worked as intended.
Now I want to let the user remain on the original site (as the instapaper bookmarklet does) while I do the backend stuff in the background, therefore:
- The bookmarklet now appends a javascript function to the original site
- The javascript uses a form and submits the URL to mysite.com/add.php with url as a variable (add.php is unchanged)
- I output status from add.php into an iframe that appears on the orignal site
This works so far that the url is sent to add.php, while the user remains on the original site, and the status is printed in the iframe I temporarily display on the original site.
However, from the scripts point of view the user no longer appears to be logged on, even if he/she is when mysite.com is accessed directly. I’m using this login system (http://www.evolt.org/node/60384).
Can you point me in the right direction? Let me know if you need more info.
Thanks
Since I get this to work in IE, but not in Firefox or Chrome, I'm leaning at the conclusion that it's due to the browsers security precautions, and that I won't get it to work by only using php session.
I've therefore come up with an alternative solution to what I want to achieve, that I want to run by you.
Please comment:
1) When a user register at my site, I create a random unique static identifier (RUSI) for that user (i.e. not the username or hashed pwd)
2) I append this RUSI to the bookmarklet code (meaning the bookmarklet can only be added while the user is logged in to my site)
3) When the user press the bookmarklet, my script checks what username the RUSI corresponds to, and checks if that username is in my active_user table (that consists of all logged in uers)
4) If the username exists in the active_user table, then the bookmarklet does what it supposed to do, otherwise i print "please login" or similar.
As said, please comment on this solution, as I have a hard time figuring out if this is a good or really bad approach. The obvious down side is of course that a user who finds out another users RUSI can execute the script on his/her behalf as long as he/she is logged in.
Thanks.

Categories