I'm building a php website with lots of jquery / ajax. Basically the site is a simple blog and I display the last 10 database entries and their corresponding headlines on the front page. The user is then able to click a headline (where it's rerouted to site.com/blog?cid=76) and then view the full blog entry.
basically, is there any database security risk with displaying the 76 which corresponds to the blog_id in the database? Should I be making things more secure and if so how would I go about doing that?
There is no security issue.
It is similar to telling us what id this post has:
stackoverflow.com/questions/11379226/hiding-table-ids-in-a-website
All it does is tell the user which post it is.
The way you implemented it forces you to pass the id of the blog entry anyway: be it in POST or in a GET request. If the application is secure enough there shouldn't be a problem with passing the id. The only thing you could do would be to make the id a little bit more obscurely passed in the GET request:
Something like: site.com/blogs/disp/76 for instance
Yes there are risks. You need to know about und understand SQL injection. PHP offers a couple of methods that you can use to help prevent this type of attack.
This site offers a good explanation of SQL injection and methods to help prevent it:
http://rosstanner.co.uk/2012/01/php-mysql-preventing-mysql-injection/
Related
Fellow collegues
I tried to implement a simple button inside a Joomla article to see which registered users have read an article and which didn't. I failed miserably, since my knowledge about PHP is honestly too low.
It should be possible to have a reading confirmation button on selected articles, so that the superior can check who has already read important information and who has not.
I was thinking of using php for getting the articleid, userid and a read field to construct a table in MySQLi, and depending on whether it is read or not, read will be either true or false.
the table is constructed already, but filling in the right information really leaves me hanging.
Now Problems occuring:
To fill in every user for each article which should've been confirmed automatically is impossible for me. I know that i can get a users username with the command
$user = JFactory::getUser();
but i dont want to get the current user. It should provide an overview of which users have read the article and which didn't.
I'm really lost in code fragments and I'm having trouble understanding what I could benefit from.
I've already used the search function and this topic already came up several times, but still it seemed to me that it hasn't been answered properly yet.
Has anyone done something similar in Joomla before and could give me a hint on how to get this done?
Or does anyone know an extension which could handle the problem?
Any clarifying statements are warmly welcomed!
Greetings
Capo
The best way to handle this is to use ajax, specifically, the com_ajax Joomla component. It's not as hard as you might think, and we have written a step by step guide on how to use the Joomla ajax component here.
Essentially, you will need to create a button, which, when clicked, will send an ajax request to the server and update a table. The table that should be updated should be a custom table, containing the following fields: id, userid, contentid
The id field will be an autoincrement, the userid will be the ID of the user who read the article, and the contentid will be the ID of the article that the user has read.
Once you have the data in the table, you can then display it anyway you like!
I orignally posted asking how I can store a users facebook profile link, to use it on a profile page that I was creating on my website and didn't really get much of a response. After spending a lot of time I have a system in place that I feel should work but doesn't.
I'm not entirely comfortable with AJAX yet and have tried adapting code from Adam Khoury's Web Intersect 2.0 series to suit my project.
I've pasted my code over at Pastebin http://pastebin.com/u/lil_bugga test2.php being my main form with the Ajax and link_checker.php being my include file. Can someone help me to get this code working properly.
Its meant to take the user input, sanitize it and return 1 of 4 different result that I can then use to display appropriate messages to the user. The code seems to work fine until after the following line in test2.php
alert(params.join("&"));
Below is my orignal question for any interested parties.
"How can I safely collect and store links supplied by a site visitor as part of their profile, if they wish to provide it.
I know I don't want to store it without sanitization of some form but I would assume using something like the snippet below would leave me vulnerable to attack.
$username = preg_replace('#[^a-z0-9_/:]#i'
I also want to compare the supplied links against a url list i.e:
http:// www.facebook.com/userprofile
www.facebook.com/1234567890
Whats the best option here, as some people may submit with HTTP:// others with just WWW. and some even just facebook.com/ and then theres the (userprofile) name or the user id (1234567890)"
I haven't officially started learning PHP, just skimming through a couple tutorials and I have a question. Why would some one choose to use Get vs Post? Why would you ever want the data shown in the url bar? I understand post is used for passwords and important info but I don't understand why you would use get instead of just post all the time?
Thanks for any insight.
$_GET is useful for pages where users are requesting data - such as a search page, and pages that a user might want to bookmark and share with others. Actions that should be readonly.
$_POST is useful for pages where users are "posting" data - such as a signup form. $_POST should be used when you don't want your visitors to be able to bookmark page. Actions that write data.
As prodigitalson added: you may use $_POST or $_GET for any operation, but it is good practice to use them as described above.
If you want people to be able to share the link with their friends...for eg http://example.com/products.php?product_id=12
GET requests are idempotent. POST requests change server state.
This is an HTTP question, not a PHP question.
are you planning to fill your website with forms and buttons on each link?? every link you see in this site is sending GET variables.. maybe your question is related to the "method" attribute in a form, if that's the case, well 90% of the cases post is a better choice
dont worry about the security :) just because you dont see the information in the navigation bar doesnt mean that its secured, watching the information sent by post is only two clicks away ;)
Some times you have to pass params(data) to a script without form submit OR want to share that script to someone. In that case $_GET is useful.
GET method may result in long URLs, and may even exceed some browser and server limits on URL length.
GET can be used for multiply reasons..
If you want to share a URL with your friend, like http://site.com/share.php?id=123 <- Often used.
Its often used to do dynamic actions.
POST is often used when sensetive information should not be shared.
You can look it up on google to learn more =)
I was just exploring Phorum for my website. I already have a separate log in system associated with the main website, which I was hoping to be able to carry over to Phorum, so people don't have to sign up twice.
I saw the way to hook in a SQL database through include/db/config.php, but there seems to be no good documentation on what's going to be carried in the table I set it to. Will is just be username/password?
Assuming it is, is there a way I can have it so if you signed in on my site, you don't have to re sign in for phorum? Even just a link pointing in the right direction would be outstanding. Thanks!
You could modify your site to use the Phorum database and user registration system. This would be the best way to do it. You could write a small SQL import script for your existing users and then just link to the phorum rego page from your site.
If you are not keen on taking this approach, you'd need to update both user tables (yours and phorums) when data was changed / inserted. Also you'd both need to use the same cookie.
Does that help?
Lets say I have a website with links to various books on my main page.
<a href='books.php?id=1'>Book 1</a>
<a href='books.php?id=2'>Book 2</a>
<a href='books.php?id=4'>Book 3</a>
Books 1-3 are in my system, however id=3 is apart of another catelog that I'm not showing or authorizing through this section of the site. So if a user clicked on Book 3, then changed the id=4 to id=3, they could simply pull up the record (assuming I don't have proper session checking).
Is there a good way to obscure the get id that you're passing when trying to pull a specific record? it seems by passing just the id would be easy to request pages that, without proper querying and session checking, you would be able to get another result.
Is there a better way to do this?
Cheers
You need to always, always, check that user is able to access the page. That is the only way to verify that you don't show wrong data, because someone can always modify the link they are going to, even if you somehow hide it.
There is just no escaping it. You always need to verify that the record can be accessed.
You probably could hash your id or something using md5 or whatever to make it harder to manually enter, but that's really not a good idea.
What you should do is to implement server side security in your books.php script that will prevent users from unauthorized access. That's the only thing that will keep your site secure.
Just check id if it is allowable to display or not.
With get's a good practice is when you check whatever parameters you may have.
just thinking out loud:
you can make a column in your book mysql table saying "visible" ... or userlevel in your users tables.
do a php function or if statement that:
if (user is not in user_level) // user is not allowed to see everything
{
redirect to previous page;
}
else if (user is in user_level) // user is allowed to see everything
{
display all items;
}
You definitely need to check whether the user is allowed to view the page.
But, what if you separated the ids for the different catalogs? URL's could look like books.php?cat=foo&id=1. That wouldn't necessarily make things any more secure, but it would prevent people from accidentally finding the wrong pages and organize things a little better.