
Security - Concerns - Query Strings 1

Status
Not open for further replies.

Trancemission

Technical User
Oct 16, 2001
108
GB
I am currently creating a little Auth script for my Password database.

I have started to use cookies to track the users and make sure they have authentication to access the path.

I am worried about people manipulating query strings:

my cookie stores an access level the user has ($auth_level)

I can change my access level by appending ?auth_level=mylevel to the query string.

Anybody have a tip how to get round this?

I am thinking I might have to use a Class to contain the users level just a bit unsure.

Many Thanks

Trancemission Trancemission
=============
If it's logical, it'll work!
 
It's because of PHP's runtime configuration directive "register_globals". From your behavior, it must be set to "on".

When register_globals is set to "on", then the elements of the $_POST, $_GET, $_SESSION, and other superglobal variables are re-instantiated as scalar variables. For example, $_GET['auth_level'] is also instantiated as $auth_level.

I recommend for several reasons leaving register_globals set to "off". The manual (at says that this is a good idea, and "off" is now the default setting.

Even if you don't set it to off, access the value as $_SESSION['auth_level'].

Want the best answers? Ask the best questions: TANSTAAFL!
 
Thx for your replies but I am not sure if you understand my query.

I have an authentication script which sets a cookie (auth_loggedin) to a value of 1 once the user has successfully logged in.

I then wish to authenticate this user on another page.

I am checking the value auth_loggedin.

My problem is I can simply append the value ?auth_loggedin=1 to the URL and my check will also work.

Cheers

Trancemission Trancemission
=============
If it's logical, it'll work!
 
So what you're saying is that your script uses the query string, and therein lies your problems.

Use session variables, or re-read the cookie on the next page. Personally I'd say session variables.

-Rob
 
If you are worried about security, lose the authentication level cookie variable. If a user pokes their nose into the cookie data, they may be able to tweak the value to one step higher and gain access to your site's dirty picture area (or whatever noble purpose your site serves).

As noted, sessions are useful here.

Instead of using '0' and '1' which can be easily figured out, make access values like $auth_level='p3i6g4' so that the other levels cannot be easily guessed. This is essentially a password. Do not make it easy to fool.
 
Okay,

Currently going to test with session variables.

Forget about my scripts, my query is:

What happens with PHP if a cookie has the same name as an element on _some form_? On the next page (where the form is processed) what is stored in the variable?

Trancemission
=============
If it's logical, it'll work!
 
Here's my test code. test_values.php sets a cookie and outputs the HTML necessary to produce a form which is submitted to test_values2.php.

test_values.php:
Code:
<?php
// Set a cookie named "foo", then emit a form with a field of the same name.
setcookie ('foo', "bar");

print '
<html>
	<body>
		<form method="POST" action="test_values2.php">
			<input type="text" name="foo">
			<input type="submit">
		</form>
	</body>
</html>';
?>

test_values2.php
Code:
<?php
print '<pre>';

print "Cookies:\n";
print_r ($_COOKIE);

print "\nPosts:\n";
print_r ($_POST);

// $foo exists here only because register_globals is on.
print "\n\$foo=\"$foo\"";
?>

If I point my browser to test_values.php, enter "test" in the field and submit, here is my return:

Code:
Cookies:
Array
(
    [foo] => bar
)
Posts:
Array
(
    [foo] => test
)
$foo="bar"

On my system (PHP 4.3.0), the cookie value supersedes the form value.

But notice that I can reference both values by ignoring the registered global variables and using $_POST['foo'] and $_COOKIE['foo']. This is yet another reason to use the superglobals rather than depending on registered globals.

Want the best answers? Ask the best questions: TANSTAAFL!
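
An added example (not code from any poster in this thread): it emulates, in current PHP where register_globals no longer exists, how the directive filled plain variables from GET, POST and cookie data, and contrasts a login check that trusts such a variable with one that reads only session state. The function names are hypothetical, the request arrays are constructed, and the G, P, C import order assumes the default variables_order of "EGPCS".

```php
<?php
// Emulation of register_globals=On: each request source is imported in
// variables_order sequence, and a later source overwrites an earlier one.
// Assumption: default order "EGPCS", so Cookie beats Post beats Get.
function emulate_register_globals(array $get, array $post, array $cookie): array
{
    $registered = [];
    foreach ([$get, $post, $cookie] as $source) {   // G, then P, then C
        foreach ($source as $name => $value) {
            $registered[$name] = $value;            // later source wins
        }
    }
    return $registered;
}

// Vulnerable check: trusts a variable that any request source can define,
// which is what reading $auth_loggedin amounted to with register_globals on.
function is_logged_in_vulnerable(array $registered): bool
{
    return isset($registered['auth_loggedin']) && $registered['auth_loggedin'] == 1;
}

// Hardened check: only state the server itself stored in the session counts.
function is_logged_in_hardened(array $session): bool
{
    return isset($session['auth_loggedin']) && $session['auth_loggedin'] === true;
}

// Constructed request 1: the form/cookie name collision from the test above.
$registered = emulate_register_globals([], ['foo' => 'test'], ['foo' => 'bar']);
echo "\$foo = \"{$registered['foo']}\"\n";          // the cookie value wins

// Constructed request 2: nobody has logged in, but the URL carries
// ?auth_loggedin=1 and the session holds nothing.
$registered = emulate_register_globals(['auth_loggedin' => '1'], [], []);
$session = [];                                      // stand-in for $_SESSION

echo "vulnerable check: ";
var_dump(is_logged_in_vulnerable($registered));
echo "hardened check:   ";
var_dump(is_logged_in_hardened($session));
```

In a real page the hardened check would read $_SESSION after session_start(), with the flag set only by the login script once the password has been verified.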
 
Many thanks sleipnir214, you have cleared up my query :)


Cheers Trancemission
=============
If it's logical, it'll work!
 