CodeIgniter Forums

Full Version: security problem with GET
My website allows user accounts, and users can upload and delete images. For deleting an image, this JS is called:

Code:
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "<?php echo base_url(); ?>index.php/controller/method?id=" + id, true);
xmlhttp.send();

The problem is, I can manually load

domain.com/index.php/controller/method?id=xx

and I could delete another user's image.

What is the correct way of fixing this issue?
You can change it to a POST request (which will still have security issues).

You need to do verification inside of the delete method to verify that

a) they have permission to delete images, and
b) they "own" that image, or belong to a role that has permission to do it.

That way people can't randomly delete strangers' photos.
Make sure the image belongs to the current user, else return false. Does 'images' mean a user can upload many images? And do you store the image info in a specific table? Add a user_id field to the table that stores image info to indicate that the image belongs to a specific user.
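
The two answers above (check permission and ownership inside the delete method, backed by a user_id column on the image table) can be sketched as follows. This is an added example, not code from any poster and not CodeIgniter's API: it is plain PHP with PDO and an in-memory SQLite database (assumes the pdo_sqlite extension), and the `images` table layout, the role names and the `delete_image()` function are hypothetical.

```php
<?php
// Added illustration. Table layout, roles and function name are assumptions.
// $user stands for the logged-in account taken from the server-side session,
// never from a request parameter.
function delete_image(PDO $db, ?array $user, $rawId): int
{
    if ($user === null) {
        return 401;                       // not logged in
    }
    // (a) the account must be allowed to delete images at all
    if (!in_array($user['role'], ['member', 'admin'], true)) {
        return 403;
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 400;                       // id is not a positive integer
    }
    if ($user['role'] === 'admin') {
        // (b) a role that may delete any image
        $stmt = $db->prepare('DELETE FROM images WHERE id = ?');
        $stmt->execute([$id]);
    } else {
        // (b) ownership is part of the DELETE itself, so there is no gap
        // between the check and the delete
        $stmt = $db->prepare('DELETE FROM images WHERE id = ? AND user_id = ?');
        $stmt->execute([$id, $user['id']]);
    }
    // Zero rows: the image does not exist or belongs to someone else.
    // Both cases get the same answer so ids cannot be probed.
    return $stmt->rowCount() === 1 ? 204 : 404;
}

// Constructed sample data: image 1 belongs to user 10, images 2 and 3 to user 20.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, path TEXT)');
$db->exec("INSERT INTO images VALUES (1, 10, 'a.jpg'), (2, 20, 'b.jpg'), (3, 20, 'c.jpg')");

$alice = ['id' => 10, 'role' => 'member'];
$guest = ['id' => 30, 'role' => 'guest'];
$admin = ['id' => 99, 'role' => 'admin'];

printf("anonymous deletes 1:    %d\n", delete_image($db, null, '1'));
printf("guest deletes 1:        %d\n", delete_image($db, $guest, '1'));
printf("alice deletes 2 (not hers): %d\n", delete_image($db, $alice, '2'));
printf("alice deletes 1 (hers): %d\n", delete_image($db, $alice, '1'));
printf("admin deletes 2:        %d\n", delete_image($db, $admin, '2'));
printf("images left: %d\n", (int) $db->query('SELECT COUNT(*) FROM images')->fetchColumn());
```
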
Thanks for the answers! Since the POST wouldn't solve the security issue I didn't change the GET, but added user validation in the delete method.