security problem with GET - Printable Version

CodeIgniter Forums (https://forum.codeigniter.com) > Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) > General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24) > Thread: security problem with GET (/showthread.php?tid=63628)

security problem with GET - ronaldv - 11-20-2015

My website allows user accounts, and users can upload and delete images. For deleting an image this JS is called:

Code:
xmlhttp = new XMLHttpRequest();

The problem is, I can manually load domain.com/index.php/controller/method?id=xx and I could delete another user's image. What is the correct way of fixing this issue?

RE: security problem with GET - kilishan - 11-20-2015

You can change it to a POST request (which will still have security issues). You need to do verification inside of the delete method to verify that a) they have permission to delete images, and b) they "own" that image, or belong to a role that has permission to do it. That way people can't randomly delete strangers' photos.

RE: security problem with GET - arma7x - 11-20-2015

Make sure the image belongs to the current user, else return false. 'Images' means a user can upload many images? And do you store image info in a specific table? Add a user_id field into the table that stores image info to indicate that this image belongs to a specific user.

RE: security problem with GET - ronaldv - 11-21-2015

Thanks for the answers! Since the POST wouldn't solve the security issue I didn't change the GET, but added user validation in the delete method.
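As an added example of the fix the replies describe (this is not code from the thread or from CodeIgniter itself), here is a CodeIgniter 3 controller method that performs the check inside the delete method: the caller must be logged in, and the row is looked up and deleted scoped to that user's id. The table name `images`, its columns `id`, `user_id` and `path`, the session key `user_id`, and the assumption that the `session` and `database` libraries are autoloaded are all placeholders chosen for the example; the switch from GET to POST is left out on purpose, because as kilishan notes it does not remove the authorization problem on its own.

```php
<?php
// Added example, not from the thread: ownership check inside the delete method.
// Assumed schema: images(id, user_id, path); assumed session key: 'user_id'.
defined('BASEPATH') OR exit('No direct script access allowed');

class Images extends CI_Controller
{
    public function delete()
    {
        // 1) Require an authenticated user (session key is an assumption).
        $user_id = $this->session->userdata('user_id');
        if (!$user_id) {
            return $this->output->set_status_header(401)->set_output('not logged in');
        }

        // 2) Validate the shape of the id before it reaches the database.
        $id = $this->input->get_post('id');
        if (!ctype_digit((string) $id)) {
            return $this->output->set_status_header(400)->set_output('bad id');
        }

        // 3) Ownership check: the row must belong to the current user.
        //    Query Builder escapes the bound values.
        $where = array('id' => (int) $id, 'user_id' => (int) $user_id);
        $image = $this->db->get_where('images', $where)->row();

        //    Same response for "does not exist" and "not yours", so the endpoint
        //    does not reveal which ids belong to other users.
        if ($image === NULL) {
            return $this->output->set_status_header(404)->set_output('not found');
        }

        // 4) Delete scoped to the owner as well, so a change between the check
        //    and the delete still cannot remove another user's row.
        $this->db->delete('images', $where);
        if ($this->db->affected_rows() === 1 && is_file($image->path)) {
            @unlink($image->path);
        }

        return $this->output->set_status_header(200)->set_output('deleted');
    }
}
```

The point the thread makes is that the authorization decision belongs on the server, in the method that performs the action; whether the id arrives by GET or POST only changes how easy it is to craft the request, not who is allowed to make it. The role-based variant kilishan mentions would replace the `user_id` condition with a check that the current user either owns the row or holds a role permitted to delete any image.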