CodeIgniter Forums
security problem with GET - Printable Version

+--- Thread: security problem with GET (/showthread.php?tid=63628)

security problem with GET - ronaldv - 11-20-2015

My website allows user accounts, and users can upload and delete images. For deleting an image this JS is called:

Code:
// Build the delete request; the only thing that identifies the image is the id in the query string
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "<?php echo base_url(); ?>index.php/controller/method?id=" + id, true);
xmlhttp.send();

The problem is, I can manually load

domain.com/index.php/controller/method?id=xx

and I could delete another user's image.

What is the correct way of fixing this issue?


RE: security problem with GET - kilishan - 11-20-2015

You can change it to a POST request (which will still have security issues).

You need to do verification inside of the delete method to verify that

a) they have permission to delete images, and
b) they "own" that image, or belong to a role that has permission to do it.

That way people can't randomly delete strangers' photos.


RE: security problem with GET - arma7x - 11-20-2015

Make sure the image belongs to the current user, else return false. 'Images' means a user can upload many images? And do you store image info in a specific table? Add a user_id field to the table that stores image info to indicate that this image belongs to a specific user.

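One way to implement the ownership check that kilishan and arma7x describe, as an added example rather than code from the thread. It assumes CodeIgniter 3, an `images` table with `id`, `user_id` and `path` columns, the session library loaded, and the logged-in user's id stored in session under `user_id`; all of those names are placeholders.

```php
<?php
// Added example (not code from the thread): a CodeIgniter 3 delete method that
// verifies ownership before touching the row. Table and column names, and the
// `user_id` session key, are assumptions for the example.
defined('BASEPATH') OR exit('No direct script access allowed');

class Images extends CI_Controller
{
    public function delete()
    {
        // Reject anonymous callers before looking at the id at all.
        $user_id = $this->session->userdata('user_id');
        if (empty($user_id)) {
            return $this->output->set_status_header(403)->set_output('login required');
        }

        // The id from the query string only names a row; it proves nothing
        // about who is allowed to delete it.
        $image_id = (int) $this->input->get('id', TRUE);
        if ($image_id <= 0) {
            return $this->output->set_status_header(400)->set_output('bad id');
        }

        // Scope the lookup to the current user, so an id that belongs to
        // someone else matches nothing.
        $image = $this->db->get_where('images', array(
            'id'      => $image_id,
            'user_id' => $user_id,
        ))->row();

        if ($image === NULL) {
            // Same response whether the row is missing or owned by another
            // user: no hint to the client about which ids exist.
            return $this->output->set_status_header(404)->set_output('not found');
        }

        // Repeat the ownership condition on the delete itself, not just the read.
        $this->db->delete('images', array('id' => $image_id, 'user_id' => $user_id));
        if (file_exists($image->path)) {
            unlink($image->path);
        }

        log_message('info', "user {$user_id} deleted image {$image_id}");
        $this->output->set_status_header(200)->set_output('deleted');
    }
}
```

This check is what closes the hole regardless of whether the request stays a GET or becomes a POST; protecting a state-changing request against cross-site requests (CodeIgniter's CSRF token) is a separate, additional step.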

RE: security problem with GET - ronaldv - 11-21-2015

Thanks for the answers! Since the POST wouldn't solve the security issue I didn't change the GET, but added user validation in the delete method.