Hackable URLs
#1

[eluser]The Mask[/eluser]
Hi,
I am quite new to CodeIgniter and was after some guidance on what to pass in the URL. I don't want to make my URLs hackable, so should all IDs be posted in a form and URLs used just for methods?
Any comments/advice welcome.
Cheers
#2

[eluser]matthewr[/eluser]
This depends on how valuable your IDs are. If a person can break your system by just knowing an ID, then yes, you should hide it. But generally, this shouldn't be the case. If your system is that easy to break, then it's not very secure. Making IDs public, in most cases, shouldn't be much of a security threat. But this does not apply to all cases. The best thing to do here is validation: check that the IDs the user is passing are correct and such.
#3

[eluser]gtech[/eluser]
To add to what matthewr said, you could also have some form of user authentication, like a login screen, and then store the user credentials in a session. This means that when an ID is passed through, you can check that the user has the correct permissions to change/view the data.
#4

[eluser]nmweb[/eluser]
$_POST is just as easy to manipulate as $_GET (or anything else in the URL). Do not trust $_POST to be more secure.
#5

[eluser]Vince Stross[/eluser]
For me it always boils down to validating every $_POST. For instance, I always check the one condition that always seems to be there that would make it impossible for someone to get anywhere by fishing for IDs. I only have database IDs in the URL in the back-office area, where you can usually assume the admin of the site has no reason to want to break something.

Otherwise, follow the lead of the blogging platforms, using slugs and such to refer to a database row by an alphanumeric, URL-friendly value. CodeIgniter has a function that will convert a string value, for instance "Mike's Home Page", into "mikes_home_page" for you to save as a separate column in your database. This way you can look up that value (if you have a large table you may want to index this column as well) when using a URL to find a database row. This also permits much more search-friendly sites, because you can add ".html" on the end of links, etc.

Have Fun!
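The points made in the replies above (validate the ID, authenticate the user, and never treat $_POST as more trustworthy than the URL) put together as one lookup function. This is an added, framework-agnostic PHP example with constructed in-memory data, not CodeIgniter's own API or code from any poster; the table, column names and the "positive integer" ID rule are assumptions.

```php
<?php
// Constructed sample data in an in-memory SQLite database (not a real schema).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, slug TEXT, total REAL)');
$db->exec("INSERT INTO invoices VALUES (1, 10, 'march-hosting', 49.0), (2, 11, 'april-hosting', 99.0)");

/**
 * Look up one invoice for the logged-in user.
 *
 * $raw_id is whatever arrived in the URL segment or in $_POST; both are
 * attacker-controlled, so the value is validated first and the query is
 * scoped to the user id stored in the server-side session. A guessed id
 * belonging to someone else simply returns nothing.
 */
function find_invoice(PDO $db, $raw_id, ?int $session_user_id): ?array
{
    // No authenticated session: there is no user to authorise, so refuse.
    if ($session_user_id === null) {
        return null;
    }
    // Validate the shape before touching the database (assumed rule: positive integer, max 10 digits).
    if (!is_string($raw_id) && !is_int($raw_id)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $raw_id)) {
        return null;
    }
    // Authorisation lives in the query itself: the row must match BOTH the id and the owner.
    // A prepared statement keeps the (already validated) value out of the SQL text.
    $stmt = $db->prepare('SELECT id, slug, total FROM invoices WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => (int) $raw_id, ':owner' => $session_user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed calls covering the cases the thread discusses.
var_dump(find_invoice($db, '1', 10));         // id the user owns
var_dump(find_invoice($db, '2', 10));         // id that exists but belongs to another user
var_dump(find_invoice($db, '2 OR 1=1', 10));  // malformed id, rejected before any query
var_dump(find_invoice($db, '1', null));       // no session at all
```

The same function works unchanged whether the id came from a URL segment or from a posted form, which is the point nmweb makes: the channel does not matter, the check does.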