Welcome Guest, Not a member yet? Register   Sign In
security problem with GET

My website allows user accounts, and users can upload and delete images. For deleting an image this js is called:

xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "<?php echo base_url(); ?>index.php/controller/method?id=" + id, true);

The problem is, I can manually load


and I could delete another user's image.

What is the correct way of fixing this issue?

You can change it to a POST request (which will still have security issues).

You need to do verification inside of the delete method to verify that

a) they have permission to delete images, and
b) they "own" that image, or belong to a role that has permission to do it.

That way people can't randomly delete stranger's photos.

Make sure the image belong to current user else return false. 'Images' mean user can upload many images? And do you store image info's into specific table? Add user_id field into table that store image info to indicate that this image belong to specific user.
Keep calm.

Thanks for the answers! Since the POST wouldn't solve the security issue I didn't change the GET, but added user validation in the delete method.

Theme © iAndrew 2016 - Forum software by © MyBB