Anyone validating URLS passed to your app???
#1

[eluser]mindprojects[/eluser]
Hi guys!
I was wondering if anyone has used some kind of URL validation in a web app before, such as applying an md5 string to the URL to validate the URL itself, preventing a user from modifying it by hand.

Suppose we are editing a post (id 10) belonging to a user 'Pippo', passing the URL:

http://myapp/post/edit/10;

I want to prevent a user from modifying this URL by appending the id of another user's post.
Obviously I should check in my edit function whether the user can edit this post, but why not append an md5 string to the URL itself, where md5 = md5(uri string + my secret)?

The resulting URL would be:
http://myapp/post/edit/10/mdf3fef443fwerw....(32 chars)

Is it a good idea?
Thanks guys, any suggestions?
#2

[eluser]Référencement Google[/eluser]
I don't really see the need for doing this.

First of all, accessing an edit-post URL should only be possible in a secured environment, once the user is already logged in.

Then what I usually do too is ensure the edited post belongs to the concerned user by querying the DB with the logged-in user ID before letting him edit. I additionally ensure the ID is numeric and exists in the post table. With all that I am almost sure I won't have problems.
#3

[eluser]obiron2[/eluser]
I agree entirely.

When your URL contains elements that direct to restricted pages, you need to validate that:

a) The user is logged in
b) The user has access to the specified module (controller/method)
c) The user that is logged in matches the user credentials passed in the URL

I am busy implementing FreakAuth into a dev site at the moment, with a redirect to the login page and pass-through to the requested page (storing the requested URL in the session cookie) if login is successful and credentials match.

The only time I have used any sort of encryption in a URL was when I had an interactive website (poker clock) that did lots of client-side processing but needed to send a large amount of data (to re-organise players at tables) back to CI and redisplay the information using ajax. To this end, I took the tables collection object (tables->table->players->player) and serialised the object, then used the javascript urlencode() to send the serialised object back to CI as a single URL segment, where I then unencoded it and unserialised it so that I could update the database and send the ajax response back to the client.
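Added example (not code from this thread or from CodeIgniter): the ownership check described in replies #2 and #3 next to the signed-URL idea from post #1, written in plain PHP so it runs stand-alone. The `POSTS` array stands in for the posts table, `$sessionUserId` for the logged-in user from the session, and `URL_SECRET` is a hypothetical placeholder; all three are constructed for the example. The signing helper uses `hash_hmac` rather than `md5(uri . secret)` because HMAC does not share md5's length-extension weakness, and `hash_equals` so the comparison runs in constant time.

```php
<?php
// Added example: server-side ownership check for an edit action (replies #2/#3),
// plus a signed-URL helper (post #1). Plain PHP; data below is constructed.

declare(strict_types=1);

// Constructed stand-in for the posts table: post id => owner user id.
const POSTS = [
    10 => 7,   // post 10 belongs to user 7 ("Pippo")
    11 => 8,   // post 11 belongs to another user
];

/**
 * The check from replies #2 and #3: user must be logged in, the id must be
 * numeric, the post must exist, and its owner must be the logged-in user.
 * Returns the post id on success, otherwise throws; the caller maps the
 * exception to a login redirect, 404 or 403.
 */
function authorizeEdit(?int $sessionUserId, string $rawId): int
{
    if ($sessionUserId === null) {
        throw new RuntimeException('login required');             // not logged in
    }
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be numeric'); // rejects "10abc", "../" etc.
    }
    $id = (int) $rawId;
    if (!array_key_exists($id, POSTS)) {
        throw new OutOfBoundsException('no such post');           // -> 404
    }
    // Real app: SELECT id FROM posts WHERE id = ? AND user_id = ? (logged-in user)
    if (POSTS[$id] !== $sessionUserId) {
        throw new RuntimeException('not the owner');             // -> 403
    }
    return $id;
}

// Hypothetical secret for the example; a real one lives in config, not source.
const URL_SECRET = 'change-me-example-secret';

// Append an HMAC of the path as the last URL segment (post #1's idea, with HMAC).
function signPath(string $path): string
{
    return $path . '/' . hash_hmac('sha256', $path, URL_SECRET);
}

// Split off the last segment, recompute the HMAC and compare in constant time.
// Returns the verified path, or null when the signature is missing or wrong.
function verifySignedPath(string $signedPath): ?string
{
    $pos = strrpos($signedPath, '/');
    if ($pos === false) {
        return null;
    }
    $path = substr($signedPath, 0, $pos);
    $sig  = substr($signedPath, $pos + 1);
    return hash_equals(hash_hmac('sha256', $path, URL_SECRET), $sig) ? $path : null;
}

// Demo: user 7 is logged in and requests several ids.
$sessionUserId = 7;
foreach (['10', '11', '10abc', '99'] as $rawId) {
    try {
        printf("edit %s: allowed (post %d)\n", $rawId, authorizeEdit($sessionUserId, $rawId));
    } catch (Throwable $e) {
        printf("edit %s: denied (%s)\n", $rawId, $e->getMessage());
    }
}

$signed = signPath('/post/edit/10');
var_dump(verifySignedPath($signed) === '/post/edit/10');          // bool(true)
var_dump(verifySignedPath(str_replace('/10/', '/11/', $signed))); // NULL: id was tampered with
```

Run it with `php example.php`. Note that a valid signature only proves the server issued that URL; it says nothing about who is presenting it, so the ownership query in `authorizeEdit` is still the control that matters, exactly as replies #2 and #3 say. The signature is at best a cheap pre-check that lets you reject hand-edited links before touching the database.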
#4

[eluser]mindprojects[/eluser]
Thanks guys, this was what I was expecting to hear from you.
Sometimes things seem more difficult than they are, especially when it's a deep programming period.

Thanks
Marco