A method like uri_segments but with parameter
#11

[eluser]JaRoLLz[/eluser]
[quote author="Michael Wales" date="1233395203"]
Quote:Indeed my delete method is very dangerous. However, the controller that contains the delete method has an authentication mechanism written in the constructor. So a simple call like that will not do anything.

I don't know how that would prevent anything... if you go login to your site, and you are an admin there (full rights), and your session lasts 2 hours. Now, you go visit my blog, within those 2 hours - your user table is wiped out.

You need to switch this to a POST request, as well as include a nonce within that request that is validated within the form processor. Otherwise you are opening a huge security hole...[/quote]

After thinking for a while, this hole is exploitable if a full-rights user accidentally executes that code. I didn't read your post carefully the first time. Changing to the POST method using a hidden form now.

Code:
<form method='post' action='<?php echo site_url('users/delete_user') ?>'>
  <input type='hidden' name='notmalicious' value='imnot'>
  <input type='hidden' name='userdbid' value='<?php echo $udata['id'] ?>'>
</form>
#12

[eluser]Michael Wales[/eluser]
Code:
<input type='hidden' name='notmalicious' value='imnot'>

You are off to a decent start here - at least understanding the concept. Unfortunately, you are using this same value every single time. All I have to do is view the source of your site once, and I will always know how to convince your site that my requests are notmalicious (by passing 'imnot') to it.

So, think on that for a bit - how would you go about making that value change every time the page is loaded, but still know if it's valid or not within the form processor?

Hint: My blog has the answer in at least 2 of the CodeIgniter Advent articles.
#13

[eluser]JaRoLLz[/eluser]
Hmm, I generate a random number every time a user logs in. Then store that number in a session. So for that current session, the correct 'password' is that generated random number. I think that's the easiest way.

Currently reading your ci advent articles...
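The per-request nonce Michael Wales is hinting at in #12, as an added example that is not code from this thread or from CodeIgniter itself: the hidden value is freshly generated each time the form is rendered, remembered server-side, and accepted once. The session layout, field names, the `/users/delete_user` path and the sample `$udata` are assumptions for illustration.

```php
<?php
// Added example, not code from the thread or from CodeIgniter: a per-request
// CSRF nonce for the delete form. Session layout, field names and the
// /users/delete_user path are assumptions for illustration.
session_start();

// Issue a fresh, unguessable nonce each time the form is rendered and
// remember it server-side so the form processor can recognise it later.
function csrf_issue_token(): string {
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $_SESSION['csrf_tokens'][$token] = time();  // remember when it was issued
    return $token;
}

// Accept a submitted nonce only if it was issued to this session, has not
// expired, and has not been used before (every token is consumed on use).
function csrf_validate_token(?string $submitted, int $ttl = 3600): bool {
    if ($submitted === null) {
        return false;
    }
    foreach ($_SESSION['csrf_tokens'] ?? [] as $issued => $when) {
        if (hash_equals($issued, $submitted)) {      // constant-time compare
            unset($_SESSION['csrf_tokens'][$issued]); // one-time use
            return (time() - $when) <= $ttl;
        }
    }
    return false;
}

// Form processor: only a POST carrying a valid nonce reaches the delete.
function handle_delete_user(array $post, string $method): string {
    if ($method !== 'POST' || !csrf_validate_token($post['csrf_nonce'] ?? null)) {
        return 'rejected';   // a controller would answer 403 here
    }
    // the constructor's authentication check and the actual delete go here
    return 'deleted user ' . (int) ($post['userdbid'] ?? 0);
}

// Rendering the form: the hidden value now differs on every page load.
$udata = ['id' => 42];          // constructed sample record
$nonce = csrf_issue_token();
?>
<form method='post' action='/users/delete_user'>
  <input type='hidden' name='csrf_nonce' value='<?php echo htmlspecialchars($nonce, ENT_QUOTES); ?>'>
  <input type='hidden' name='userdbid' value='<?php echo (int) $udata['id']; ?>'>
</form>
```

A GET to the URL, or a POST that replays a value copied from page source, fails `csrf_validate_token` because the nonce is either unknown to the session or already consumed.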
