What can stop a user from manually typing in a function name in URL?

#1
[eluser]incog03[/eluser]
My site doesn't use sessions and is a forum type website, Kinda like this forum. Anywho, there's actually nothing stopping someone from typing in the preview URL which includes a specific thread/post number in the url. If a user were to do this they'd be able to manipulate any post in the entire forum.

For example:
This is the post someone has made.
Code:
http://localhost/imageforum/imageController/carpost/80

To post something, the user needs to preview it first, but the item is already placed into the database (unactivated and unviewable until the user posts it).
The preview page would be:
Code:
http://localhost/imageforum/imageController/preview/80

The preview page, like this CodeIgniter website, has the option of allowing the user to modify the post (i.e. update the database) or post it as is.


What stops any user from typing in
Code:
http://localhost/imageforum/imageController/preview/23
or
Code:
http://localhost/imageforum/imageController/preview/421
etc etc and changing any post as they see fit???

#2
[eluser]jmadsen[/eluser]
You write code to stop them from doing it.

just like, if they type:

http://www.mysite.com/admin/delete/users/all

It probably won't happen, because you've checked to see if they are logged in, are an admin, and have the "Delete all users" right.

#3
[eluser]incog03[/eluser]
But how do you stop people if you're not using sessions?

#4
[eluser]danmontgomery[/eluser]
http://ellislab.com/codeigniter/user-gui...llers.html

Quote:In some cases you may want certain functions hidden from public access. To make a function private...

#5
[eluser]incog03[/eluser]
[quote author="noctrum" date="1310067270"]http://ellislab.com/codeigniter/user-gui...llers.html

Quote:In some cases you may want certain functions hidden from public access. To make a function private...
[/quote]

I was actually looking into private functions before I posted this thread. While your input is appreciated, without any sort of example, your post isn't very helpful...

While I was attempting to utilise private functions, it would actually stop the preview page from loading if I manually entered the address in the URL, it would also prevent my controller from accessing the function as well...

#6
[eluser]mbrzuzy[/eluser]
You could check to see if the IP of the user accessing the preview matches the IP of the author, but that's not really a good method since IPs can change.

Why not just use sessions and compare the userid with the userid of the author?

#7
[eluser]Amitabh Roy[/eluser]
Not just the post id; you can pass another parameter which is essentially a hash:

Code:
http://localhost/imageforum/imageController/preview/23/wskl2347sd34545t324


In the page/controller you are generating the links you can set a cookie for the hash.
In the controller for preview you can check for the cookie value.
You can generate new hash every time the page containing the links to the post is rendered.


Now if you have several posts, it's up to you to devise a mechanism to use a single hash for all the links of the current page generation, or different hashes for different links.

This is the way we do it for activation via email. ;-P


A cookie is just one validation scheme to prevent direct access; other, more refined methods can definitely be implemented.

#8
[eluser]predat0r[/eluser]
Store the user_id in the post, and check if the logged-in user_id is the same as the post's user_id. I guess you use authentication.
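One session-less way to implement the token idea from #7 (covering the case #8 cannot, where there is no logged-in user_id to compare), as an added example in plain PHP that is not the thread's or CodeIgniter's own code: the preview URL issued when the post is stored carries an HMAC token bound to the post id and an expiry, and the controller verifies it before showing or updating anything, so editing the id in the URL invalidates the token. PREVIEW_TTL, the placeholder secret, the segment layout and the constructed demo values are assumptions.

```php
<?php
// Added example, not code from the thread or from CodeIgniter: a preview link that
// carries an unforgeable token bound to the post id, so preview/23 cannot be opened
// by someone who was only ever issued a link for post 80. Plain PHP, no framework.

const PREVIEW_TTL = 900; // assumed: a preview link stays valid for 15 minutes

// HMAC over "postId|expires" keyed with a server-side secret. Without the secret
// nobody can compute a valid token for another post id or a later expiry.
function make_preview_token(int $postId, int $expires, string $secret): string
{
    return hash_hmac('sha256', $postId . '|' . $expires, $secret);
}

// Called where the post is first stored: emit the only URL that will open its preview.
function make_preview_url(int $postId, string $secret, int $now): string
{
    $expires = $now + PREVIEW_TTL;
    $token   = make_preview_token($postId, $expires, $secret);
    return "/imageforum/imageController/preview/{$postId}/{$expires}/{$token}";
}

// Called first thing in the preview (and update/post) action, before any DB write.
function preview_allowed(int $postId, int $expires, string $token, string $secret, int $now): bool
{
    if ($expires < $now) {
        return false; // stale link
    }
    $expected = make_preview_token($postId, $expires, $secret);
    // hash_equals() compares in constant time; a plain == is both timing-leaky and type-loose.
    return hash_equals($expected, $token);
}

// Demo with a constructed secret (placeholder; load the real one from config, never from the URL).
$secret = 'PLACEHOLDER-long-random-server-secret';
$now    = time();
$url    = make_preview_url(80, $secret, $now);
[$id, $exp, $tok] = array_slice(explode('/', $url), -3);

// A user who follows the issued link for post 80.
var_dump(preview_allowed((int) $id, (int) $exp, $tok, $secret, $now));
// The same user editing the URL to post 23 while keeping the token.
var_dump(preview_allowed(23, (int) $exp, $tok, $secret, $now));
// The issued link presented after its expiry has passed.
var_dump(preview_allowed((int) $id, (int) $exp, $tok, $secret, $now + PREVIEW_TTL + 1));
```

The same check must run on the update and post actions, not only on the preview page, since those are the requests that actually change the database.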





