csrf protection for direct URL?
[eluser]cyberjunkie[/eluser]
I know that csrf protection can be enabled for submitting data via forms, but what about a direct URL? For instance, I'm allowing user-to-user subscriptions on my site. A controller named subscribe handles that. When subscribing, I add 2 URL segments to the controller class, e.g. http://www.mysite.com/subscribe/add_user/234 In my controller subscribe, the function add_user($user_id) captures the 3rd URL segment, which is the user id I am subscribing to, and adds that to my database table. The issue is that I can go to the URL from anywhere and subscribe, unlike using a form. I know that I can use a form, but for simplicity I want just a URL. What methods can I implement with CI for security when inserting data into the database from a URL segment?
[eluser]Eric Barnes[/eluser]
The best advice is never to insert, edit, or delete from a GET request because, as you know, it can be loaded with no validation. Other than that, I say use a form to subscribe them or do a whole bunch of security checks on the id passed.
[eluser]cyberjunkie[/eluser]
Thanks Eric. I guess I would have to add a hidden input with the value. Would adding a URL segment in the form action URL be ok rather than direct link? Considering that it's csrf protected.
[eluser]fesweb[/eluser]
To keep people from accessing other urls just by changing the ID, I add a hashed segment on the end of links.
Code: http://www.mysite.com/subscribe/add_user/234
Code: function hashomatic($str)
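Added example (not code from the thread, from fesweb, or from CodeIgniter) putting the two answers together: a signed URL segment in the spirit of fesweb's hashed segment, so the id in the link cannot simply be swapped, plus Eric's rule of refusing to write on GET and requiring a POST that carries the session's CSRF token. A signature on the id alone does not stop CSRF, because a logged-in user can still be made to load the signed link from another site, which is why the POST and token checks remain. Plain PHP is used so it runs outside the framework; SIGNING_KEY, the function names and the sample ids are assumptions for the example.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// Assumption: the key would normally live in config, not in source.
const SIGNING_KEY = 'replace-with-a-long-random-secret-from-config';

// HMAC over who subscribes to whom, so a link minted for one account
// is not valid when replayed from another account.
function signed_segment(int $targetUserId, int $subscriberId): string
{
    return hash_hmac('sha256', "subscribe:$subscriberId:$targetUserId", SIGNING_KEY);
}

// Form action URL, e.g. /subscribe/add_user/234/<hex signature>
function build_subscribe_url(int $targetUserId, int $subscriberId): string
{
    return "/subscribe/add_user/$targetUserId/" . signed_segment($targetUserId, $subscriberId);
}

// Validates the URL segments [id, signature]; returns the id or null.
function verify_segments(array $segments, int $subscriberId): ?int
{
    if (count($segments) !== 2) {
        return null;
    }
    [$id, $sig] = $segments;
    if (!is_string($id) || !ctype_digit($id) || $id === '0') {
        return null;                       // id must be a positive integer
    }
    $expected = signed_segment((int) $id, $subscriberId);
    if (!is_string($sig) || !hash_equals($expected, $sig)) {
        return null;                       // constant-time comparison
    }
    return (int) $id;
}

// What the controller action would do. $inserted collects the rows that
// would be written, so the example stays offline.
function handle_subscribe(string $method, array $segments, ?string $postedToken,
                          string $sessionToken, int $subscriberId, array &$inserted): string
{
    if ($method !== 'POST') {
        return '405 writes are not accepted over GET';
    }
    if ($postedToken === null || !hash_equals($sessionToken, $postedToken)) {
        return '403 bad or missing CSRF token';
    }
    $targetId = verify_segments($segments, $subscriberId);
    if ($targetId === null) {
        return '400 invalid or tampered user id';
    }
    $inserted[] = ['subscriber' => $subscriberId, 'target' => $targetId];
    return '200 subscribed';
}

// Constructed walk-through: user 17 is logged in and wants to follow user 234.
$sessionToken = bin2hex(random_bytes(16));
$inserted     = [];
$url          = build_subscribe_url(234, 17);
$segments     = array_slice(explode('/', trim($url, '/')), 2);   // ['234', '<sig>']

echo handle_subscribe('GET',  $segments, null,          $sessionToken, 17, $inserted), "\n";
echo handle_subscribe('POST', $segments, 'wrong-token', $sessionToken, 17, $inserted), "\n";
$tampered = ['999', $segments[1]];                                 // id swapped, old signature kept
echo handle_subscribe('POST', $tampered, $sessionToken, $sessionToken, 17, $inserted), "\n";
echo handle_subscribe('POST', $segments, $sessionToken, $sessionToken, 17, $inserted), "\n";
echo count($inserted), " row(s) would be inserted\n";
```

Inside a CodeIgniter controller the same checks would read the two segments with $this->uri->segment(3) and $this->uri->segment(4), the method with $this->input->server('REQUEST_METHOD'), and the subscriber id from the session; with csrf_protection enabled in config, form_open() emits the hidden token and the framework compares it for you, so only the signature check and the method check need to be written by hand.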
[eluser]cyberjunkie[/eluser]
Thanks for sharing that Fesweb! CI should definitely have a similar function.