MSosnovski
Posts: 8
Posted: 04/01/2008, 7:26 PM
Using the URL http://forums.yessoftware.com/posts.php?post_id=78146, we can change the number 78146, for example to 78145, and read that text. How can we prevent access to the URL?
_________________
PHP 5.x + MySQL 5.x + Linux
Brasil!
waqasaltaf
Posts: 37
Posted: 04/01/2008, 7:45 PM
If you are using an Access database, then in the field post_id, instead of doing increment, do random numbers. This way Access will give random numbers to the post_id field and it will be much harder to guess.
Hope this helps
wkempees
Posts: 1679
Posted: 04/01/2008, 7:54 PM
In the Helpfile, QuickStart Tutorials, such a scenario is described; search Help for "Implement Record Security in After Initialize Event". Although not exactly what you need, it does give good pointers.
To cater for your specific question, you could store the post_id in a session var upon clicking the link leading to the composed URL, while testing the URL-posted id against the session var upon opening of the article.
A few other approaches are possible:
URL cloaking, compose/decompose algorithm, and such.
JM2ct
Walter
_________________
Origin: NL, T:GMT+1 (Forumtime +9)
CCS3/4.01.006 PhP, MySQL .Net/InMotion(Vista/XP, XAMPP)
if you liked this info PAYPAL me: http://donate.consultair.eu
DonB
Posted: 04/02/2008, 4:01 AM
The question is, why would someone NOT be allowed to view 78145? Does it 'belong' to another user? If so, then the data source should include an Expression that adds another value, such as 'userid=123', in addition to what the URL specifies. That way, the user cannot just randomly select anything other than what the added filter limits them to selecting.
--
DonB
"MSosnovski" <MSosnovski@forum.codecharge> wrote in message
news:547f2eebd75180@news.codecharge.com...
> Using the url: http://forums.yessoftware.com/posts.php?post_id=78146, we can
> change the number 78146, for example to 78145 and to read the text, how we can
> prevent access to the url?
> _________________
> Brasil!
> ---------------------------------------
> Sent from YesSoftware forum
> http://forums.yessoftware.com/
MSosnovski
Posts: 8
Posted: 04/03/2008, 4:42 AM

Thank you, friends!
I tried to work on a simple solution, but I must be doing something wrong, as it is not working properly. Can someone help me?
In the "After Initialize" event of the page, I put:
global $textos;
global $Redirect;
// redirect to obrigado.php when the record's Label1 value is 0
if ($textos->Label1->GetValue() == 0)
{
$Redirect = "obrigado.php";
}
Thanks!
_________________
PHP 5.x + MySQL 5.x + Linux
Brasil!
alii
Posts: 5
Posted: 04/03/2008, 6:02 PM
Quote DonB:
the data source should include an Expression that adds another value, such as 'userid=123' in addition to what
the URL specifies
Is it really possible that instead of showing http://forums.yessoftware.com/posts.php?post_id=78146 the URL shows http://forums.yessoftware.com/posts.php?post_id=78146&user_name=MSosnovski?
DonB, can you show us some code please?
GeorgeS
Posts: 206
Posted: 04/04/2008, 6:26 PM
If you really want to confuse everybody and hide your real parameters, you can also encrypt the whole query string with all params, like this:
page.php?somevar=QlRTMTA2MHxTTUEgQklBUyBURUUgMTAtNjAwME1IenwxODkuNzd8YWRkfGV1QWlZVkYy
and do the decrypting inside the appropriate event, like BeforeBuildSelect...
_________________
GeorgeS
maxhugen
Posts: 272
Posted: 04/04/2008, 11:14 PM
I too don't really like the parameters in the URL - I feel it raises security issues, but as a novice I'm not totally sure.
AJAX may be a way around this, as it doesn't use URL parms... but I haven't been able to figure out the AJAX examples provided by CCS, since they didn't include a Description page outlining how to create these things.
_________________
Max
www.gardenloco.com | www.eipdna.com | www.chrisarminson.com
MSosnovski
Posts: 8
Posted: 04/07/2008, 12:25 PM

Thanks again, friends!
I found George's proposal interesting: use a label link. Where do I put CCEncryptString(String, Key)?
As a parameter of Href Source? Or in another place?
Can you give us an example?
Thanks!
_________________
PHP 5.x + MySQL 5.x + Linux
Brasil!
mentecky
Posts: 321
Posted: 04/08/2008, 8:12 AM
I have run into this a lot. Randomizing the ID seemed a good idea at the time, but I found that 2 users on the same computer with different logins could view each other's records using the browser's history and favorites. So I add a little bit of code to the Before Show event on the record. It checks to make sure the logged in user is the owner of the record and redirects to an error page if not.
For example: I have a "Personal Messages" section in a site I run. I put this code in the Before Show event of the Personal Message record.
global $Redirect;
// First make sure this user can view this message
if ($personal_message->ds->f("to_user_id") != CCGetUserID())
{
// Redirect
$Redirect = "personal_msg_error.php";
}
Another super simple way is to just add "user_id=CCGetUserID()" to your queries. It won't prevent the page from displaying, but the record data will be blank.
Hope that helps.
_________________
http://www.ccselite.com
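The approach DonB and mentecky describe (the owner's id becomes part of the WHERE clause, and the owner's id comes from the session, not from the URL) is the actual fix for this class of bug, usually called an insecure direct object reference. The following is an added example written for this page, not code from the thread or from CodeCharge Studio; it uses plain PDO with an in-memory SQLite table and constructed sample rows so it runs on its own. Names such as fetch_post_for_user and show_post are invented for the illustration.

```php
<?php
// Added example (not CodeCharge Studio code): the record filter carries the
// session user's id, so a guessed post_id returns no row instead of another
// user's post. Sample table and rows below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO posts VALUES (78145, 1, 'private note of user 1'), (78146, 2, 'private note of user 2')");

// Vulnerable: the only filter is the client-controlled post_id, which is the
// situation the original question describes.
function fetch_post_unsafe(PDO $db, int $post_id): ?array
{
    $st = $db->prepare('SELECT post_id, user_id, body FROM posts WHERE post_id = :id');
    $st->execute([':id' => $post_id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the owner's id is taken from the server-side session and added to
// the WHERE clause (DonB's 'userid=123' expression, mentecky's
// "user_id=CCGetUserID()"). A post_id that belongs to someone else yields no row.
function fetch_post_for_user(PDO $db, int $post_id, int $session_user_id): ?array
{
    $st = $db->prepare(
        'SELECT post_id, user_id, body FROM posts WHERE post_id = :id AND user_id = :uid'
    );
    $st->execute([':id' => $post_id, ':uid' => $session_user_id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Page handler: validate the id as an integer, then treat "not yours" exactly
// like "does not exist" so the response does not reveal which ids are taken.
function show_post(PDO $db, array $query, int $session_user_id): array
{
    $post_id = filter_var($query['post_id'] ?? '', FILTER_VALIDATE_INT);
    if ($post_id === false) {
        return ['status' => 400, 'body' => 'bad post_id'];
    }
    $row = fetch_post_for_user($db, $post_id, $session_user_id);
    if ($row === null) {
        return ['status' => 404, 'body' => 'record not found'];
    }
    return ['status' => 200, 'body' => $row['body']];
}

// Demo: user 1 (id taken from the session) rewrites post_id=78145 to 78146.
$session_user_id = 1;
$unsafe = fetch_post_unsafe($db, 78146);
$other  = show_post($db, ['post_id' => '78146'], $session_user_id);
$own    = show_post($db, ['post_id' => '78145'], $session_user_id);
$junk   = show_post($db, ['post_id' => '78146 OR 1=1'], $session_user_id);

printf("unsafe query body : %s\n", $unsafe['body']);
printf("hardened, other id: %d %s\n", $other['status'], $other['body']);
printf("hardened, own id  : %d %s\n", $own['status'], $own['body']);
printf("hardened, bad id  : %d %s\n", $junk['status'], $junk['body']);
```

The same function must sit behind every way of reaching the record, including any AJAX service URL: the check runs on the server per request, so it does not matter whether the id arrived from the address bar, a form post, or an XMLHttpRequest. Returning 404 rather than 403 for a foreign id is a deliberate choice; if the application needs to distinguish the two for its own users, log the distinction server-side instead of exposing it in the response.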
GeorgeS
Posts: 206
Posted: 04/08/2008, 6:00 PM
//BeforeShowRow event of the grid control
//base64 is reversible, so this only hides the values from a casual viewer; it is not encryption
$str = base64_encode($grid->id->GetValue() . '|' . $grid->whatever->GetValue());
$grid->mylink->SetLink("?" . CCAddParam(CCGetQueryString("QueryString", ""), "newparam", $str));
//some other event where you'd like to use params
//InStrCount is not a built-in PHP function; this definition (via substr_count) makes the snippet self-contained
function InStrCount($haystack, $needle)
{
return substr_count($haystack, $needle);
}
$urlstring = base64_decode(isset($_REQUEST['newparam']) ? $_REQUEST['newparam'] : "");
$nnn = InStrCount($urlstring, "|");
//"id|whatever" holds exactly one separator
if ($nnn == 1)
{
$params = explode('|', $urlstring);
$id = $params[0];
$whatever = $params[1];
}
else
{
//show 'record not found' message
}
_________________
GeorgeS
lwismanuel
Posts: 39
Posted: 04/13/2008, 11:31 PM
George, that is obfuscating and not encrypting the URL parameters. You might be able to fool a regular user but not a smart URL guesser. It all depends on how far the individual wants to go to hack the URL. I think your suggestion would be secure if you encrypt the params instead.
The best approach that I have seen so far is shown in the CCS documentation, in the Task Management example, where you have to check if the user should be accessing that particular record.
global $tasks;
global $Redirect;
global $DBIntranetDB;
$current_task = CCGetParam("task_id", "");
if ($current_task != 0 && CCGetUserID() != CCDLookUp("user_id_assign_to", "tasks", "task_id=" . $DBIntranetDB->ToSQL($current_task, ccsInteger), $DBIntranetDB))
{
// $tasks->Visible = false;
$Redirect = "tasks_list.php";
// $tasks->UpdateAllowed = false;
// $tasks->DeleteAllowed = false;
}
With that approach you have to assign the record to a user, group or depending on how you do your query. A perfect example is in this forum that when you are logged in it allows you to edit only your post and not others.
Quote :AJAX may be a way around this, as it doesn't use URL parms..
Max, AJAX does use URL parms. You can get them from the JavaScript file or using a packet sniffer. You might not be able to see the params in the address bar because you are submitting them using the XMLHttpRequest object, but the params are there.
Remember! there are many ways to kill a cat. Just choose your way carefully.
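To make the obfuscation-versus-protection distinction concrete, here is an added example (written for this page, not code from the thread or from CodeCharge Studio). It puts George's base64 parameter next to a parameter that carries an HMAC-SHA256 tag computed with a server-side key. The example signs rather than encrypts, since the property at stake is that a visitor cannot alter the id; the id itself stays readable, but any change to it invalidates the tag. SIGNING_KEY, sign_param, verify_param and the url_b64_* helpers are all invented for the illustration, and the key value is a constructed placeholder.

```php
<?php
// Added example, not code from this thread or from CodeCharge Studio. It contrasts
// a base64-obfuscated parameter with an HMAC-signed one that the server can verify.
// SIGNING_KEY is a constructed placeholder; a real key should come from
// bin2hex(random_bytes(32)) and live outside the source tree.

const SIGNING_KEY = 'constructed-example-key-do-not-use';

// URL-safe base64 (RFC 4648 section 5): no '+', '/' or '=' to be mangled in a query string.
function url_b64_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function url_b64_decode(string $enc): ?string
{
    $b64 = strtr($enc, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $raw = base64_decode($b64, true);
    return $raw === false ? null : $raw;
}

// Obfuscation only: anyone can decode this, edit the id and re-encode it.
function obfuscate(int $id, string $extra): string
{
    return url_b64_encode($id . '|' . $extra);
}

// Signed: payload plus an HMAC-SHA256 tag over it. Without SIGNING_KEY an
// attacker cannot produce a valid tag for a different id. $extra must not
// contain the '|' separator.
function sign_param(int $id, string $extra): string
{
    $payload = $id . '|' . $extra;
    return url_b64_encode($payload . '|' . hash_hmac('sha256', $payload, SIGNING_KEY));
}

// Returns ['id' => int, 'extra' => string] for an untampered link, null otherwise.
function verify_param(string $param): ?array
{
    $raw = url_b64_decode($param);
    if ($raw === null) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3 || !preg_match('/^\d+$/', $parts[0])) {
        return null;
    }
    [$id, $extra, $tag] = $parts;
    $expected = hash_hmac('sha256', $id . '|' . $extra, SIGNING_KEY);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    return ['id' => (int) $id, 'extra' => $extra];
}

// Demo: the server issues a link for post 78146; an attacker keeps the tag they
// observed and swaps the id for 78145.
$issued   = sign_param(78146, 'view');
$valid    = verify_param($issued);
$seen_raw = url_b64_decode($issued);
$seen_tag = substr($seen_raw, strrpos($seen_raw, '|') + 1);
$forged   = url_b64_encode('78145|view|' . $seen_tag);
$rejected = verify_param($forged);

printf("obfuscated %s decodes to %s\n", obfuscate(78146, 'view'), url_b64_decode(obfuscate(78146, 'view')));
printf("issued link accepted: %s\n", $valid === null ? 'no' : 'yes, id ' . $valid['id']);
printf("forged link accepted: %s\n", $rejected === null ? 'no' : 'yes');
```

A signed parameter proves only that the server issued that exact link; it says nothing about whether the user presenting it is allowed to read the record, and it can be replayed from browser history by anyone sharing the machine, which is the failure mentecky describes above. The per-request ownership check against the session user is still required; signing is an addition to it, not a replacement.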
GeorgeS
Posts: 206
Posted: 04/15/2008, 2:38 PM
lwismanuel,
my snippet was intended just to fool a regular user on those pages that are not password protected.
_________________
GeorgeS
maxhugen
Posts: 272
Posted: 04/19/2008, 7:04 AM
lwismanuel, I take your point on AJAX using URL parms, now that I've been exploring AJAX a bit further. In fact, I find I have a problem in that I can use the AJAX Service URL (getting it from the javascript, as you point out) directly in the browser, and get results. Not cool!
Whilst the app I'm trying to create doesn't need really strong security at all, I'd like to find "good ways" to handle these issues as a matter of principle. I obviously have a lot of learning to do re security, and the prevention of hacking!
_________________
Max
www.gardenloco.com | www.eipdna.com | www.chrisarminson.com
MSosnovski
Posts: 8
Posted: 05/08/2008, 12:41 PM
George, how are you?
I did a test of the script, and the encode worked, but the decode calls the function InStrCount; I researched and found several on the Internet. Can you help us?
Regards
_________________
PHP 5.x + MySQL 5.x + Linux
Brasil!