12 Replies Latest reply on Jan 17, 2011 5:58 AM by matthew stuart

    Passing url parameter and users changing them

      I've been reading some of the topics and have been unable to resolve a problem I'm experiencing.

      Explanation:
      I've created a multi-user site that enables you to login to your own profile, add pictures, and journals etc.

      Problem:
      When a user wants to edit/update for example their 'journal' they are able to change the URL parameter 'journal_id' to that of someone else's.

      My attempts:
      My 'users' table has a 'user_id' and my journal table has 'journal_id' and 'user_id' (foreign key). I have tried the following.
      Clicking to edit a 'journal' passes 'journal_id' and 'user_id = kt_login_id' to the update page; however, the update page is only accepting/looking for 'journal_id', and I can't seem to figure out how the update page will only allow a user to view 'journal_id's based on the user's session, and not allow them to change the URL parameter to another number.

      I'm sure, as always, there is a really simple solution; I think I'm just in the thick of it and can't see the wood for the trees.

      I really want to make this site as secure as possible and could really benefit from some advice.

      Thanks in advance
        • 1. Re: Passing url parameter and users changing them
          Günter Schenk Level 4
          Hi Angelo,

          personally I´d rather apply ADDT´s "Show If Conditional Region" server behaviour to the form displayed in your "update_journal.php" page -- select the form in DW, launch the server behaviour and assemble the condition like this:

          Expression 1: select the query´s "journal_id"
          Condition: == (aka equals)
          Expression 2: session variable kt_login_id

          this condition should show the form only when the current "journal_id" matches the user´s session variable

          of course I´d suggest ticking the "Has ELSE" option to leave an error message like "you are not authorized to edit this record !" to the user

          Does that help ?

          Günter Schenk
          Adobe Community Expert, Dreamweaver
          • 2. Re: Passing url parameter and users changing them
            Level 1
            Hi Gunter, thanks for your quick response!

            In your example, will the user still be able to view other people's entries, with the only deterrent being the "Has Else" statement?

            Surely there must be a way that, in the event that the user changes the 'profile_id' in the parameter, nothing happens, as they are not the user that posted that actual data.

            Please let me know if I'm confused and your example is sufficient for my problem.

            Most sites make the parameters encrypted. Is there some way of doing this?

            Thanks again, it seems I'm in good hands.
            • 3. Re: Passing url parameter and users changing them
              Level 1
              Also,

              I've just tried it, and it's not showing any of the journals, even the ones created by the logged in user.

              Show If Conditional Region as described above equates to:

              if journal_id = kt_login_id
              else -> 'You are not authorised to edit this record'

              However the journal_id will never match the kt_login_id as this is the id of the logged in user.

              journal_id=12
              user_id = 28

              I'm sure that's obvious, but maybe I need to create a recordset to help me?
              • 4. Re: Passing url parameter and users changing them
                Günter Schenk Level 4
                Hi Angelo,

                >>
                In your example will the user still be able to view other peoples entries
                >>

                when the record´s "journal_id" column does hold the "allowed user id", trying to reload the page with another person´s id would display the error message instead, because this one´s not matching the user´s kt_login_id session variable.

                >>
                Please let me know if Im confused and your example is sufficient for my problem
                >>

                yes to both, LOL :-) No, you´re certainly not "confused", as this is an important issue that needs some clarification

                >>
                Most sites make the parameters encrypted. Is there some way of doing this?
                >>

                there´s maybe a way to do this, but in your case it would be overkill, as the suggested solution does add an additional "security level" that´s checking the update form against the current login id -- now just go ahead and try it :-)

                Günter Schenk
                Adobe Community Expert, Dreamweaver
                • 5. Re: Passing url parameter and users changing them
                  Günter Schenk Level 4
                  >>
                  However the journal_id will never match the kt_login_id as this is the id of the logged in user.

                  journal_id=12
                  user_id = 28
                  >>

                  in what "journal" column are you storing the user_id after all ?

                  Günter Schenk
                  Adobe Community Expert, Dreamweaver
                  • 6. Re: Passing url parameter and users changing them
                    Level 1
                    Hi Gunter, your sense of humor is great and your patience even better!

                    you've lost me completely!

                    If this clears anything up:

                    table: 'journal'
                    journal_id
                    user_id
                    title
                    copy
                    created

                    table: 'users'
                    user_id
                    username
                    email
                    f_name
                    surname
                    pwd

                    Is my table structure incorrect, and is this why it's not working?

                    I just tried this and still no avail:

                    A recordset called 'rsJAccept':

                    SELECT journal_id, journal.user_id
                    FROM journal LEFT JOIN users ON journal.user_id = users.user_id
                    WHERE journal.user_id = colname

                    My Conditional statement:

                    <?php // Show IF Conditional region2
                    if (@$row_rsJAccept[''] == @$_SESSION['kt_login_id']) {
                    ?>

                    <?php // else Conditional region2
                    } else {?>
                    You are not authorised to edit this record
                    <?php // endif Conditional region2
                    }?>

                    Thanks,
                    Where are you, by the way? Is it morning or night?
                    • 7. Re: Passing url parameter and users changing them
                      Günter Schenk Level 4
                      Hi Angelo,

                      >>


                      >>

                      I see that $row_rsJAccept[''] doesn´t have any special column specified -- this one should certainly have the $row_rsJAccept['journal.user_id'] defined, as otherwise there´s nothing to compare with.

                      >>
                      Where are you, by the way? Is it morning or night?
                      >>

                      I´m in Germany (Wuppertal), and it´s 9:41 PM already and much too dark to have fun :-) Where are you -- sei un Italiano ?

                      Günter Schenk
                      Adobe Community Expert, Dreamweaver
                      • 8. Re: Passing url parameter and users changing them
                        Level 1
                        Hi Gunter

                        I'm in London, dark here too. Trying to juggle cooking chicken and Conditional statements at once.

                        Oh, and I'm not Italian either. I like Germany a lot, especially Berlin!

                        It's still not working.
                        Do you think that the SQL in my recordset is suitable for what I'm doing, or should it just be

                        SELECT journal_id, user_id
                        FROM journal
                        WHERE user_id = kt_login_id (colname)
                        • 9. Re: Passing url parameter and users changing them
                          Günter Schenk Level 4
                          Hi Angelo,

                          >>
                          Trying to juggle cooking chicken and Conditional statements at once
                          >>

                          oh, so let´s try solving the "conditional statements" stuff ASAP, otherwise your chickens get kaputt :-)

                          >>
                          SELECT journal_id, user_id
                          FROM journal
                          WHERE user_id = kt_login_id (colname)
                          >>

                          The way I usually implement a security layer on update forms, is somewhat different :: I just add another "rsJAccept" recordset that´s simply querying the same 'journal' table once again, but with less columns, e.g.

                          "SELECT journal_id, user_id FROM journal WHERE journal_id" equals the URL variable specified in the list -- actually the same procedure you probably already used for the update record form, however, just another query.

                          well ok, and now the same condition should work when using the "user_id" value from this extra query:



                          works now ?
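As an added illustration of the check Günter describes (this is not code from the thread, from ADDT or from Dreamweaver), here is the same ownership test in plain PHP with PDO, folded into the query itself: the row is selected by the URL's journal_id AND the session's kt_login_id, so a tampered journal_id matches nothing. It assumes PHP 7.1+, Angelo's 'journal' table as listed above, a hypothetical login.php, and a placeholder DSN and credentials in $pdo.

```php
<?php
// Added example (not code from the thread or from ADDT): ownership check
// for update_journal.php. Assumes a PDO connection in $pdo and Angelo's
// 'journal' table (journal_id, user_id, title, copy, created).
session_start();

// Placeholder DSN and credentials: replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=mysite', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Returns the journal row only if it belongs to the logged-in user, else null.
// The ownership test is part of the WHERE clause, so a tampered journal_id
// in the URL simply matches no row; there is no second query to get wrong.
function loadOwnJournal(PDO $pdo, int $journalId, int $loginId): ?array
{
    $stmt = $pdo->prepare('SELECT journal_id, user_id, title, copy FROM journal
                           WHERE journal_id = :jid AND user_id = :uid');
    $stmt->execute([':jid' => $journalId, ':uid' => $loginId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Updates title/copy with the same ownership test; returns rows affected (0 or 1).
function updateOwnJournal(PDO $pdo, int $journalId, int $loginId,
                          string $title, string $copy): int
{
    $stmt = $pdo->prepare('UPDATE journal SET title = :title, copy = :copy
                           WHERE journal_id = :jid AND user_id = :uid');
    $stmt->execute([':title' => $title, ':copy' => $copy,
                    ':jid' => $journalId, ':uid' => $loginId]);
    return $stmt->rowCount();
}

if (empty($_SESSION['kt_login_id'])) {      // not logged in: nothing to edit
    header('Location: login.php');          // hypothetical login page
    exit;
}
$loginId   = (int) $_SESSION['kt_login_id'];
$journalId = (int) ($_GET['journal_id'] ?? 0);   // non-numeric input becomes 0
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    updateOwnJournal($pdo, $journalId, $loginId,
                     (string) ($_POST['title'] ?? ''), (string) ($_POST['copy'] ?? ''));
}
$journal = loadOwnJournal($pdo, $journalId, $loginId);
if ($journal === null) {
    // Same response whether the record is missing or belongs to someone else.
    http_response_code(403);
    exit('You are not authorised to edit this record');
}
// Only the user's own record reaches the edit form rendered below this point.
```

Because both the SELECT and the UPDATE carry the user_id condition, the "Show If" region becomes a simple null check, and there is no separate recordset whose column name can be left empty.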
                          • 10. Re: Passing url parameter and users changing them
                            Level 1
                            Yes yes yes....

                            I'm so happy, lots of worries about security are slowly disappearing.

                            My chicken is burnt, but jamaican style.

                            I'm very grateful for your help.

                            What do you do other than help out here?
                            Do you work for adobe?
                            • 11. Re: Passing url parameter and users changing them
                              Günter Schenk Level 4
                              So I reckon it works now ? JUST GREAT :-)

                              >>
                              My chicken is burnt, but jamaican style.
                              >>

                              don´t know what "jamaican style" is. Burnt is burnt, that´s when I use to throw it all away and go out to get my food from more reliable sources than myself -- read: always, lol :-)

                              >>
                              What do you do other than help out here?
                              >>

                              Nothing at all, just twiddling my thumbs ;-) If you really wanna see my cool face and get some info, you can read some stuff about me here :
                              http://www.adobe.com/communities/experts/members/GunterSchenk.html

                              >>
                              Do you work for adobe?
                              >>

                              No, *none* of us "Community Experts" work for Adobe -- we´re just a group of (selected for obscure reasons :-) volunteers who have been allowed to call ourselves "Community Experts" and in return try hard to help users, write articles etc etc

                              Günter Schenk
                              Adobe Community Expert, Dreamweaver
                              • 12. Re: Passing url parameter and users changing them
                                matthew stuart Level 2

                                A bit late to the party here, but webassist's security assist extension handles what you are after.


                                It handles a user's details via session variables (I think) rather than URL parameters. It also allows you to hide/show regions based on user log in status, prevent pages from being viewed unless the user is logged in and, the best part of all, it builds ALL of the pages you will need to log in, email passwords, update profiles and more.


                                Once you're used to the way it operates, it is a very quick stepping stone to creating user registration pages. If I have a DB with relevant tables set up, I can get the whole thing up and running within an hour, even using my template designs.