make script secure

Discussion in 'PHP' started by ycpc55, May 16, 2012.

  1. #1
    hi everyone
Hi everyone,
    I was wondering if there is any way I can make this script more secure? The way I have it now is not secure at all. What this script does is let you update database rows. When I click on the update link it takes me to a link like this: mysite.com/index.php?id=56, 56 being the id number. All someone has to do is enter mysite.com/index.php?id=numberhere in the browser to change any row they like, which is not good at all. Can anyone help me fix this problem? Thanks...

Code:
    <?php
    // The session must be started before $_SESSION can be read.
    session_start();
    $host="localhost";
    $username="???";
    $password="??";
    $db_name="??";
    $tbl_name="??";
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");
    // List only the rows that belong to the logged-in user.
    $sql="SELECT * FROM $tbl_name WHERE user='".$_SESSION['id']."'";
    $result=mysql_query($sql);
    ?>
    <table width="400" border="0" cellspacing="1" cellpadding="0">
    <tr>
    <td>
    <table width="400" border="1" cellspacing="0" cellpadding="3">
    <tr>
    <td colspan="4"><strong>List data from mysql </strong> </td>
    </tr>
    <tr>
    <td align="center"><strong>Name</strong></td>
    <td align="center"><strong>Last name</strong></td>
    <td align="center"><strong>Email</strong></td>
    <td align="center"><strong>Update</strong></td>
    </tr>
    <?php
    // Column values are echoed without escaping.
    while($rows=mysql_fetch_array($result)){
    ?>
    <tr>
    <td><?php echo $rows['from']; ?></td>
    <td><?php echo $rows['to']; ?></td>
    <td><?php echo $rows['message']; ?></td>
    <td align="center"><a href="index.php?id=<?php echo $rows['id']; ?>">update</a></td>
    </tr>
    <?php
    }
    ?>
    </table>
    </td>
    </tr>
    </table>
    <?php
    // The edit form loads whichever row id arrives in the query string.
    // Nothing checks that the row belongs to the current user, and $id is
    // interpolated straight into the SQL (see replies #4 and #5).
    $id=$_GET['id'];
    $sql="SELECT * FROM $tbl_name WHERE id='$id'";
    $result=mysql_query($sql);
    $rows=mysql_fetch_array($result);
    ?>
    <table width="400" border="0" cellspacing="1" cellpadding="0">
    <tr>
    <form name="form1" method="post" action="index.php">
    <td>
    <table width="100%" border="0" cellspacing="1" cellpadding="0">
    <tr>
    <td>&nbsp;</td>
    <td colspan="3"><strong>Update data in mysql</strong> </td>
    </tr>
    <tr>
    <td align="center">&nbsp;</td>
    <td align="center">&nbsp;</td>
    <td align="center">&nbsp;</td>
    <td align="center">&nbsp;</td>
    </tr>
    <tr>
    <td align="center">&nbsp;</td>
    <td align="center"><strong>Name</strong></td>
    <td align="center"><strong>Last name</strong></td>
    <td align="center"><strong>Email</strong></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td align="center"><input name="from" type="text" id="from" value="<?php echo $rows['from']; ?>"></td>
    <td align="center"><input name="to" type="text" id="to" value="<?php echo $rows['to']; ?>" size="15"></td>
    <td><input name="message" type="text" id="message" value="<?php echo $rows['message']; ?>" size="15"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <!-- The hidden id is the only thing tying the POST to a row; the POST handler is not part of the posted code. -->
    <td><input name="id" type="hidden" id="id" value="<?php echo $rows['id']; ?>"></td>
    <td align="center"><input type="submit" name="Submit" value="Submit"></td>
    <td>&nbsp;</td>
    </tr>
    </table>
    </td>
    </form>
    </tr>
    </table>
    <?php
    mysql_close();
    ?>
    ycpc55, May 16, 2012 IP
  2. HostPlanz

    HostPlanz Well-Known Member

    #2
You should create a login script that sets a cookie. If someone goes to mysite.com/index.php?id=56, the "index.php" script must check to see if the cookie is set before it performs any updating action. If the cookie is not set, it will say "You must login first" or something like that. If the cookie is set, then it'll update.

    If you don't know how to do that, instead of mysite.com/index.php?id=56 name "index.php" something else like "xx445hdhd.php" for example, so only you will know the name of the script to navigate to in order to perform an update. So it'll be mysite.com/xx445hdhd.php?id=56
    ^^That's not as secure as the first option and only safe enough if you alone use your computer. You can't share the name (xx445hdhd.php) with anyone else.
     
    HostPlanz, May 16, 2012 IP
  3. ycpc55

    ycpc55 Peon

    #3
Thanks for the reply. I have a login script with the cookie, but I'm trying to have this for all members on my site. Do you know of any way to use checkboxes with this script to replace the index.php?id=56? Thanks...
     
    ycpc55, May 16, 2012 IP
  4. e-abi

    e-abi Member

    #4
    Implement this logic to your site:
    http://en.wikipedia.org/wiki/Cryptographic_nonce

The page that displays the entry generates a _nonce field that is valid only once and has some relation to the tablename + id combination.
    If the attacker changes the ID, the _nonce is not valid any more, thus the attacker can only update the very row he/she was able to load. But according to your script there is no permissions system implemented at all....
     
    e-abi, May 17, 2012 IP
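One way to implement the row-bound, single-use token e-abi describes, as an added example (not code from the thread). It assumes a table called messages, a sample row id of 56, and PHP 7 or later for random_bytes.

```php
<?php
// Added example: a one-time token bound to a table+id pair, stored in the
// session so each token can be spent exactly once. 'messages' and 56 are
// assumed values.
session_start();

// Call when rendering the "update" link or the hidden form field for one row.
function issue_row_nonce(string $table, int $id): string {
    $nonce = bin2hex(random_bytes(16));                 // 128 bits, unpredictable
    $_SESSION['row_nonces'][$nonce] = ['table' => $table, 'id' => $id, 'ts' => time()];
    return $nonce;
}

// Call before performing the update. True only if the token exists in this
// session, has not been used, is fresh, and was issued for exactly this table+id.
function consume_row_nonce(string $nonce, string $table, int $id, int $ttl = 900): bool {
    $entry = $_SESSION['row_nonces'][$nonce] ?? null;
    unset($_SESSION['row_nonces'][$nonce]);             // single use, valid or not
    if ($entry === null || time() - $entry['ts'] > $ttl) {
        return false;
    }
    return $entry['table'] === $table && $entry['id'] === $id;
}

// Rendering side: the link carries the id and the nonce issued for that id.
// The nonce is hex, so it needs no further escaping in the URL.
function render_update_link(string $table, int $id): string {
    $nonce = issue_row_nonce($table, $id);
    return sprintf('<a href="index.php?id=%d&amp;_nonce=%s">update</a>', $id, $nonce);
}

// Submission side: the id in the request is honoured only if its nonce was
// issued for that id. A false return should end in a 403, not an UPDATE.
function handle_update_request(array $post, string $table): bool {
    $id    = (int) ($post['id'] ?? 0);
    $nonce = (string) ($post['_nonce'] ?? '');
    return consume_row_nonce($nonce, $table, $id);
}

// Self-check with constructed requests: the first call (same id as issued)
// is accepted; replaying the same token is refused; a fresh token submitted
// with a changed id is refused.
$n1 = issue_row_nonce('messages', 56);
var_dump(handle_update_request(['id' => 56, '_nonce' => $n1], 'messages'));
var_dump(handle_update_request(['id' => 56, '_nonce' => $n1], 'messages'));
$n2 = issue_row_nonce('messages', 56);
var_dump(handle_update_request(['id' => 57, '_nonce' => $n2], 'messages'));
```

The token only proves the form was loaded for that row; the ownership check e-abi says is missing still has to happen in the query itself.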
  5. e-abi

    e-abi Member

    #5
    One more thing,

If your site has register_globals enabled, then this script is vulnerable to MySQL injection, since the variable $tbl_name can be initialized via a _GET variable like this: http://www.youriste.com/index.php?tbl_name=mysqlcode
    Also take a look here:
    $id=$_GET['id'];
    $sql="SELECT * FROM $tbl_name WHERE id='$id'";
    I could pass my own SQL in it like that:
    http://www.youriste.com/index.php?id=my own sql code

    read more:
    http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
    http://www.google.com/search?q=mysq...&rls=org.mozilla:et:official&client=firefox-a
     
    e-abi, May 17, 2012 IP
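The two queries from the posted script rewritten so neither $_GET['id'] nor a table name can be interpreted as SQL, as an added example (not code from the thread). It uses mysqli prepared statements in place of the mysql_* calls, and assumes a table named messages with columns id, from, to, message and user, plus placeholder connection values.

```php
<?php
// Added example: parameterised versions of the script's two queries, with the
// ownership check e-abi notes is missing folded into the WHERE clause.
// Connection values are placeholders; 'messages' stands in for $tbl_name.
session_start();

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit('cannot connect');
}

// Table names cannot be bound as parameters, so they come from a fixed
// allowlist and never from request input (this also closes the
// register_globals $tbl_name hole).
const ALLOWED_TABLES = ['messages' => 'messages'];
function table_name(string $key): string {
    if (!isset(ALLOWED_TABLES[$key])) {
        throw new InvalidArgumentException('unknown table');
    }
    return '`' . ALLOWED_TABLES[$key] . '`';
}

// Load one row for editing. The id is bound as an integer, and the row must
// belong to the logged-in user, so changing ?id= to someone else's row
// returns nothing instead of their data.
function load_own_row(mysqli $db, string $tableKey, int $id, int $userId): ?array {
    $sql  = 'SELECT id, `from`, `to`, message FROM ' . table_name($tableKey)
          . ' WHERE id = ? AND user = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ii', $id, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Apply the submitted update under the same ownership constraint.
// Returns the number of rows changed: 0 means no such row owned by this user.
function update_own_row(mysqli $db, string $tableKey, int $id, int $userId, array $f): int {
    $sql  = 'UPDATE ' . table_name($tableKey)
          . ' SET `from` = ?, `to` = ?, message = ? WHERE id = ? AND user = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('sssii', $f['from'], $f['to'], $f['message'], $id, $userId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handling: validate the id as an integer, never interpolate it.
$userId = (int) ($_SESSION['id'] ?? 0);
$id     = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$row    = ($userId && $id !== false && $id !== null) ? load_own_row($db, 'messages', $id, $userId) : null;
```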
  6. ycpc55

    ycpc55 Peon

    #6
Thanks everyone for your help, I appreciate it.
     
    ycpc55, May 17, 2012 IP