Re: Safely deleting a db record with php

Posted by Gordon Burditt on 11/19/82 11:45

>I use a number of approaches
>(1) Instead of auto-incrementing ID use a 32 bit random number.
>(Obviously you have the creation overhead of making sure you can't
>retrieve the record before creating it to catch the theoretical 1 in
>24 billion chance of a clash)
>
>This DOESN'T solve your problem if any other IDs are available for
>inspection, e.g. a selection table with click on button to delete
>functionality, because the other IDs can be harvested. AND WORSE if you
>use this ID anywhere at all, e.g. a table of click on button to _edit_
>functionality, the same thing applies.

All of this is a very poor substitute for validating that the user
in question has the authority to delete the record *AT THE TIME OF
THE FORM SUBMISSION*. If the user with administrator authority
always has the authority to delete *any* record, and a user without
administrator authority cannot delete any record (even his own),
there's nothing wrong with just using trivially-guessable record
numbers. But you need to re-check his administrator status at the
time of the form submission. He might have been fired between the
form being sent (and possibly cached in a browser for a year) and
submitting it.

If the user can only delete *his own* records, then check, when he
submits the form, that he still has the authority to delete it: he
still owns it, his membership hasn't expired, he's still logged in
as the same user, etc.

>However it WILL work for customer accounts where individual customers
>never get to see a list of other customers. They can't then think let's
>change ".../custdetails.php?custid=42" to "....?custid=43"

Someone malicious can still try running through all the numbers.

>(2) Keep track of page visiting history in the session and boot out
>people coming back via bookmarks without going through the right path.
>Here's the outline:
> In page 1
> $_SESSION['LastPage']='Page1';
> At top of page 2 :
> if($_SESSION['LastPage']!='Page1'){...

Unless you store which records the last page offered him the chance
to delete, and that it would still offer him the chance to delete
the record that he is trying to delete, this check is ineffective
and spoofable.

Gordon L. Burditt
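
The submission-time check described in the reply above, as an added example that is not part of the original post. It assumes a policy where an active administrator may delete any record and any other user only their own; the table and column names, the `deleteRecord` helper and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed schema and sample rows, not from the original post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, is_admin INTEGER, active INTEGER)');
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER)');
// User 3 was an administrator when the form was served but has since been deactivated.
$db->exec('INSERT INTO users VALUES (1, 1, 1), (2, 0, 1), (3, 1, 0)');
$db->exec('INSERT INTO records VALUES (42, 2), (43, 1)');

/**
 * Delete a record only if the user is authorized at the moment of the call.
 * $userId must come from the server-side session, $recordId from the form.
 */
function deleteRecord(PDO $db, int $userId, int $recordId): bool
{
    // Re-read the account now; do not trust a role cached in the session
    // or implied by the fact that a delete form was once served.
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = ? AND active = 1');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown or deactivated account
    }
    if ((int) $row['is_admin'] === 1) {
        $del = $db->prepare('DELETE FROM records WHERE id = ?');
        $del->execute([$recordId]);
    } else {
        // Ownership is part of the WHERE clause, so a guessed or harvested
        // ID that belongs to someone else matches zero rows.
        $del = $db->prepare('DELETE FROM records WHERE id = ? AND owner_id = ?');
        $del->execute([$recordId, $userId]);
    }
    return $del->rowCount() === 1;
}

var_dump(deleteRecord($db, 2, 43)); // ordinary user submits another user's record ID
var_dump(deleteRecord($db, 3, 43)); // stale form from the deactivated administrator
var_dump(deleteRecord($db, 2, 42)); // ordinary user submits their own record ID
var_dump(deleteRecord($db, 1, 43)); // active administrator
```

Because the decision depends only on the current database state and the session's user ID, it holds whether the record IDs are sequential or random and regardless of which page the request came from.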

 
