Re: php/mysql url validation methods...

Darren Kirby wrote:
Hello all,

On the main page of my website I have written a very simple comments feature
that allows people to leave a message under my posts, much like a blog. I
have purposely kept this very simple...

On the main page I have simple text links that someone can click on if they
want to leave a note. Clicking the link passes a variable $postid (a simple
int) to the backend script, which tells the database which 'blog entry' the
comment is attached to.

The problem is that after playing around with this a bit, it is clear that
someone can craft a url with an arbitrary $postid that is not in the database
yet. Now naively, it would seem that the worst someone could do is just
create arbitrary entries in the DB that may come back to bite me when I
actually _use_ the arbitrary postid down the road.

Well a couple of things that I can think of here...

- Doing this seems like an easy way to get "orphaned" posts i.e. blogs that are stored in the database, but because there is no thread that corresponds to this blog then it would be a waste of DB storage
- Might allow a malicious user to change an already-created post. They might even be able to stick in some PHP / Javascript code that could compromise the security of anyone that happens to read that blog!


What I want to do is make sure that someone cannot create a post with a $postid value greater than the largest $postid I have used so far.

And you want to be sure that they cannot create a post with a $postid that has already been used.


Now, I thought about using a quick sql query to get the largest postid from the DB and check that, but this will not work because of my own bad DB design

How about... instead of generating *any* $postid in your form, you just let MySQL handle it when it's ready to insert a new message. Just have the ID be an auto-increment in the DB... and this ID never needs to go to the browser (unless you're allowing a user to edit their *own* post). In the case of an edit you then check that the username in MySQL matches the username attached to the $_SESSION (or just don't let people edit ;)

(I'm really just a hobbyist here...) in that if there are no comments
attached to a blog entry, then the postid for that entry is _not_ in the DB
until I get one.

So, I guess my option is to either create another DB table with only the valid
postids in it and check that, or perhaps use a regexp to grab the highest
postid from the html link (which would be the one closest to the top of the
page).

I really don't want to have to change the current DB table, or have to update
one manually when I add a new post on the main page.

I guess my question is if there is an easier way to validate the postid value
passed in the url. How would you do it?

Again... unless I'm missing something here the only thing you might want to send into a form / validate on the server would be a "thread ID" to figure out which thread this post belongs to.


If you need more info, please just ask...

Thanks,

Darren Kirby


--
Teach a man to fish...

NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-general&w=2
STFM | http://www.php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
LAZY |
http://mycroft.mozdev.org/download.html?name=PHP&submitform=Find+search+plugins
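The approach the reply describes (take only a thread id from the URL, verify it server-side, let MySQL's AUTO_INCREMENT assign the comment id, and gate edits on the username stored with the row matching the session), written out as an added example. This is not code from either poster; it assumes PDO with prepared statements, two hypothetical tables (blog_entries and comments) that are not the original poster's real schema, and placeholder DB credentials. It also escapes stored comment text on output, which is the standard answer to the PHP/Javascript injection worry raised above.

```php
<?php
// Added example (not from the thread). Assumed hypothetical schema:
//   blog_entries(entry_id INT PRIMARY KEY, title VARCHAR(200))
//   comments(comment_id INT AUTO_INCREMENT PRIMARY KEY,
//            entry_id INT NOT NULL, username VARCHAR(64), body TEXT)
// The only value read from the URL is the thread/entry id ($postid);
// the comment id is assigned by MySQL and never sent to the browser.

session_start();

/**
 * Validate an entry id taken from the query string.
 * Returns it as an int, or null unless it is a positive integer that
 * actually exists in blog_entries (so an arbitrary $postid is rejected).
 */
function valid_entry_id(PDO $db, $raw)
{
    // Reject anything that is not a plain positive integer before querying.
    if (!preg_match('/^[1-9][0-9]*$/', (string) $raw)) {
        return null;
    }
    $stmt = $db->prepare('SELECT 1 FROM blog_entries WHERE entry_id = ?');
    $stmt->execute([(int) $raw]);
    return $stmt->fetchColumn() ? (int) $raw : null;
}

/**
 * Insert a new comment. MySQL assigns comment_id via AUTO_INCREMENT, so a
 * visitor can neither choose an id nor collide with an existing one.
 */
function add_comment(PDO $db, $entry_id, $username, $body)
{
    $stmt = $db->prepare(
        'INSERT INTO comments (entry_id, username, body) VALUES (?, ?, ?)'
    );
    $stmt->execute([$entry_id, $username, $body]);
    return (int) $db->lastInsertId();
}

/**
 * Edit a comment only when the username stored in MySQL matches the
 * logged-in user in $_SESSION, as the reply suggests. Returns false when
 * no row is owned by that user, so the edit silently fails for anyone else.
 */
function edit_comment(PDO $db, $comment_id, $session_user, $new_body)
{
    $stmt = $db->prepare(
        'UPDATE comments SET body = ? WHERE comment_id = ? AND username = ?'
    );
    $stmt->execute([$new_body, (int) $comment_id, $session_user]);
    return $stmt->rowCount() === 1;
}

/** Escape a stored comment for display so embedded HTML or script is inert. */
function render_comment($body)
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// --- request handling; connection details are placeholders ---
$db = new PDO('mysql:host=localhost;dbname=blog;charset=utf8', 'dbuser', 'dbpass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $entry_id = valid_entry_id($db, isset($_GET['postid']) ? $_GET['postid'] : '');
    if ($entry_id === null) {
        http_response_code(400);
        exit('Unknown blog entry.');
    }
    $user = isset($_SESSION['username']) ? $_SESSION['username'] : 'anonymous';
    $body = isset($_POST['body']) ? $_POST['body'] : '';
    add_comment($db, $entry_id, $user, $body);
    header('Location: /index.php#entry-' . $entry_id);
    exit;
}
```

The existence check against blog_entries is what replaces the "largest postid so far" idea: it works even for entries that have no comments yet, because it consults the table of entries rather than the table of comments. Every query goes through a prepared statement, so the id and body values never become part of the SQL text.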
