Get security

Jaynesh · January 9, 2012, 11:20am

Hello

I was told this query was not secure, if so how can I make it secure, or is there an alternative.

$get = mysql_real_escape_string($_GET['id']);
SELECT * FROM profile WHERE username = $get

Basically what it does is if a user goes to:
example.com/profile.php?id=john

it will select johns profile. I was told the get request could be manipulated to anything.

Cups · January 9, 2012, 4:29pm

Well, from what you have shown us if I enter

example.com/profile.php?id=admin

and you have a matching profile, then yes, it would be a security hazard.

Generally you ask for two pieces of information, a username and a password.

So that you end up doing something which essentially equates to:


$username = // as you have done
$encrypted_password = // get the password, encrypt it with the same method you used before you stored in the db

"SELECT * FROM profile WHERE username = '$username' and password = '$encrypted_password'"

The encrypted password should be so encrypted that it is impossible to retrieve it in its plain text form, even for you.

Sometimes that username can be elicited from a cookie, the amount of security you apply may well depend on how much damage losing an account will cause you or the user.

If it is to retrieve some settings like your preferred background color, then you’d handle it differently to giving access to personal information.

Jaynesh · January 9, 2012, 4:39pm

Hi sorry for the misunderstanding. This isn’t for user authentication. It is a public profile page.

e.g example.com/profile.php?id=john
This would request data from johns table

However I want to know if it would be a security risk. Could people manipulate the GET request?

Cups · January 9, 2012, 5:40pm

If the worst that could happen is that someone gets the wrong background color, say, then why worry?

Anyone can spoof any variable coming to you from the internet, GET, POST, COOKIE no matter.

If you are correctly escaping the data, as you seem to be – then nothing bad in the way of an sql injection attack – but then again we don’t know if you do someting else with your $get variable.

Do not echo your $get variable onto the screen without also escaping it for html.

Use the likes of htmlentities and that family of escaping methods.

system · January 9, 2012, 9:26pm

The short answer is a definite YES.

Just like you typed a url for your post, I or anyone else could also type your url and attach whatever name/value pair we like to it.

And whether it is a GET or POST transmission to your server side script, it is still a security risk because poeple can still send whatever data they like as a POST as well to a server side script.

So if data security is an issue, your server side script MUST validate and sanitise user inputed data sent to it before using the sent data.