Securely Viewing PM

DoubleDee · May 28, 2012, 2:36am

So I have build a PM System that seems to work, but I need an outside opinion if how I am displaying the User’s Private Message is secure enough. (Since this module is like 2,000+ lines of code, I can’t just post everything here.)

When a User in in his/her Inbox and clicks on a Message entry, it sends the User to my “view_pm.php” script and a URL like this would be created…

http://local.debbie/account/view_pm.php?msgview=incoming&msg=2

In order to view the PM, the User has to be logged in, and my Message query looks like this…


	$q2 = "SELECT member_id_to, m_to.username AS username_to, m_to.photo_name AS photo_to,
				member_id_from, m_fr.username AS username_from, m_fr.photo_name AS photo_from,
				subject, body, sent_on, read_on
			FROM private_message AS pm
			INNER JOIN pm_recipient AS r
			ON pm.id=r.message_id
			INNER JOIN member AS m_to
			ON m_to.id=r.member_id_to
			INNER JOIN member AS m_fr
			ON m_fr.id=pm.member_id_from
			WHERE r.member_id_to=?
			AND pm.id=?";

Notice that in the last two lines I am checking that the request is for a… 1.) Valid PM, and is from a 2.) Valid Member

I get the “MemberID” from the User’s Session.

What worries me is if just passing “&msg=2” in the Query String is enough??

It shouldn’t matter, since I am pairing that up with the “Member ID”, but I just wanted another opinion.

BTW, I have tested my code and it appears to be working fine.

Thoughts?

Thanks,

Debbie

chris_upjohn · May 28, 2012, 4:01am

As long as your using prepared MySQL bindings for your query you shouldn’t have any issues as the SQL query is where 99% of all hacks occur because of un-escaped strings, apart from that there wouldn’t be any other way for someone to gain access through the view_pm.php unless they had direct access to your file system which happens if your code in general has a security hole in the login form for example.

DoubleDee · May 28, 2012, 4:37am

Yes, I’m using Prepared Statements.

And I follow what you are saying, but you are missing my key point…

If you have the “Message ID” that is technically all you would need to access the PM in the “Private Message” table, because it alone uniquely identifies a PM.

Now of course you couldn’t run the query to get the whole…

To:
From:
Date:
Subject:
Body:

…but still.

Like I showed, I am using the Member’s ID from the $_SESSION to make sure that only the SENDER/RECEIVER can see the PM, but I just wanted to be sure I wasn’t missing something.

Debbie

chris_upjohn · May 28, 2012, 10:33am

As long as your authenticating the user on each page load there is no way someone could gain access unless the script has a security hole during the auth check which allows someone to spoof the session data easily in which case would allow a hacker to gain access to pretty much every account if they can guess one.

kduv · May 29, 2012, 1:24am

Also make sure you’re stripping and/or encoding the message output to prevent XSS and the like.