Is it unsecure to use $_GET to update/delete the data from MySQL table??
I can't use $_POST since it required to use <form>
tag
For example:
<a href="statu开发者_如何学编程s.php?approve='123'>Unapprove</a>
<?php
if (isLoggedIn() && groupId() == 2) {
if (isset($_GET['id']) && is_numeric($_GET['id']) {
$query = $db->prepare("UPDATE table set unapprove='1' where id = :id");
$query->bindParam(':id', $_GET['id'], PDO::PARAM_STR);
$query->execute();
}
}
?>
Please provide example how would you secure from my example or better way.
While not subject to SQL injections, what you're doing is not secure because subject to cross-site request forgery.
Consider the effect of being logged in into your site, and visiting another that has this image:
<img src="yoursite.com/admin/status.php?approve=123" />
Ideally, always use POST for non-idempotent requests.
And at any rate, you need to add a secret token which is both session- and link-specific:
href="status.php?approve=123&token=[random_stuff]"
As an aside, the '123'
in the link should probably be 123
.
No, it isn't safe.
All it takes is for a bot, or a pre-caching proxy, etc to come along and follow all the links (which are supposed to be safe to follow) and you'll get everything unapproved automatically.
Use a <form>
.
It's not insecure per-se, so long as you validate and sanitize input. Input is input, but remember, all input is evil. Think about permissions too. How are you controlling access to this?
Bounds check the numeric data. From the code above it's possible to insert numbers that are likely out of range.
Also, as a matter of good practice, I always pass everything through mysqli_real_escape_string()
(or the OOP equivalent if you so wish.)
It doesn't matter for your database if you use $_GET or $_POST, and it is not unsecure because you're checking if the user is logged in. It is unsafe however. A logged in user can have the delete-url in his browsing history, which may cause resources to be deleted when they visit that page later on by accidentally choosing them in their history.
It is better to post this kind of data.
If you like to, you can create forms instead of links. You can style the submit buttons so that they look like links. Per link you create a form. That way, you'll have the same functionality and looks, even without Javascript, and you still have the relative safety of posting in contrast to getting.
精彩评论