This happens because of a poorly designed ERD, such that the posted data don't have foreign keys of owners or groups which will identify the accessibility of the data by just plugging into the SQL a WHERE clause similar to "..WHERE item_id ='{$request->item_id}' && owner_id = '{$session->user_id}' ;"
So if you rewrite the URL it will yield a null result, and even with a successful SQL injection it will only destroy the perpetrator's own account.
On 4/18/06, fooler <[EMAIL PROTECTED]> wrote:
for security reasons... you have to hide the user and other information from the url... cookie was created for that purpose... you have to redesign your site again...

fooler.

----- Original Message -----
From: jan gestre
Sent: Monday, April 17, 2006 12:21 PM
Subject: [plug] url masking question
Our website, which is actually a jobsite running LAMP on Red Hat Enterprise edition, currently has some issues: applicants who are currently logged in can browse and go to other applicants' pages by just changing any digit in the URL. How can I correct these serious issues? By directly editing the PHP code? Enabling mod_rewrite? If by enabling mod_rewrite, how will I enable the module without recompiling Apache on our Red Hat box?
Your inputs will be greatly appreciated.
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
--
To contact me anytime and anywhere via SMS:
MSG GODIE <YOUR MESSAGE>
then send to 2948 for Globe/Sun and 3940 for Smart.
You want to have your own Mobile Address like me? Get it FREE at www.Txtmokko.com
Roger P. Filomeno
Mobile Specialist / R&D
http://corruptedpartition.blogspot.com/
* Finger Apps Inc, http://fingerapps.com
* TXTMOKKO, http://txtmokko.com
* MyAyala, http://myayala.com
* KayaMoney e-Commerce, http://kayamoney.com/
* KayaShop e-Market, http://kayamoney.com/shop/
* Registered Linux User # 367694
* PGP IDs: 0xCB5F3FF7 / 0xBC0BFBA2 (http://keyserver.pgp.com)
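The ownership-scoped WHERE clause Roger describes, as an added example that is not code from this thread: it is written in Python with sqlite3 rather than the PHP/LAMP stack the jobsite runs, and the applicants, profiles, ids and table names are constructed for the demonstration. The vulnerable lookup selects by the id from the URL alone; the fixed one also requires the session's user id, with both values bound as parameters rather than interpolated into the SQL string.

```python
import sqlite3

# Constructed sample data (not from the thread): two applicants, one profile each.
APPLICANTS = [(1, "alice"), (2, "bob")]
PROFILES = [(100, 1, "alice's resume"), (101, 2, "bob's resume")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database whose profiles carry an owner_id foreign key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE applicants (user_id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE profiles (profile_id INTEGER PRIMARY KEY, "
        "owner_id INTEGER NOT NULL REFERENCES applicants(user_id), body TEXT)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?)", APPLICANTS)
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", PROFILES)
    return conn


def fetch_profile_insecure(conn, profile_id):
    """The pattern the original poster describes: the row is chosen by the id
    taken from the URL alone, so any logged-in applicant can read any profile.
    (Unlike the thread's snippet, the value is at least bound, not interpolated.)"""
    return conn.execute(
        "SELECT profile_id, owner_id, body FROM profiles WHERE profile_id = ?",
        (profile_id,),
    ).fetchone()


def fetch_profile_owned(conn, profile_id, session_user_id):
    """Ownership-scoped lookup: the server-side session's user id is part of the
    WHERE clause, so a tampered profile_id owned by someone else yields no row."""
    return conn.execute(
        "SELECT profile_id, owner_id, body FROM profiles "
        "WHERE profile_id = ? AND owner_id = ?",
        (profile_id, session_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Alice (user 1) is logged in and edits the URL to point at profile 101 (Bob's).
    print("insecure:", fetch_profile_insecure(db, 101))   # Bob's row leaks
    print("owned:   ", fetch_profile_owned(db, 101, 1))   # None
    print("own page:", fetch_profile_owned(db, 100, 1))   # Alice's row
```

Whether the id reaches the server through a query string or a rewritten path makes no difference to this check; mod_rewrite only changes how the URL looks.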