php - Limit user to their profile page


On my website I have a user login system, when they login they are taken to their profile page, which is designated by their uid. The thing is, there was nothing to stop a user just changing the uid and going to someone else's profile and acting as them. To stop this I implemented a URL/MySQL system by which if the uid of the user is not the uid in the URL, they are redirected to their own profile. The problem here is that on the profile there are forms which change the URL, in doing so removing the uid query, resulting in the page (because the uid is missing) taking you to your profile and ignoring the form input.

The code is:

<?php
mysql_connect('x', 'x', 'x');
mysql_select_db('x');

if (isset($_COOKIE['wd_un'])) {
    // Username and password are read straight from the cookies
    $un   = $_COOKIE['wd_un'];
    $pass = $_COOKIE['wd_pass'];

    $cook  = "SELECT * FROM x WHERE username = '$un' AND password = '$pass' limit 1";
    $cookr = mysql_query($cook) or die(mysql_error());
    if (mysql_num_rows($cookr) == 0) {
        // Cookie does not match a user: back to the login page
        header("Location: index.php");
        exit;
    } else {
        // uid from the URL (missing when a form has just changed the URL)
        $urluid    = isset($_GET['uid']) ? mysql_real_escape_string($_GET['uid']) : '';
        $uidcheck  = "SELECT * FROM x WHERE username = '$un' AND password = '$pass'";
        $uidcheckq = mysql_query($uidcheck) or die(mysql_error());
        while ($rcu = mysql_fetch_assoc($uidcheckq)) {
            $dbuid = $rcu['uid'];
            // uid in the URL is not the logged-in user's uid: send them to their own profile
            if ($urluid != $dbuid) {
                header("Location: home.php?uid=$dbuid");
                exit;
            }
        }
    }
}
mysql_close();
?>

Is there a work around?


Answer

Solution:

This code block you have here is riddled with badness.

First, you should absolutely never store a user's password in a cookie. You SHOULD store only a session ID in the cookie, then store the rest of the session data in a session table in your DB that contains the user's id and any other things that you may want to have basic access to... the password should not be in this table either.

Now, you can use the user_id in the URL safely because the cross reference will keep people out.

On load, of course, you cross reference the MySQL result from your session table that was pulled based on your cookie id. Obviously boot them if they don't match.

As for your form redirecting, you need to restructure how you handle posting then. You can make your profile page always pull only the profile related to the session id in your cookie. That would remove the dependency on the URL and solve this problem completely.

Also - please look into mysql_real_escape_string() to sanitize your inputs. It is incredibly dangerous to blindly accept cookie info for a MySQL query. Unless you really do aim to leave huge injection holes in your site.


Answer

Solution:

You should be using the Cookie ID to identify the user rather than pulling the user id from the URL. If the cookie ID does not match the user ID, then redirect to their own profile.

Basically, never use the URL to pass user ids for private data. Always reference the cookie.

Relying on only the URL string to identify a user is a HUGE security hole on top of the usability issue you've described.
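Both answers above say the same thing: identify the user from a server-side session keyed by a random cookie token, and never from the uid in the URL. The script below is an added example (not code from the asker or either answerer) of a home.php written that way. It assumes a hypothetical schema with users(uid, username, display_name) and sessions(token_hash, uid, expires_at), a cookie named wd_sid, and PHP 8 with PDO; issueSession() is what a login script (not shown) would call after checking the password.

```php
<?php
// Added example: profile page driven by a session cookie + session table, not by ?uid=.
// Assumed (hypothetical) schema:
//   users(uid INT PRIMARY KEY, username VARCHAR(64), display_name VARCHAR(60))
//   sessions(token_hash CHAR(64) PRIMARY KEY, uid INT, expires_at DATETIME)
// Assumed cookie name: wd_sid, holding a random token; only its SHA-256 is stored.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=x;charset=utf8mb4', 'x', 'x', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Called by the login script after the password check succeeds (login itself not shown).
function issueSession(PDO $pdo, int $uid): void
{
    $token = bin2hex(random_bytes(32));    // 64 hex chars; unguessable, unlike a username
    $stmt  = $pdo->prepare(
        'INSERT INTO sessions (token_hash, uid, expires_at)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 1 DAY))'
    );
    $stmt->execute([hash('sha256', $token), $uid]);
    setcookie('wd_sid', $token, [
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,                // HTTPS only
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Resolve the logged-in user from the cookie. Returns the users row or null.
function currentUser(PDO $pdo): ?array
{
    $token = $_COOKIE['wd_sid'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                       // missing or malformed cookie
    }
    $stmt = $pdo->prepare(
        'SELECT u.uid, u.username, u.display_name
           FROM sessions s JOIN users u ON u.uid = s.uid
          WHERE s.token_hash = ? AND s.expires_at > NOW()'
    );
    $stmt->execute([hash('sha256', $token)]);   // cookie value never enters SQL raw
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

function redirectTo(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;                                  // nothing below a redirect may run
}

$user = currentUser($pdo);
if ($user === null) {
    redirectTo('index.php');               // no valid session: back to login
}

// The URL is never the source of truth. A uid that is present but not ours
// just sends the visitor to their own profile; it can never select another user.
if (isset($_GET['uid']) && (int)$_GET['uid'] !== (int)$user['uid']) {
    redirectTo('home.php');
}

// Form handling: the UPDATE targets the session user, so the form's action
// needs no uid and a form that drops the query string cannot break the check.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = trim((string)($_POST['display_name'] ?? ''));
    if ($name !== '' && mb_strlen($name) <= 60) {
        $upd = $pdo->prepare('UPDATE users SET display_name = ? WHERE uid = ?');
        $upd->execute([$name, (int)$user['uid']]);
    }
    redirectTo('home.php');                // POST-redirect-GET, still no uid in the URL
}
?>
<!doctype html>
<h1>Profile of <?= htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') ?></h1>
<form method="post" action="home.php">
  <label>Display name
    <input name="display_name"
           value="<?= htmlspecialchars($user['display_name'] ?? '', ENT_QUOTES, 'UTF-8') ?>">
  </label>
  <button type="submit">Save</button>
</form>
```

Two design points worth noting: the database stores only the SHA-256 of the cookie token, so a leaked sessions table does not hand out usable cookies, and every query is a prepared statement with bound parameters, which is what closes the injection hole the first answer points out in the original cookie-driven query.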
