CRITICAL: Edit does not respect "WHERE"

#1 Mark Christian (Newbie, Members, 4 posts)

Posted 09 April 2013 - 07:37 PM

When I set

$crud->where("id",$id);

only the list gets filtered by the where.

I can still edit any number with an id other than the one specified by typing:

/edit/<any number here>

Ex.

index.php/main/pets/edit/5

So if you use the where clause to try to limit the users from editing what they shouldn't, you're gonna have a hard time.

Please fix this asap.

Hackers gonna hack.



#2 victor (grocery CRUD Hero, Advanced Member, 967 posts, Location: Minsk)

Posted 09 April 2013 - 09:53 PM

I only use GC for the admin panel.

You need to check the user's data ) it's the main rule in programming ))

It's not a bug, because a hacker can try this:

list: index.php/main/1/

index.php/main/pets/edit/5

does not work... mhhh

try this list: index.php/main/2/

index.php/main/pets/edit/5

does not work... mhhh

try this list: index.php/main/3/

index.php/main/pets/edit/5

oh )) yes )) it's working nice.

You need to check the user's data before GC initialization.



#3 davidoster (Grocery CRUD Ninja, Advanced Member, 1,068 posts, Location: Athens, Greece)

Posted 09 April 2013 - 10:54 PM

As victor said, the very first thing you do in your controller is to check which user is logged in (or not).

Then you decide what to do with his request!


____________________________________________________________

 

rtfm_small.jpg---!!!Please read these guidelines before asking to the forums!!!---

____________________________________________________________

 

David Oster aka George Pasparakis,
http://odphotography.com
http://eletter.gr


#4 Mark Christian (Newbie, Members, 4 posts)

Posted 10 April 2013 - 04:39 AM

My program allows users to edit their own profile.

Which means

index.php/main/pets/edit/5 must be allowed,

but

index.php/main/pets/edit/4 mustn't.

How can I get GC to not allow index.php/main/pets/edit/4 ?

In other words, how can I get the value which the URL says to edit so I can compare it with the logged-in user's id?



#5 davidoster (Grocery CRUD Ninja, Advanced Member, 1,068 posts, Location: Athens, Greece)

Posted 10 April 2013 - 09:03 AM

Since this is a user application, somehow you let them log in.

When they are logged in, by default you get their user->id, so

if $this->uri->segment(3) == $user->id then allow the edit

http://ellislab.com/...raries/uri.html


____________________________________________________________

 

rtfm_small.jpg---!!!Please read these guidelines before asking to the forums!!!---

____________________________________________________________

 

David Oster aka George Pasparakis,
http://odphotography.com
http://eletter.gr

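The check davidoster describes, written out as an added example; this is not code from the thread or from the Grocery CRUD project. It assumes CodeIgniter 2.x with the session library loaded and a session key `user_id` set at login, the thread's URL layout `index.php/main/pets/<operation>/<id>` (so the record id is URI segment 4), and, as in the thread, that the pets row id equals the owner's user id. Because Grocery CRUD carries the id in that segment for every record-specific operation (edit, update, update_validation, delete), one check before the library is initialised covers the edit form and the update POST alike, which `where()` on its own does not.

```php
<?php
// Added example (not code from this thread or from the Grocery CRUD project).
// Assumptions: CodeIgniter 2.x with the session library loaded, a session key
// 'user_id' set at login, the thread's URL layout index.php/main/pets/<op>/<id>
// (record id in URI segment 4), and that the pets row id equals the owner's
// user id (user 5 may reach pets/edit/5 and nothing else).
class Main extends CI_Controller
{
    public function pets()
    {
        $user_id = (int) $this->session->userdata('user_id');
        if ($user_id <= 0) {
            show_error('Please log in first.', 403);   // exits; no anonymous access
        }

        // Grocery CRUD puts the record id in the URL for every record-specific
        // operation: edit/<id>, update/<id>, update_validation/<id>, delete/<id>.
        // where() only narrows the list view, so the ownership check lives here,
        // before the library is initialised, and covers all of those at once.
        $operation = $this->uri->segment(3);           // FALSE on the plain list URL
        $record_id = $this->uri->segment(4);           // FALSE when no id is present
        if ($record_id !== FALSE) {
            if (!ctype_digit($record_id) || (int) $record_id !== $user_id) {
                // Log the attempt so IDOR probing (edit/4, edit/6, ...) is visible.
                log_message('error', "user $user_id denied pets/$operation/$record_id");
                show_error('You may only edit your own profile.', 403);
            }
        }

        $crud = new grocery_CRUD();
        $crud->set_table('pets');
        $crud->where('id', $user_id);   // still useful: the list shows only the user's own row
        $crud->unset_add();             // one profile per user, so no add or delete
        $crud->unset_delete();

        $output = $crud->render();
        $this->load->view('example', $output);
    }
}
```

If the pets table's primary key is not the user id, replace the equality test with a lookup of the row's owner column before rendering.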