⚠ In case you've missed it, we have migrated to our new website, with a brand new forum. For more details about the migration you can read our blog post for website migration. This is an archived forum. ⚠

  •     

profile picture

CRITICAL: Edit does not respect "WHERE"



Mark Christian

Mark Christian
  • profile picture
  • Member

Posted 09 April 2013 - 19:37 PM

When I set 

 

$crud->where("id",$id); 

 

 

Only the list gets filtered by the where.

 

I can still edit any number with an id other than the one specified by typing:

 

/edit/<any number here>

 

Ex.

 

index.php/main/pets/edit/5 

 

So if you use the where clause to try to limit the users from editing what they shouldn't, you're gonna have a hard time.

Please fix this asap.

Hackers gonna hack.


victor

victor
  • profile picture
  • Member

Posted 09 April 2013 - 21:53 PM

I only use GC for the admin panel.

You need to chek the user's data ) it's the main rule in programming )) 

 

it's not bug. because hacker can try this:

 

list: index.php/main/1/

index.php/main/pets/edit/5 

does not work... mhhh

 

try this list: index.php/main/2/

index.php/main/pets/edit/5

does not work... mhhh

 

 

try this list: index.php/main/3/

index.php/main/pets/edit/5

 

oh )) yes )) it's working nice.

 

you need to check user's data before gc initialization


davidoster

davidoster
  • profile picture
  • Member

Posted 09 April 2013 - 22:54 PM

As [member=Victor] said the very first thing you do on your controller is to check which user is logged in or not.

Then you decide what to do with his request!


Mark Christian

Mark Christian
  • profile picture
  • Member

Posted 10 April 2013 - 04:39 AM

My program allows users to edit their own profile.

Which means 

 

index.php/main/pets/edit/5 must be allowed.

 

but 

 

index.php/main/pets/edit/4 mustn't,

 

How can I get GC to not allow index.php/main/pets/edit/4  ?

 

In other words, how can I get the value which the URL says to edit so I can compare it with the login users' id?


davidoster

davidoster
  • profile picture
  • Member

Posted 10 April 2013 - 09:03 AM

Since this is a user application, somehow you let them login.

When they are logged in by default you get their user->id, so

if $this->uri->segment(3) == $user->id then allow the edit

 

http://ellislab.com/codeigniter/user-guide/libraries/uri.html