PHP Security question

Let's say I have a PHP script that gets a customer record by way of a customer ID which is an auto-incrementing integer field in the database.

In my .ajax(), let's say the URL looks like this:

$.ajax({
    method: "POST",
    url: "/_includes/getCustomer.php",
    data: { custID: sCustID },
    // etc....
});

I'm thinking a hacker can create a form page and create a loop that submits his POST data to my script, incrementing the customer ID, and starts harvesting customer records.

Would the check for the presence/absence of a session be enough to prevent this? I am assuming he doesn't have a valid username/password, or he wouldn't need to do this.
elepilAsked:
Dave BaldwinFixer of ProblemsCommented:
I don't count on the session unless I have a known value that I can check that the external user can't create.  I also check the referrer.  I had one page where a spammer submitted 38,000 entries to my database on a hidden page in a session.  That stopped as soon as I started checking the referrer.  'HTTP_REFERER' on this page: http://php.net/manual/en/reserved.variables.server.php
Julian HansenCommented:
You can't really assume anything.

Best method to use is have a custID field that is not incrementing. Personally I use UUIDs for IDs that I don't want people to guess.

In cases where I need an incrementing ID and want to obfuscate this then I have both.

I use the UUID externally and the autoinc internally.
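One way to do the external UUID / internal auto-increment split Julian describes, as an added example that is not his code. It assumes a PDO connection in $pdo and a `customers` table with columns id (auto-increment), public_id (CHAR(36) UNIQUE, NULL for rows not yet backfilled) and name; all of those names are assumptions.

```php
<?php
// Added example: expose only a random UUID to the client; the auto-increment id
// never leaves the server. Assumes $pdo is an open PDO connection.
declare(strict_types=1);

// Version-4 UUID from PHP's CSPRNG (random_bytes), so values are unguessable.
function uuid4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// One-off migration for an existing database: give every row a public_id.
function backfillPublicIds(PDO $pdo): void
{
    $ids = $pdo->query('SELECT id FROM customers WHERE public_id IS NULL')
               ->fetchAll(PDO::FETCH_COLUMN);
    $upd = $pdo->prepare('UPDATE customers SET public_id = :pid WHERE id = :id');
    foreach ($ids as $id) {
        $upd->execute([':pid' => uuid4(), ':id' => $id]);
    }
}

// Lookup used by getCustomer.php: clients send the UUID, never the integer id.
function getCustomerByPublicId(PDO $pdo, string $publicId): ?array
{
    // Reject anything that is not UUID-shaped before touching the database.
    $re = '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i';
    if (!preg_match($re, $publicId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT public_id, name FROM customers WHERE public_id = :pid');
    $stmt->execute([':pid' => $publicId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row; // the internal `id` column is never selected
}
```

Unguessable IDs stop blind enumeration, but they are not an access control: a UUID that leaks (in a log, a shared link) still opens the record, so pair this with an authentication and authorization check on the server.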
elepilAuthor Commented:
Dave, thanks for responding.

The PHP manual says "There is no guarantee that every web server will provide any of these [in $_SERVER]; servers may omit some, or provide others not listed here."

But can you give me a code snippet of how you do it?
elepilAuthor Commented:
JulianH, thanks for responding.

I'm afraid it's a bit late for me to start using UUID's :( This is a database my client has been using for the past 4 years. I'm rewriting that application to PHP, and as much as making modifications to the database will be in my to-do list, it's not a high priority at this point in time.
Dave BaldwinFixer of ProblemsCommented:
This code causes an exit if the referrer is not set or if it is wrong.  'HTTP_REFERER' is there on every different server I have checked including several versions of Apache and IIS.  It comes directly from the Request Header sent by the browser.
// check referrer, if no referrer, exit because it is a direct post
if (isset($_SERVER['HTTP_REFERER'])) {
    $refchk = explode('?', $_SERVER['HTTP_REFERER']);
    if ($refchk[0] != "https://www.yoursite.com/yourpage.php") exit;
} else {
    exit;
}
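A version of getCustomer.php that does not rely on the referrer, as an added example that is not Dave's or Julian's code. It assumes login stored the user's id server-side in $_SESSION['user_id'], that a PDO connection $pdo exists, and that each `customers` row carries an owner_user_id column; the referrer is kept only as a logged signal, since the client controls it.

```php
<?php
// Added example: what actually stops harvesting is (1) an authenticated session
// and (2) checking that this user may see this record. Assumptions: $pdo is a
// PDO connection, login set $_SESSION['user_id'], table customers(id, owner_user_id, name).
declare(strict_types=1);
session_start();

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Authentication: a session cookie alone proves nothing; the value we trust
//    was written by our own login code, which the client cannot forge.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}
$userId = (int) $_SESSION['user_id'];

// 2. Input validation: custID must be a positive integer (null = missing, false = invalid).
$custId = filter_input(INPUT_POST, 'custID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($custId === null || $custId === false) {
    deny(400, 'invalid custID');
}

// 3. Referrer: spoofable, so a mismatch is logged as a signal, not used as a gate.
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if (strpos($ref, 'https://www.yoursite.com/') !== 0) {
    error_log("getCustomer: unexpected referrer '$ref' for user $userId");
}

// 4. Authorization in the WHERE clause: an enumerated id belonging to someone
//    else returns no row, indistinguishable from an id that does not exist.
$stmt = $pdo->prepare('SELECT id, name FROM customers WHERE id = :id AND owner_user_id = :uid');
$stmt->execute([':id' => $custId, ':uid' => $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    deny(404, 'not found');
}

header('Content-Type: application/json');
echo json_encode($row);
```

If every logged-in staff member is allowed to see every customer, drop the owner_user_id condition; step 1 is then the control, and a per-session request rate limit is the remaining defence against a logged-in account looping over ids.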

Dave BaldwinFixer of ProblemsCommented:
This little program I call 'servari.php' will display all of the $_SERVER variables that are available on that server.  Note that you usually won't see 'QUERY_STRING' unless there is a query string after the URL.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>PHP Server Variables</title>
</head>
<body>
<h1>PHP Server Variables</h1>
<?php

//reset($_SERVER);
// Escape each value: several entries (HTTP_USER_AGENT, REQUEST_URI, HTTP_REFERER)
// are client-controlled and would otherwise be echoed into the page as raw HTML.
foreach($_SERVER as $key => $value) {
    $value = is_array($value) ? implode(' ', $value) : (string)$value;
    echo "<b>" . htmlspecialchars($key) . " :</b> " . htmlspecialchars($value) . "<br />\n";
}
?>
</body>
</html>

elepilAuthor Commented:
Thanks for the help!
Julian HansenCommented:
Just remember the referrer is a header added by the browser agent - it can be spoofed or removed and should not be used as a means to secure a site or data.

Alternative to dump $_SERVER
<?php
// print_r output is escaped for the same reason: $_SERVER holds client-supplied headers.
echo '<pre>' . htmlspecialchars(print_r($_SERVER, true)) . '</pre>';

Dave BaldwinFixer of ProblemsCommented:
While that is technically true julianH, if it is missing or wrong, that is a clear sign that something is wrong.  And if they are too lazy to spoof it, then they deserve nothing anyway.  In the last 10 years, I have not seen a single case where spoofing the referrer caused me a problem.  I must be doing something right because the PCI scanning companies have not been able to break in either.  They sure try hard though.
Julian HansenCommented:
I have not seen a single case where spoofing the referrer caused me a problem

Unfortunately, that is not a guarantee it won't happen. The purpose of my post was not to challenge the solution but merely to highlight that the REFERRER solution is no more secure than a session.
Dave BaldwinFixer of ProblemsCommented:
to highlight that the REFERRER solution is no more secure than a session
That's probably true.  Thanks for lazy hackers.  I don't think I've ever encountered the serious criminals because my sites never involve enough money to attract them...
Ray PaseurCommented:
Heh, heh.  

I've used exactly this kind of spoof to show my students the importance of avoiding the use of auto_increment id fields in GET-method requests.  In one example, I was able to steal the entire customer list of a non-profit within 60 seconds.  I got it all - thousands of names, addresses, phone numbers, email addresses, web site URLs, etc.  As a matter of ethics we do not use that stolen data to subvert the association's business practices (they license their marketing information for $$$) but it is important to show novices how easy it can be to steal information from online resources that do not take appropriate measures to protect the data!  

If only the US IRS would be careful with the "client" data!
elepilAuthor Commented:
Ray! You're a hacker!! (*dialing authorities*) ..... *grin*

When I decided to abandon the Java/Adobe Flex platform, I had no idea deciding to go to PHP was jumping in a lake. All of a sudden, I see security issues galore that I had to worry about. These were non-issues with Adobe Flex because the entire application was compiled to a binary file, and barring the username and password, there was no way anyone could tell what was being done inside. But I had to abandon Adobe Flex because when Apple decided not to support the Flash Player in their devices, I immediately knew its days are numbered.

You don't have to hack the IRS for client data, just hack the Affordable Health Care site, I heard it's full of security holes.
Ray PaseurCommented:
You're right about the ACA site.  At one point (after deployment, no less) we found them passing client passwords in clear text through JavaScript.  It is horribly written and untestable. And like the healthcare law, nobody knows what's in it!