Hi,

I use the id’s of the rows (with files) of the ‘mysql’ table directly in my HTML. The reason for this is, I know which image is dragged and dropped. Of course I use some authentication to check if the user has the permission to edit that particular file.

Is this a security issue?

[CODE]
<div id="item_3"><img src="/myimage.jpg" /></div>
<div id="item_4"><img src="/myimage.jpg" /></div>
<div id="item_5"><img src="/myimage.jpg" /></div>
[/CODE]

Thanks!

Christophe

PHP

2 Comments(s)

@eval_BadCode Jan 23.2011 — [QUOTE]Of course I use some authentication to check if the user has the permission to edit that particular file.[/QUOTE]

You mean authorization not authentication.

Maybe try using the Bell-LaPadula model for access control if you're using sensitive files, this allows for compartmentalized information. If the files are not sensitive in nature, try using the Biba model or discretionary access control.

Using the id's of the rows is in no way insecure in and of itself (although it does provide some information for a very clever user). It's the mechanisms you choose to handle that index which will enforce your security policy.
@Christophe27 (author) Jan 23.2011 — Yes, I mean authorization.

Basically I check if the file belongs to the $user_id of the (encrypted) session.

Thanks for the extra information. I'll check on wikipedia!

Christophe
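The ownership check Christophe describes, written out as an added example (not code from either poster): a handler for the drag-and-drop reorder request that treats the `item_N` ids from the HTML as untrusted input, confirms every id belongs to the session user before touching the database, and scopes the UPDATE by user_id as well. The `files` table, its columns, the `$pdo` connection and the `$_SESSION['user_id']` key are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumed schema: files(id, user_id, position).
// Exposing row ids in HTML is fine only because the server re-checks ownership.
session_start();

function reorder_files(PDO $pdo, int $userId, array $orderedIds): array
{
    // Ids arrive from the client: accept only non-negative integers, no duplicates.
    $ids = [];
    foreach ($orderedIds as $raw) {
        if (!ctype_digit((string) $raw)) {
            return ['ok' => false, 'error' => 'invalid id'];
        }
        $ids[] = (int) $raw;
    }
    $ids = array_values(array_unique($ids));
    if ($ids === []) {
        return ['ok' => false, 'error' => 'empty order'];
    }

    // Authorization: every submitted id must be a file owned by this user.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $check = $pdo->prepare("SELECT COUNT(*) FROM files WHERE user_id = ? AND id IN ($marks)");
    $check->execute(array_merge([$userId], $ids));
    if ((int) $check->fetchColumn() !== count($ids)) {
        // A user submitting ids they do not own is worth logging for detection.
        error_log("reorder denied: user $userId sent ids " . implode(',', $ids));
        return ['ok' => false, 'error' => 'not permitted'];
    }

    // The UPDATE is still scoped by user_id so it can never widen beyond the check.
    $update = $pdo->prepare('UPDATE files SET position = ? WHERE id = ? AND user_id = ?');
    $pdo->beginTransaction();
    foreach ($ids as $position => $id) {
        $update->execute([$position, $id, $userId]);
    }
    $pdo->commit();
    return ['ok' => true];
}

// Client strips the "item_" prefix and posts JSON such as {"order": [5, 3, 4]}.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}
$body = json_decode((string) file_get_contents('php://input'), true);
$result = reorder_files($pdo, (int) $_SESSION['user_id'], $body['order'] ?? []);
http_response_code($result['ok'] ? 200 : 403);
header('Content-Type: application/json');
echo json_encode($result);
```

The ownership SELECT is done up front rather than relying on the UPDATE's affected-row count, because PDO's MySQL driver reports changed rows by default, so a row whose position is already correct would look like a denied one.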