
Get or Pass Sensitive Data via AJAX in PHP

I want to update a row of data in a database using Ajax and PHP; however, I'm struggling with the following issue: the field in the database to update (henceforth the id) is dependent on the page the Ajax request is sent from.

I need to get this id to my PHP script that Ajax calls, however:

  1. I don't want to set the id in a data attribute or hidden input on the page because these can both be manipulated by a malicious user.

  2. Similarly, identifying the id using the referring URL is also prone to spoofing as $_SERVER isn't secure.

  3. I can't set the id in a SESSION variable (or COOKIES) because the user could have multiple pages open and the SESSION would only hold the last page id that was opened.

The only solution I can think of is to create a map of random tokens to ids in a table in the db and pass that in a SESSION variable (as per #3 above), then check the table for the token and grab the respective id that way. Seems somewhat convoluted though.

Are there any other options or thoughts? Thanks.

This is a problem related to OWASP Top 10 A7 (Missing Function Level Access Control).

There might be no issue with putting your ID on the page so the page can send it back - you just need to validate that the actual save request is permitted for the user.

Just think, regardless of whether you put the ID on the page or not, the page does know the base URL for performing the action, so they could go ahead and guess IDs anyway.
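The server-side check this answer describes, as an added example that is not from the question or answer above: the id comes from the page as untrusted input, and the endpoint only updates a row the logged-in user actually owns. It assumes a PDO connection in `$pdo`, a hypothetical `documents(id, owner_id, body)` table, and that login stored `user_id` and a per-session `csrf_token` in `$_SESSION`.

```php
<?php
// Added example, not the original poster's code. Assumed names: $pdo (PDO),
// table documents(id, owner_id, body), $_SESSION['user_id'], $_SESSION['csrf_token'].
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

function respond(int $status, array $payload): void
{
    http_response_code($status);
    echo json_encode($payload);
    exit;
}

// 1. The request must come from an authenticated session.
if (empty($_SESSION['user_id'])) {
    respond(401, ['error' => 'not authenticated']);
}

// 2. Per-session CSRF token, so another origin cannot make the browser
//    fire this request with the victim's cookies attached.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
    respond(403, ['error' => 'bad csrf token']);
}

// 3. Validate the shape of the id. Whatever the page put in a data attribute
//    or hidden input, the server treats it as attacker-controlled.
$id   = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$body = $_POST['body'] ?? null;
if ($id === false || $id === null || !is_string($body)) {
    respond(400, ['error' => 'invalid input']);
}

// 4. Authorisation: bind the ownership condition into the UPDATE itself, so a
//    guessed or edited id that belongs to another user touches zero rows.
$stmt = $pdo->prepare(
    'UPDATE documents SET body = :body WHERE id = :id AND owner_id = :owner'
);
$stmt->execute([
    ':body'  => $body,
    ':id'    => $id,
    ':owner' => (int) $_SESSION['user_id'],
]);

if ($stmt->rowCount() === 0) {
    // Row missing or not this user's: same response, so ids cannot be enumerated.
    respond(404, ['error' => 'not found']);
}
respond(200, ['updated' => $id]);
```

Because the ownership check lives in the query rather than in the page, the id can be sent openly from the client; the token-to-id map from the question is not needed.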

Simplify your logic. Pass some sort of indicator of what type of id is in use from the client to the server.

If you create overly complex application logic to address a security concern you will probably have more problems with your code than improvements in security.

Use SSL/HTTPS and a WAF (web application firewall - like mod_security).
