Part of the EllisLab Network
using id in url / security issue
Posted: 08 February 2010 02:01 AM
Lab Assistant
Total Posts:  122
Joined  02-20-2009

Hi!
I have user profiles, classifieds and articles
and I do use ‘$this->uri->segment’ in the controller to get the single content in the template.
So you can read the user_id in the URL (..index.php/profil/23.html).

Well, I do check user rights in the model, but shouldn’t I pass a user_id more confidentially? I want to protect my users’ data. For example, using an encrypted value for ‘id’ instead of using autoincrement for ‘id’ in MySQL?

How are you doing?
Greetings, Jan

Posted: 08 February 2010 11:04 AM   [ # 1 ]
Lab Technician
Total Posts:  1835
Joined  12-08-2009

First, a database ID is not user data… As long as you’re checking the current user against the page they’re trying to view, it really doesn’t matter.

You can hash the id:

index.php/profile/d389a39f4584dfd3f53cdc453db9a925.html

$user_id = $this->uri->segment(2);
// escape() quotes the URL segment so it cannot alter the query
$sql = "SELECT * FROM users WHERE MD5(CONCAT(first_name, id)) = " . $this->db->escape($user_id);

For example.

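As an added example that is not part of the thread and not CodeIgniter's own code, here is plain PHP showing both points of the answer above: an opaque token in the URL instead of the raw id, and the per-request access check that actually protects the data. It goes a step beyond MD5(CONCAT(first_name, id)) by keying the hash with a server secret, so the token cannot be recomputed from public data. The $users array, the $secret value and the function names are assumptions.

```php
<?php
// Added example, not from the original thread or CodeIgniter itself.
// $users stands in for the users table; $secret is a placeholder value.

// Opaque per-user token for URLs such as index.php/profile/<token>.html.
// Keying the hash with a server secret means a visitor cannot recompute it,
// unlike MD5(first_name . id), which anyone who knows a first name can enumerate.
function profile_token(int $user_id, string $secret): string
{
    return hash_hmac('sha256', (string) $user_id, $secret);
}

// Resolve a URL token back to a user row; null when nothing matches.
function find_user_by_token(array $users, string $token, string $secret): ?array
{
    foreach ($users as $user) {
        // hash_equals compares in constant time
        if (hash_equals(profile_token($user['id'], $secret), $token)) {
            return $user;
        }
    }
    return null;
}

// The check that actually protects the data: may the logged-in user see this
// profile? The owner always may; anyone else only if the profile is public.
function can_view_profile(?int $viewer_id, array $profile): bool
{
    if ($viewer_id !== null && $viewer_id === $profile['id']) {
        return true;
    }
    return $profile['is_public'] === true;
}

// Constructed sample data
$secret = 'replace-with-a-long-random-secret';   // placeholder; load from config in practice
$users = [
    ['id' => 23, 'first_name' => 'Jan', 'is_public' => false],
    ['id' => 24, 'first_name' => 'Ann', 'is_public' => true],
];

$segment = profile_token(23, $secret);   // what the URL carries instead of "23"
$profile = find_user_by_token($users, $segment, $secret);

// Owner 23 is allowed; an anonymous visitor (null) is refused for a private profile.
var_dump($profile !== null && can_view_profile(23, $profile));
var_dump($profile !== null && can_view_profile(null, $profile));
```

In a real table, store the token in an indexed column and select by it rather than scanning every row as the sample does.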