TalkPHP

Source: TalkPHP > General > Retaining thread ID when posting reply (http://www.talkphp.com/general/4419-retaining-thread-id-when-posting-reply.html)

h0ly lag 05-20-2009 08:19 PM

Retaining thread ID when posting reply
 
I know there are already tons of PHP forums available, but this is just a proof of concept for myself I suppose. So the problem I have is when a user goes to post a reply to a thread, I have an invisible input which posts the thread ID to the page I have which enters the reply into the database. The actual problem being that the POST field can be easily manipulated allowing the user to change what thread he/she was actually replying to. Now, with that being said, I could check right before the data is going to be entered if the user has permission to post/read/view that thread or category.

There has to be a better way to do this. How can I retain the thread ID that they're replying to?

allworknoplay 05-20-2009 08:28 PM

You know, I've read something about this with a possible solution, I can't recall right now what it was though. Hopefully someone else can chime in....

I'm sure there's a pretty easy solution....

Village Idiot 05-20-2009 09:55 PM

Always validate ANY sort of input. vB passes the thread number via GET data, it is still safe because you validate it. Validation would consist of you checking in the database if that user (who should also be authenticated) is indeed the owner of the post.

The rule of thumb is that if it is data from the client side, assume it's hostile.

Wildhoney 05-20-2009 10:07 PM

I suppose the first question that springs to mind is why would anybody want to alter the POST ID of the thread they're replying to?

Of course, if they wanted to post a nonsensical response in a random thread, they'd navigate to that thread and post. So as long as you're checking if they have permission to post in that thread, and the thread is valid, where does the problem arise? And what does the so-called master hacker achieve?

h0ly lag 05-20-2009 10:12 PM

Of course, rule number one. Never trust user input. :)

So maybe something like this:
/reply.php?t=56

And all that 't' GET variable would be is the thread ID.

I guess just keep it simple. Just verify and filter the GET var and go with it. Yeah?

EDIT: After reading Wildhoney's post, is it more advantageous to use GET or the hidden input field like I currently am? Does it even matter?

allworknoplay 05-20-2009 10:36 PM

Quote: Originally Posted by h0ly lag (Post 24533)

I'm not sure it really matters all that much....

Wildhoney 05-20-2009 10:43 PM

Nor me. Don't trust the content.

So as long as:
  • It's an integer;
  • It's a valid thread;
  • User has permission to post in the valid thread

h0ly lag 05-20-2009 11:38 PM

Sounds good to me. Oh and is the is_numeric() function sufficient for this?

Village Idiot 05-21-2009 12:03 AM

Quote: Originally Posted by h0ly lag (Post 24537)

Yes (10 char requirement).

allworknoplay 05-21-2009 12:04 AM

Quote: Originally Posted by h0ly lag (Post 24537)

Yeah that should work.

Wildhoney 05-21-2009 12:21 AM

There are ways to also attempt to force an integer. Such as if somebody put in 24a then you could, for instance, typecast that value using (int) and it'd become 24.

However, I wouldn't even bother attempting to purify it. If it's anything other than a number, I would assume they've been fiddling and deny the post.

php Code:
$iNumber = (int) '24a';      // the cast stops at the first non-digit: int(24)
var_dump(is_numeric($iNumber)); // bool(true)
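Putting the checklist from earlier in the thread (integer, valid thread, permission to post) and the is_numeric() question into working code, as an added example that is not from the thread: $pdo, the threads and forum_permissions tables, and the session user id are assumptions.

```php
<?php
declare(strict_types=1);

// Strict thread-ID check: only a positive decimal integer string passes.
// is_numeric() is looser: it also accepts "1e3", "24.5" and " 24".
function parseThreadId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Authority check on the server side: the thread must exist and the
// session user must be allowed to post in its forum. $pdo is an assumed
// PDO connection; the threads / forum_permissions tables are hypothetical.
function canPostInThread(PDO $pdo, int $userId, int $threadId): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM threads t
           JOIN forum_permissions p ON p.forum_id = t.forum_id
          WHERE t.id = :tid AND p.user_id = :uid AND p.can_post = 1
          LIMIT 1'
    );
    $stmt->execute([':tid' => $threadId, ':uid' => $userId]);
    return $stmt->fetchColumn() !== false;
}

// Handler for reply.php?t=56; a hidden POST field gets the same treatment.
// The user id comes from the authenticated session, never from the request.
function handleReply(PDO $pdo, array $request, int $sessionUserId): string
{
    $threadId = parseThreadId($request['t'] ?? null);
    if ($threadId === null) {
        return 'denied: thread id is not a positive integer';
    }
    if (!canPostInThread($pdo, $sessionUserId, $threadId)) {
        return 'denied: no such thread or no permission';
    }
    // ... insert the reply with a prepared statement, using $threadId ...
    return "ok: reply to thread $threadId";
}

// Constructed inputs showing where is_numeric() and the strict check differ.
foreach (['56', '24a', '1e3', '24.5', ' 56', '-1'] as $raw) {
    printf("%-6s is_numeric=%-5s strict=%s\n", var_export($raw, true),
        var_export(is_numeric($raw), true), var_export(parseThreadId($raw), true));
}
```

Whether the id arrives via GET or a hidden field changes nothing here: both are client-supplied, and the database lookup keyed on the session user is what actually decides.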

allworknoplay 05-21-2009 12:35 AM

Quote: Originally Posted by Wildhoney (Post 24540)

1) Shouldn't you be sleeping?

2) I thought var_dump and print_r were used for arrays? I guess you can use it for other things too?

Orc 05-21-2009 10:50 AM

Quote: Originally Posted by allworknoplay (Post 24542)

Mhm, I do it all the time with other data types.

Wildhoney 05-21-2009 01:27 PM

Sleeping? Yes, I should!

As for the var_dump. Nooo, I think that is for all data types. Well, that's what I use it for, anyway. I don't use it for arrays though, nor objects. For arrays I use print_r.


All times are GMT.
