Home/ Questions/Q 8740955
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T11:13:21+00:00

Suppose that I have below code: <?php $html = ‘ <form id=formA> <!– Form

  • 0

Suppose that I have below code:

<?php
    $html = ' 
        <form id="formA">
            <!-- Form for user another than admin goes here /--> ';

    if ($userrole == 'admin') {
        $html .= ' <!-- Form for admin goes here /--> ';
    }

    $html .= '
            <input type="submit" value="Submit" />
        </form> ';

    print $html;
?>

I think it’s bad to implement a hidden interfaces on our webpages, especially when you are trying to use $_GET[''] on that $userrole, because the attacker might try abusing the query string on the URL to see if there is any debugging template on the page.

I know it’s a bad implementation for developer, but I have no idea how to do that things securely. Any ideas? Thanks.

UPDATE 1

Is it just the same when I am trying to save the userrole information on a _SESSION and has the same checking part on the page like what I have mentioned above, which means, still has a hidden interfaces on the page?

UPDATE 2

Suppose I have these two tables:

tblUser

UserID    UserName    UserRole
 101       Abc         1
 102       Bcd         1
 103       Cde         2

tblRole

UserRole   RoleName    V    A    U    D
 1          Admin      1    1    1    1
 2          User       1    1    0    0

Note: V, A, U, D stand for VIEW, ADD, UPDATE and DELETE‘s authorization.

This code is to check the authorization of the user to View, Add, Update or Delete somethings on the page (seems it’s different from the first question mentioned above).

Then, suppose that I’ve already session saved since the first login (I omit the code for login and storing the session – UserID and UserRole). And what I want to do below is, check each of the authorization and check using if condition.

$V = checkauth($_SESSION['UserRole'], 1);
$A = checkauth($_SESSION['UserRole'], 2);
$U = checkauth($_SESSION['UserRole'], 3);
$D = checkauth($_SESSION['UserRole'], 4);

if($V == 1) { //Do something here }
if($A == 1) { //Do something here }
if($U == 1) { //Do something here }
if($D == 1) { //Do something here }

function checkauth($userRole, $mode) {
    $q = " SELECT V, A, U, D FROM tblRole WHERE UserRole = '" . $userRole . "' ";
    //I omit the connection code since it's not important here (not the topic)
    $fetch = mysqli_fetch_array($r);

    switch($mode) {
        case '1': return $fetch[0]; break;
        case '2': return $fetch[1]; break;
        case '3': return $fetch[2]; break;
        case '4': return $fetch[3]; break;
    }
}

Is the code is quite secure to implement on the webpage? Or there is something better than this? I’m sure there is… Need your ideas, guys! 🙂

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should store their access level in the database. Not in the query string, Not in a cookie, and Not in a session. When they go to the page, check against the database if they have the correct access and display the correct html if they do.

    • 0