I want to make a code-generator link, like

www.website.com/register?code=29U3HTR3H219URH923UH419H94RH1298491U2HERUH1?plan_bought=LowReseller

in a functions file in PHP that redirects a user to that link.

<?php
$planned = htmlspecialchars($_GET["planbought"]);
// connect to database
$db = mysqli_connect('localhost', 'root', 'pass');
mysqli_select_db($db, "ronp");

// builds the code by shuffling a repeated alphabet and taking a prefix
function generateRandomString($length = 16)
{
    $pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

    return substr(str_shuffle(str_repeat($pool, $length)), 0, $length);
}

$code_secure = generateRandomString(17);  // OR: generateRandomString(24)

// `date` is a reserved word, so the column name needs backticks (the original
// used single quotes, which turns it into a string literal); NOW() supplies the value
$query = "INSERT INTO codes (code, expired, `date`, plan)
                      VALUES('$code_secure', '0', NOW(), '$planned')";
mysqli_query($db, $query);

header('Location: register?code=', $code_secure);
?>

Process: After payment, PayPal will redirect the user to https://website.com/functions_generate-ak9esysgenthos.php?planbought=Low

That link will create a code in the database and will redirect the user to https://website.com/register?code_secure=(code)

Now the problem is, I get redirected to "https://website.com/register?code=", not "https://website.com/register?code=(the code created in the database, like 'J2498JT9UJ249UTJ293UJ59U123J9RU9U')"

RiggsFolly
Top Kenzo

2 Answers

1

If you look at the documentation for header() you'll see that the second parameter is a boolean value. This parameter specifies whether the header should be "forcefully" replaced. You are incorrectly passing your "secure"* code as that parameter.

What you want to do is concatenate the strings instead of passing your "secure" code as a second parameter. What you want to get is

header('Location: register?code=' . $code_secure);

*The "secure" code you are generating is predictable (as you used this code); if you need a secure code you might want to look into openssl_random_pseudo_bytes before PHP 7.0 and random_bytes() in PHP 7.0 or higher, as demonstrated by this answer.

Furthermore, as mentioned by Raymond Nijland your code is vulnerable to SQL injections. See this excellent answer on how you can prevent SQL injections.

Tom Udding
  • @RaymondNijland I meant to copy the link to the answer below that, which correctly uses `openssl_random_pseudo_bytes()`/`random_bytes()`. Thanks for letting me know! – Tom Udding Nov 07 '19 at 10:42
  • Well PHP 7 has `random_int()` and `random_bytes()` which are also cryptographically secure indeed. – Raymond Nijland Nov 07 '19 at 10:45
  • @RaymondNijland I already updated my answer to include those :) – Tom Udding Nov 07 '19 at 10:45
  • Same problem, I enter on "https://imgur.com/fm66rY4" (that will be used by PayPal on finish of the transaction) – Top Kenzo Nov 07 '19 at 10:48
  • @TopKenzo I'd recommend you remove the credentials from your last comment. Regarding your previous comments, can you enable error reporting and make sure that nothing bad happens before you set the headers? – Tom Udding Nov 07 '19 at 10:52
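The generator from the question with the three fixes from this answer applied (string concatenation for the Location header, a CSPRNG for the code, a prepared statement for the INSERT). This is an added example, not code from the question or the answer; it assumes the same `codes` table and credentials as the question, and the allow-list of plan names (`Low`, `LowReseller`) is an assumption taken from the URLs in the question.

```php
<?php
// Added example, not from the question or the answer above. Assumes the
// `codes` table (code, expired, `date`, plan) and the credentials from the
// question; the plan allow-list below is an assumption.
declare(strict_types=1);

// Throw exceptions on any mysqli error instead of silently returning false,
// so a failed INSERT cannot be hidden behind a successful redirect.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'root', 'pass', 'ronp');

// 1. Only accept known plan names; anything else is rejected before it
//    reaches the database or the redirect. (Assumed plan names.)
$allowedPlans = ['Low', 'LowReseller'];
$planned = $_GET['planbought'] ?? '';
if (!in_array($planned, $allowedPlans, true)) {
    http_response_code(400);
    exit('unknown plan');
}

// 2. A CSPRNG code: 16 random bytes -> 32 hex characters (128 bits of
//    entropy). str_shuffle() draws from a PRNG that is not designed to be
//    unpredictable, so its output is not suitable for an access code.
$code_secure = bin2hex(random_bytes(16));

// 3. Prepared statement: values travel separately from the SQL text, so no
//    input can change the query's structure. `date` is backtick-quoted
//    because it is a reserved word.
$stmt = $db->prepare(
    'INSERT INTO codes (code, expired, `date`, plan) VALUES (?, 0, NOW(), ?)'
);
$stmt->bind_param('ss', $code_secure, $planned);
$stmt->execute();

// 4. Concatenate with `.`; a second argument to header() is the $replace
//    flag, not part of the header. rawurlencode() is a no-op for hex but is
//    the right habit for any value placed in a query string.
header('Location: register?code=' . rawurlencode($code_secure));
exit;
```

The `exit` after `header()` matters: without it the rest of the script keeps running after the redirect header is queued, and any later output or error would still be sent to the client.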
0

Besides the issues mentioned in Tom Udding's answer, there are at least two other issues:

  • functions_generate-ak9esysgenthos.php can be accessed without any authentication at all. Moreover, it generates a "secure code" blindly, without determining whether a user is logged in or otherwise authorized to access that page (e.g., without determining whether a payment operation is in progress). This could allow anyone with knowledge of the URL to access functions_generate-ak9esysgenthos.php; depending on how your application is implemented, this could cause orders that weren't paid for or even a denial of service attack (due to the additional order codes clogging your database).

  • You are generating a random "secure code" without checking whether that code was already used. What if /register?code=... finds two records with the same code? Can your application tolerate the risk of generating the same code for different records? (See also my section on unique random identifiers.)

Peter O.
  • I want to redirect to the register page, you don't need to login, it will generate a code, after it will let you register – Top Kenzo Nov 07 '19 at 12:35
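One way to address both points in this answer without requiring a login, as the asker wants: tie code generation to a server-side record of a completed payment, and let a UNIQUE index on `codes.code` enforce uniqueness. This is an added example, not code from the question or either answer. It assumes a `paid_orders` table that the payment side fills in (columns `id`, `plan`, `code_issued`), a UNIQUE index on `codes.code`, and that the return URL carries `?order=...` instead of `?planbought=...`; all three are assumptions, not part of the page.

```php
<?php
// Added example, not from the question or either answer. Assumed schema
// (not on the original page):
//   CREATE TABLE paid_orders (id VARCHAR(64) PRIMARY KEY, plan VARCHAR(32) NOT NULL,
//                             code_issued TINYINT NOT NULL DEFAULT 0);
//   ALTER TABLE codes ADD UNIQUE (code);
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'root', 'pass', 'ronp');

// Issue a code for a paid, not-yet-claimed order; return null if there is
// no such order. Everything runs in one transaction.
function issueCodeForOrder(mysqli $db, string $orderId): ?string
{
    $db->begin_transaction();
    try {
        // 1. Authorization: the generator only works for an order the payment
        //    side has already recorded as paid and that has not yet produced
        //    a code. FOR UPDATE locks the row so two concurrent requests with
        //    the same order id cannot both get a code.
        $sel = $db->prepare(
            'SELECT plan FROM paid_orders WHERE id = ? AND code_issued = 0 FOR UPDATE'
        );
        $sel->bind_param('s', $orderId);
        $sel->execute();
        $row = $sel->get_result()->fetch_assoc();
        if ($row === null) {
            $db->rollback();
            return null;
        }

        // 2. Uniqueness: the UNIQUE index is the real guard. A collision of
        //    128-bit random values is astronomically unlikely, but if it
        //    happens MySQL raises duplicate-key error 1062 and we draw again.
        $code = '';
        for ($attempt = 1; $attempt <= 3; $attempt++) {
            $code = bin2hex(random_bytes(16));
            try {
                $ins = $db->prepare(
                    'INSERT INTO codes (code, expired, `date`, plan) VALUES (?, 0, NOW(), ?)'
                );
                $ins->bind_param('ss', $code, $row['plan']);
                $ins->execute();
                break;
            } catch (mysqli_sql_exception $e) {
                if ($e->getCode() !== 1062 || $attempt === 3) {
                    throw $e;   // any other error, or three collisions in a row
                }
            }
        }

        // Mark the order as consumed so the same id cannot mint another code.
        $upd = $db->prepare('UPDATE paid_orders SET code_issued = 1 WHERE id = ?');
        $upd->bind_param('s', $orderId);
        $upd->execute();

        $db->commit();
        return $code;
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }
}

$code = issueCodeForOrder($db, $_GET['order'] ?? '');
if ($code === null) {
    http_response_code(403);
    exit('no unclaimed paid order for that id');
}
header('Location: register?code=' . rawurlencode($code));
exit;
```

The order id in the return URL is not itself the secret: anyone can guess ids. What makes this safe is that the `paid_orders` row is written by the server-side payment confirmation, not by the redirect, so a request for an id that was never paid (or was already claimed) gets a 403 and no row is added to `codes`. That also removes the "clog the database with unpaid codes" denial-of-service the answer describes.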