what is the most secure way to do this?

sales2010

Hello,

I need your advice about the following situation.

First, is it safe to use JRequest in prefilters? If not, how can I retrieve the information from the URL?

Second, what is the best way to secure a form in order to allow the Public group to edit the information (only two fields will be available for editing by the public), but only for the users who receive a link with a token in their email?

The token contains 50 random characters; I can increase the length to a bigger value.

The link sent in the email will look like this:

Code:
http://www.mywebsite.com/index.php?option=com_fabrik&view=form&formid=16&listid=16&rowid=16&token=BTfnfADpJrthic4r8d8LbcL07HfsVm29hP20m6zQMCNGjwXre7

I use two prefilters in order to keep the info available only to the users who receive this email. The prefilters are the following, applied to the Public group:

Code:
// Prefilter 1 (Public group): the token column must equal the token in the URL
$token = JRequest::getVar('token');
return $token;

// Prefilter 2 (Public group): the row id must equal the rowid in the URL
$id = JRequest::getVar('rowid');
return $id;

Thank you
 
First, is it safe to use JRequest in prefilters? If not, how can I retrieve the information from the URL?
Well, JRequest is deprecated in Joomla; instead you should use:

PHP:
$app = JFactory::getApplication();
$token = $app->input->get('token');

There are several 'get' methods: getInt(), getString(), etc. get() is the same as getCmd(), which allows through only certain characters (no spaces, for example). So in your example I think get() is correct.

Then you need to define what 'safe' means. Do you know what value you are expecting, e.g. a number, a string with only a-z|0-9 in it, etc.? What will the value then be used for? If it's in a db query then you should always either cast to an integer or use $db->quote() to ensure that your query is not open to attack.
Second, what is the best way to secure a form in order to allow the Public group to edit the information (only two fields will be available for editing by the public), but only for the users who receive a link with a token in their email?
I would store the valid tokens in a db table, then look up the token when you load the form, say in a form PHP plugin on 'before load'.

PHP:
$app = JFactory::getApplication();
$token = $app->input->get('token');
$db = JFactory::getDbo();
$query = $db->getQuery(true);
// Look the token up; $db->quote() keeps the value inside the string literal
// so it cannot alter the query, and quoteName() escapes the identifiers.
$query->select('COUNT(*)')
    ->from($db->quoteName('tokens'))
    ->where($db->quoteName('token') . ' = ' . $db->quote($token));
$db->setQuery($query);
$found = $db->loadResult();

if ($found == 0)
{
    // The exception aborts the form load; nothing after it runs.
    throw new RuntimeException('You do not have a valid token');
}

return true;
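The lookup above checks only that some token exists, so a valid token for one row would open any other row if the caller edits rowid= in the URL, and nothing stops a direct POST to the form's process task. The following is an added example, not code from the thread or from Fabrik/Joomla, showing one way to issue and check a per-row token. It assumes the Joomla 3.x API (JFactory, JInput, JDatabaseDriver), PHP 7 for random_bytes() and hash_equals(), and a hypothetical table #__form_tokens that you create yourself; all table, column and function names here are assumptions.

```php
<?php
// Added example, not code from the original thread or from Fabrik/Joomla.
// Assumptions: Joomla 3.x (JFactory, JInput, JDatabaseDriver), PHP >= 7.0 for
// random_bytes()/hash_equals(), and a table you create yourself, here called
// #__form_tokens(id INT PK, row_id INT, token_hash CHAR(64), expires DATETIME,
// used_at DATETIME NULL). All table/column/function names are hypothetical.

/**
 * Issue a token bound to one row and return the raw value for the e-mail link.
 * Only the SHA-256 hash is stored, so a copy of the table cannot be replayed.
 */
function issueRowToken($rowId, $ttlSeconds = 7 * 24 * 3600)
{
    $db  = JFactory::getDbo();
    $raw = bin2hex(random_bytes(32));   // 64 hex chars = 256 bits from the CSPRNG

    $query = $db->getQuery(true)
        ->insert($db->quoteName('#__form_tokens'))
        ->columns($db->quoteName(array('row_id', 'token_hash', 'expires')))
        ->values(implode(',', array(
            (int) $rowId,
            $db->quote(hash('sha256', $raw)),
            $db->quote(gmdate('Y-m-d H:i:s', time() + $ttlSeconds)),
        )));
    $db->setQuery($query)->execute();

    // Goes into the link: index.php?option=com_fabrik&view=form&formid=16&rowid=<rowId>&token=<raw>
    return $raw;
}

/**
 * Validate token + rowid from the current request. Returns the id of the
 * matching token record, or 0 when the request must be refused.
 */
function checkRowToken()
{
    $input = JFactory::getApplication()->input;
    $db    = JFactory::getDbo();

    $rowId = $input->getInt('rowid', 0);        // cast; never interpolate raw request data
    $token = $input->get('token', '', 'cmd');   // cmd filter keeps only [A-Za-z0-9_.-]

    // Reject anything not shaped like a token we issued before touching the database.
    if ($rowId <= 0 || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return 0;
    }

    // Binding to row_id is the important part: a valid token for row 16 must not
    // open row 17 just because the caller changes rowid= in the URL.
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'token_hash')))
        ->from($db->quoteName('#__form_tokens'))
        ->where($db->quoteName('row_id') . ' = ' . (int) $rowId)
        ->where($db->quoteName('used_at') . ' IS NULL')
        ->where($db->quoteName('expires') . ' > ' . $db->quote(gmdate('Y-m-d H:i:s')));
    $rows = $db->setQuery($query)->loadObjectList();

    // Constant-time compare over every candidate, so response timing does not
    // reveal whether a guess was "close".
    $presented = hash('sha256', $token);
    $matchedId = 0;
    foreach ($rows as $row) {
        if (hash_equals($row->token_hash, $presented)) {
            $matchedId = (int) $row->id;
        }
    }

    return $matchedId;
}

/** Burn a token once the edit has actually been saved (call from onAfterProcess). */
function markRowTokenUsed($tokenId)
{
    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->update($db->quoteName('#__form_tokens'))
        ->set($db->quoteName('used_at') . ' = ' . $db->quote(gmdate('Y-m-d H:i:s')))
        ->where($db->quoteName('id') . ' = ' . (int) $tokenId);
    $db->setQuery($query)->execute();
}

// Plugin body for both the load and the submit event: the same check must run on
// submit, otherwise a direct POST to the form's process task bypasses the gate.
$app = JFactory::getApplication();
if (checkRowToken() === 0) {
    $app->enqueueMessage('You do not have a valid token', 'error');
    $app->redirect(JRoute::_('index.php', false));
}
```

Put the three functions in a helper file that the plugin pulls in with require_once, and keep only the tail in the plugin's code box; that avoids a "cannot redeclare" fatal if Fabrik evaluates the same code twice in one request. Run the tail from the before-load event and again from the before-process event, and call markRowTokenUsed() after a successful save if the link is meant to be single-use. The prefilters in the original post can then stay as a display filter, but they are not what enforces access.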
 

Thank you.
