Security Questions
Posted: Fri Feb 21, 2020 10:30 pm
Hi there,
I am just wondering if anyone more experienced than me with security knows if there are any security concerns with:
1 ) Controller - account.php, assigning customer to be 0 by default. But if a customer has purchased product x then give them a different value, 1 = premium customer.
Are hackers able to change values / modify values in the php? Changing themselves from a 0 to a 1 for example?
Should these values be assigned only in the database and then called to controller through functions?
2) Adding parameters onto the url for example /Desktop?x:
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
And checking "if REQUEST_URI contains x then ...."
Can a hacker place something like Desktop?<script>... or something like that into the url and that be used in the php when checking what the actual_link is?
When I test it, < is replaced with other characters by default with Opencart.
Any advice of the above would be great!
Thanks,
Scott
I am just wondering if anyone more experienced than me with security knows if there are any security concerns with:
1 ) Controller - account.php, assigning customer to be 0 by default. But if a customer has purchased product x then give them a different value, 1 = premium customer.
Are hackers able to change values / modify values in the php? Changing themselves from a 0 to a 1 for example?
Should these values be assigned only in the database and then called to controller through functions?
2) Adding parameters onto the url for example /Desktop?x:
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
And checking "if REQUEST_URI contains x then ...."
Can a hacker place something like Desktop?<script>... or something like that into the url and that be used in the php when checking what the actual_link is?
When I test it, < is replaced with other characters by default with Opencart.
Any advice of the above would be great!
Thanks,
Scott
