UPDATE:
I added that CSRF protection, as Berdir told me, using the link below to get my application working again. However... I'm not quite sure what I did just now :D How will this make my application more secure? I am particularly concerned about the fact that now I get a cookie value in my ajax code because I need to pass it using my ajax call... otherwise it just doesn't work. Doesn't this expose some important cookie information? Or am I just paranoid? Thanks!
http://aymsystems.com/ajax-csrf-protection-codeigniter-20
OLD:
Hello.
In this web application that I am creating, I have the functionality to add "tips and tricks" on specific topics. These pages can only be added by accounts with the administrator role. However, I also want to delete these pages. (Always convenient, right?) Since I use CodeIgniter, I thought about just creating a controller function that takes an identifier and passes that identifier to the model, where the page matching that identifier will be deleted from the database.
Just to make it clear:
Controller:
public function del_content($id) { $this->content_model->del_content($id); }
Model:
public function del_content($id) {
    $this->db->delete('content', array('id' => $id)); // body and table name 'content' assumed; the post shows only the signature
}
It's all very simple, but I'm afraid it might be too simple. This is actually not so good for me, is it? Since you can call the function from the address bar of the URL in your browser, you can basically delete the entire table that is contained. (Since you will be doing http://mywebsite/controller/del_content/3 for the item with ID 3). Of course, only administrator accounts will have access to this feature, but still ..
I had never programmed anything like this before, and therefore I never thought about the security measures that I should take in this case. Will someone be kind enough to give me some things that I should pay attention to, and maybe some ideas, suggestions, how to make this safer?
Thanks a lot!
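A hardened version of the delete endpoint, as an added example (not code from the question or from CodeIgniter itself): it turns on CodeIgniter 2's CSRF check in the config, accepts only POST, re-checks the admin role on every call and validates the id before touching the database. The session key `role`, the table name `content` and the file paths in the comments are assumptions.

```php
<?php
// application/config/config.php: enable CodeIgniter's CSRF check so that a
// forged cross-site request is rejected even if the admin is logged in.
$config['csrf_protection'] = TRUE;
$config['csrf_token_name']  = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';

// application/controllers/content.php (assumed path)
class Content extends CI_Controller {

    public function del_content() {
        // 1. Never delete on GET: a link typed into the address bar, or an <img> tag
        //    on another site, must not be able to trigger it.
        if ($this->input->server('REQUEST_METHOD') !== 'POST') {
            show_error('Method not allowed', 405);
        }
        // 2. Authorization on every request, not only when the admin UI is rendered.
        //    Assumption: the login code stores the role in the session under 'role'.
        if ($this->session->userdata('role') !== 'admin') {
            show_error('Forbidden', 403);
        }
        // 3. Validate the identifier instead of forwarding whatever arrived.
        $id = $this->input->post('id');
        if ($id === FALSE || ! ctype_digit((string) $id)) {
            show_error('Bad request', 400);
        }
        $this->load->model('content_model');
        $deleted = $this->content_model->del_content((int) $id);
        // 4. Leave an audit trail of who deleted what, and report the outcome.
        log_message('info', 'del_content id=' . (int) $id
            . ' user=' . $this->session->userdata('user_id')
            . ' deleted=' . (int) $deleted);
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array('deleted' => $deleted)));
    }
}

// application/models/content_model.php (assumed path)
class Content_model extends CI_Model {
    // Returns TRUE only if exactly one row with this id was removed. Table name assumed.
    public function del_content($id) {
        $this->db->delete('content', array('id' => (int) $id));
        return $this->db->affected_rows() === 1;
    }
}
```

Reading the CSRF cookie from your own JavaScript and sending it back as the token is how the check is meant to work: a script on another origin cannot read that cookie, so it cannot supply the matching value. The cookie does not carry the session id, so the ajax code exposes nothing an attacker could not already get from a page they control.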