
Is href='example.php?id="<?= $row['id'] ?>"' safe in the code below? If not, can you tell me why and how to make it secure?

<a class='btn btn-sm' href='example.php?id="<?= $row['id'] ?>"' role='button' data-toggle='modal' data-target='.bs-example-modal-lg'>View</a>

Edit:

Here's why the question above was triggered in my head: I'm seeing the database ID just as it is at the bottom of the browser on mouse hover!


Mohan Wijesena
  • Do you need encryption for a secure link, or do you need an http or https link for the anchor tag? – bharat Jan 27 '18 at 07:08
  • Please clarify your concern about SAFE, it will be helpful to answer. – Gunnrryy Jan 27 '18 at 07:10
  • @Gunnrryy Maybe the edit in the question gives you clarity! – Mohan Wijesena Jan 27 '18 at 07:17
  • Oh, so you do not want to expose the DB id. Well, in this case, have an extra unique column and use that, and by doing so you would have to change the view logic to fetch by the value of the unique column rather than the id column. – Gunnrryy Jan 27 '18 at 07:20
  • Then again, is it (exposing the DB id) really posing any danger to your application logic? – Gunnrryy Jan 27 '18 at 07:21
  • @Gunnrryy Well, your earlier comment makes sense; however, does it still stop the user seeing whatever the unique column content is? I'm not sure if exposing this has a vulnerability attached, which is what I am also looking for an answer to here! ;) – Mohan Wijesena Jan 27 '18 at 07:25
  • If it does not pose any danger to your logic in terms of manipulation / injection, feel free to use it. Just a note: why the double quotes around id? – Gunnrryy Jan 27 '18 at 07:27
  • Yes, the unique column will be a random string, so it will prevent users from brute-forcing and seeing whatever is stored. The other suggestion is to impose ACL and RBAC to prevent unwanted users from accessing items/urls. – Gunnrryy Jan 27 '18 at 07:29
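The comments above land on the real point: a sequential database ID in the status bar is only a problem if example.php trusts it. Below is an added example of the receiving side, not code from the question or its comments, showing that the defence is a per-row authorisation check on the server, with an opaque public id as an optional extra against enumeration. The table and column names (items, owner_id, public_id), the logged-in user id, and the in-memory SQLite database are assumptions made for the example; it needs the pdo_sqlite extension to run.

```php
<?php
// Added example (not from the original question or answers): the example.php
// side. The id in the URL is untrusted input, so it is validated and then
// looked up together with the owner, not on its own. Names are assumptions.

declare(strict_types=1);

// 1. Validate the id as a positive integer. Anything else, including the
//    quoted value "5" that the original markup sends, is rejected before it
//    reaches the database.
function parseId(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Fetch the row only if it belongs to the current user. Binding owner_id
//    into the query is what stops a user walking example.php?id=1, 2, 3, ...;
//    the prepared statement keeps the id out of the SQL text.
function loadItemForUser(PDO $db, int $id, int $userId): ?array
{
    $stmt = $db->prepare('SELECT id, owner_id, title FROM items WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Optional: an opaque public id, as the comments suggest. It hides the
//    sequence and makes guessing impractical, but the owner check above is
//    still required when looking a row up by public_id.
function newPublicId(): string
{
    return bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
}

// Constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, public_id TEXT UNIQUE NOT NULL, title TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO items (id, owner_id, public_id, title) VALUES (?, ?, ?, ?)');
$ins->execute([1, 100, newPublicId(), 'Alice report']);
$ins->execute([2, 200, newPublicId(), 'Bob report']);

// Simulated requests from user 100: her own row, Bob's row, and the quoted
// id produced by the original href.
$currentUser = 100;
foreach (['1', '2', '"1"'] as $raw) {
    $id = parseId(['id' => $raw]);
    $item = $id === null ? null : loadItemForUser($db, $id, $currentUser);
    printf("id=%-4s -> %s\n", $raw, $item === null ? 'HTTP 404' : 'show: ' . $item['title']);
}
```

Only the first request returns a row; the other two are answered with 404 rather than 403 so the response does not confirm that a row with that id exists. Whether the link carries the integer id or a random public_id, the `AND owner_id = ?` part of the query is what makes the exposed value harmless.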

2 Answers


There isn't any important bug in your code, but I assume the short tag is activated; it is better to use the full tag here:

<a class='btn btn-sm' href='example.php?id="<?php echo $row['id'] ?>"' role='button' data-toggle='modal' data-target='.bs-example-modal-lg'>View</a>

This is the better choice, and, most importantly, the server-side code that loads the example by id can be vulnerable.

A1Gard
  • Are you suggesting using the short tag creates a vulnerability? [Look here](https://stackoverflow.com/questions/2020445/what-does-mean-in-php) . It's built in to PHP! – Mohan Wijesena Jan 27 '18 at 07:22
  • @MohanWijesena When `short_open_tag` is off, short-hand tags do not work and the rendered page shows your code exactly. – A1Gard Jan 27 '18 at 07:32

No need for quotes; you need to remove them:

<a class='btn btn-sm' href='example.php?id=<?= $row['id'] ?>' role='button' data-toggle='modal' data-target='.bs-example-modal-lg'>View</a>

Better to use PHP's sprintf or something like that for readability:

echo sprintf("<a class='btn btn-sm' href='example.php?id=%d' role='button' data-toggle='modal' data-target='.bs-example-modal-lg'>View</a>",
$row['id']
);

%d says that it is an integer.

Muhammed
  • Please read and understand the question and concern. Simply removing quotes or replacing code with something else would be of no use. – Gunnrryy Jan 27 '18 at 08:30
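The two answers are about how the id is rendered into the link. As an added example, not code from either answer, the block below puts the original markup next to a version that validates the id as an integer, URL-encodes the query string and escapes it for the single-quoted attribute. `$row` and example.php are the names from the question; the two sample rows are constructed for the demonstration (an integer primary key never yields the second one, but a different column or a later refactor might).

```php
<?php
// Added example (not from the original question or answers): rendering the
// "View" link. $row, example.php and the sample rows are assumptions.

declare(strict_types=1);

// The original markup: the id is wrapped in literal double quotes and pasted
// into the attribute unescaped. The browser requests example.php?id=%225%22,
// so the server receives the string "5" with its quotes, not the integer 5.
function renderViewLinkOriginal(array $row): string
{
    return "<a class='btn btn-sm' href='example.php?id=\"" . $row['id'] . "\"' role='button'>View</a>";
}

// Hardened version: validate as a positive integer (refuse to render
// otherwise), let http_build_query() URL-encode the query string, then
// escape for the HTML attribute context. ENT_QUOTES matters because the
// attribute is delimited by single quotes.
function renderViewLink(array $row): ?string
{
    $id = filter_var($row['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $url = 'example.php?' . http_build_query(['id' => $id]);
    return sprintf(
        "<a class='btn btn-sm' href='%s' role='button' data-toggle='modal' data-target='.bs-example-modal-lg'>View</a>",
        htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed sample rows: a normal integer id, then a string that carries a
// single quote and so breaks out of the original single-quoted attribute.
$rows = [
    ['id' => 42],
    ['id' => "1' onmouseover='alert(1)"],
];

foreach ($rows as $row) {
    echo 'original: ' . renderViewLinkOriginal($row) . PHP_EOL;
    echo 'hardened: ' . var_export(renderViewLink($row), true) . PHP_EOL;
}
```

For the integer row both versions differ only in the stray quotes; for the second row the original emits `href='example.php?id="1' onmouseover='alert(1)"'`, which the browser parses as a new event-handler attribute, while the hardened version returns null and renders nothing. The `%d` in the second answer is a lighter alternative: `sprintf('%d', "1' onmouseover='alert(1)")` yields `1`, so a non-integer can never reach the attribute, but it silently accepts such a value instead of flagging it, which is why the example validates with `filter_var` first.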