-2

I'm working on an application where I have a web interface for a screen on my wall, and the goal is to allow my friends to upload images to it.

Right now I have a basic web interface with a login, which authenticates a session and has a page which allows uploading an image and changing some of the parameters of the screen. The parameters are stored in a MySQL database, as well as the login details. This part I've heavily based off the approach detailed in this link: https://phppot.com/php/secure-remember-me-for-login-using-php-session-and-cookies/

Ideally I can allow my friends to upload images to this screen in a secure way that is as simple as possible. What I am imagining is a unique URL link that can be sent to them, which takes them to a page where they can upload an image but do not have access to change any of the screen parameters and so on. This URL would allow anyone who has it to upload pictures, but I want the owner of the screen to also be able to deactivate the URL if it is no longer secure. The owner could ideally generate a number of URLs that they could share with different people, which would all upload to the same screen.

My question is firstly, is this a good approach and is there a way to do this securely (without opening access to the screen parameters and so on)? I would prefer to avoid giving these "guest" users login details, as that is one more account to remember and reduces the simplicity of uploading to the screen.

My next question would be how to do it? My current idea is to have a new database with columns for the screen ID (to allow it to work when I have multiple screens) and link URL. The screen owner would generate some kind of random string as the URL and save it to the database. The "guest" upload page would only allow uploads if the redirected URL is found in the database. Right now I'm looking at affiliate link examples to get ideas on how to implement this, but if anyone has better suggestions of what to search for or other examples it would help a lot.

I'm very new to web development so I'm not sure if I'm describing my approach clear enough or if my goal even makes sense. I'm also very uncertain of any possible security issues I may be introducing with this approach, so anyone has suggestions or possible pitfalls please let me know. I don't know how much I don't know.

C.Dowd
  • 1
  • 1
  • does it need to be NSA secure? A novelty script like this could get away with https://hashids.org/ i.e turn the user id or screen id into a hash (of any length), so when a user signs up or you create a screen you assign a db id like normal, then use the id(s) in a hashid, then upon going to the url decode the hash to get the id(s) – Lawrence Cherone Mar 08 '21 at 00:01
  • Yes that could work. I think I will generate fully random ids in the URL though and use that to check against a database, it seems about the same amount of work. – C.Dowd Mar 09 '21 at 21:52

1 Answers1

0

You can use Tokens : generating tokens with php

You generate an URL with the token inside then send it to your friends: www.myULR/token

After, you create a table token with all tokens with a jointure with user's id, and you should easily verify with PHP, if tokens exist and user is not an impostor, allow him to upload files.

Marshe78
  • 23
  • 6
  • Thanks for the tip, I just looked up tokens and while I'm not fully sure if I understand it completely it sounds like the thing I was looking for. Right now I am generating a random string to use in the URL as the "token", passing it as a "GET" variable and checking it in a database of guests. If the token is in the database, then the screen's ID and other information necessary for the upload is loaded in a session from another database and the page redirects to an upload form. There's no way with this that 3rd parties could upload images without the token string right? – C.Dowd Mar 09 '21 at 21:56