Question:
On my site, there is a link with the GET parameters ?interface-admin=1&del-id=1;
if you click on it, the admin will be deleted.
So, I put it all in an img tag:
<img src="http://localhost/dashboard/sait/?interface-admin=1&del-id=1">
and if this image is loaded, then the admin will be deleted.
What should I do here so that the request cannot be forged? Store everything in text files?
Answer:
Classic CSRF vulnerability.
First: don't delete or change anything with a GET request. GET requests should only read; the standard assumes that they do not change the state of the system, and therefore they are safe and can be performed multiple times, sometimes even without the user's knowledge, for example to load the next page in the background. Use POST requests to change state.
The only exception is when you really need a GET request. For example, for the "unsubscribe" link in the newsletter or others, where you understand what you are doing and why.
Second, it is also not difficult to make the browser execute a simple POST request when the user visits a specially crafted page, without the user's knowledge (in particular, as a result of an XSS attack). Data-modifying requests must be protected by a security token, which must be passed along with the request.
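Below is an added illustration (not code from the question or the answer) of both points: a session-bound CSRF token is rendered into the delete form, and the handler for the del-id request refuses to change state on GET or on a POST without a valid token. The session dict, the "delete-admin" action name and the handler's return values are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def new_session():
    """Constructed server-side session: one random CSRF secret per login."""
    return {"csrf_secret": secrets.token_hex(32)}


def csrf_token(session, action):
    """Token bound to this session's secret and to the action it authorizes."""
    key = session["csrf_secret"].encode()
    return hmac.new(key, action.encode(), hashlib.sha256).hexdigest()


def token_valid(session, action, presented):
    """Constant-time comparison; a missing token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session, action), presented)


def render_delete_form(session, del_id):
    """The legitimate page carries the token in a hidden field of a POST form."""
    token = csrf_token(session, "delete-admin")
    return (
        '<form method="POST" action="/dashboard/sait/">'
        '<input type="hidden" name="interface-admin" value="1">'
        f'<input type="hidden" name="del-id" value="{del_id}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "<button>Delete admin</button></form>"
    )


def delete_admin_handler(method, params, session, admins):
    """Handler for the del-id request. Returns (status, remaining admins).

    State changes only on a POST that carries a token minted for this session,
    so neither the <img> trick (a GET) nor a POST auto-submitted from another
    site (which cannot read the token) removes anyone.
    """
    if method != "POST":
        return 405, admins  # GET must never modify state
    if not token_valid(session, "delete-admin", params.get("csrf_token")):
        return 403, admins  # forged or token-less POST is rejected
    del_id = int(params["del-id"])
    return 200, [a for a in admins if a != del_id]
```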