Testing the Security of Your Website – Part 3

Data Manipulation

Some programmers trust that users will access a webpage the way the developer intended. What if the user tries to manipulate and change variables? What will happen? This is something you must test on your website.

This subject is better explained through examples. Let’s say you have an online store where the user can see his order through a link such as http://www.yoursite.com/orders.php?id=12345. What happens if the user tries to change his order number to a different number on the URL? Will he be able to see orders posted by other clients? In a well-designed script, the user will only be able to see his own orders, and give an error message if the user tries to manually manipulate the variable.

On another example, let’s say you have a website with a link such as http://www.yoursite.com/article.php?id=12345, which we assume displays article number 12345 from your database. What happens if the user tries to change the variable to a number of an article that does not exist? On a well-designed script, it will display an error message, whereas on a poorly designed script the page will be displayed with the text missing, which is not desirable.

And what happens if the user tries to manipulate the variable in a more drastic way? That is our next subject.

Author: Gabriel Torres

Gabriel Torres is a Brazilian best-selling ICT expert, with 24 books published. He started his online career in 1996, when he launched Clube do Hardware, which is one of the oldest and largest websites about technology in Brazil. He created Hardware Secrets in 1999 to expand his knowledge outside his home country.

Share This Post On
Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our website.

You have been added to our newsletter!