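<?php
/**
 * Demonstration of a WordPress meta-query pitfall.
 *
 * When get_users() is given 'meta_value' => '' (an empty string), the result
 * contains every user that has the meta_key at all, not the users whose stored
 * value is empty. The value constraint appears to be dropped, leaving a plain
 * "key exists" query. Passing boolean false does not trigger this and returns
 * no users here.
 *
 * Defensive takeaways for code that authorises on a meta lookup:
 *  - Reject empty or non-string keys before querying. A missing form field or
 *    header usually arrives as '' and would otherwise match every user.
 *  - Prefer identifying the user first, then comparing that user's stored
 *    secret with hash_equals(), over searching all users by the secret.
 *  - Avoid storing access keys in plaintext user meta. Store a hash, e.g. via
 *    wp_hash_password() / wp_check_password().
 */

// Change these based on what user IDs your registered users have.
$user_1_id = 1;
$user_2_id = 2;

/**
 * When we create a user, let's assume we attach a secret access key to their
 * user ID, under the meta_key 'access_key'.
 *
 * We ask the user for this key every time they want to do something.
 */
update_user_meta( $user_1_id, 'access_key', 'eiZurewj$ez24pP' );
update_user_meta( $user_2_id, 'access_key', 'xcrpsokfoipu35oE' );

/**
 * This is the key that the user provides us.
 */
$secret_key_from_frontend = 'eiZurewj$ez24pP';

$all_users_ids = get_users([
    'fields'       => 'id',
    'meta_key'     => 'access_key',
    'meta_compare' => '=',
    'meta_value'   => $secret_key_from_frontend,
]);

/**
 * We loop through a supposedly safe & accurate list of users that match the
 * meta_key/value pair. It should give us only '1'.
 */
echo "User ids that correspond to the correct secret key:";
// Should only return 1.
foreach ( $all_users_ids as $user_id ) {
    echo $user_id;
    echo " ";
    // Do some sensitive stuff with this, since we "know" the user has the secret key for a specific user id.
}
echo "<br>";

/**
 * Now make the meta_value empty, as happens when the frontend sends no key.
 */
$evil_key = '';

$evil_user_ids = get_users([
    'fields'       => 'id',
    'meta_key'     => 'access_key',
    'meta_compare' => '=',
    'meta_value'   => $evil_key,
]);

echo "User ids that correspond to the evil, empty-space key:";
// Returns 1,2... every user that has an 'access_key' meta row.
foreach ( $evil_user_ids as $evil_user_id ) {
    echo $evil_user_id;
    echo " ";
    // Do some sensitive stuff with this, only this time, we got tricked, we're doing the same operation for all users.
}

echo "However, let us see what happens when False is provided for the meta value.";

$proper_user_ids = get_users([
    'fields'       => 'id',
    'meta_key'     => 'access_key',
    'meta_compare' => '=',
    'meta_value'   => false,
]);

// Label fixed: this section reports the boolean-false lookup, not the empty-string one.
echo "User ids that correspond to the False key:";
// Returns nothing.
foreach ( $proper_user_ids as $proper_user_id ) {
    echo $proper_user_id;
    echo " ";
    // Not reached in this demo: no user matches, so no sensitive operation runs.
}

echo "Well, nothing, as it should, but, we are expecting that '' would achieve the same thing.";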