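<?php
/**
 * Demonstration: get_users() used as a credential lookup, and what happens when
 * the supplied 'meta_value' is an empty string.
 *
 * The script runs the same meta query three times against the 'access_key' user
 * meta: once with a real key, once with '' and once with false. According to the
 * results recorded in this demo, the '' query returns every user that has an
 * 'access_key' row, while the false query returns nobody.
 *
 * Defensive takeaways for code that authenticates this way:
 *  - Reject a key that is not a non-empty string BEFORE building the query,
 *    e.g. `if ( ! is_string( $key ) || '' === $key ) { deny }`.
 *  - Prefer identifying the user first and then verifying the secret for that
 *    one user with hash_equals(), instead of searching all users by secret.
 *  - Treat any result other than exactly one user id as a failed lookup.
 *  - The keys below are stored in plaintext purely for the demo; a real secret
 *    should be stored hashed, not as readable user meta.
 */

// Change these based on what user ids your registered users have.
$user_1_id = 1;
$user_2_id = 2;

/**
 * When we create a user, let's assume we attach a secret access key to their
 * user ID, under the meta_key 'access_key'.
 *
 * We ask the user for this key every time they want to do something.
 * (Sample values, re-written on every run of this demo.)
 */
update_user_meta( $user_1_id, 'access_key', 'eiZurewj$ez24pP' );
update_user_meta( $user_2_id, 'access_key', 'xcrpsokfoipu35oE' );

/**
 * This is the key that the user provides us.
 */
$secret_key_from_frontend = 'eiZurewj$ez24pP';

$all_users_ids = get_users( [
    'fields'       => 'id',
    'meta_key'     => 'access_key',
    'meta_compare' => '=',
    'meta_value'   => $secret_key_from_frontend,
] );

/**
 * We loop through a supposedly safe & accurate list of users that match the
 * meta_key/meta_value pair. It should only give us '1'.
 */
echo "User ids that correspond to the correct secret key:";
// Should only return 1.
foreach ( $all_users_ids as $user_id ) {
    echo $user_id;
    echo " ";

    // Do some sensitive stuff with this, since we "know" the caller holds the
    // secret key for this specific user id.
}

echo "<br>";

/**
 * Now repeat the lookup with an empty meta_value, as a caller who submits no
 * key at all would.
 */
$evil_key = '';

$evil_user_ids = get_users( [
    'fields'       => 'id',
    'meta_key'     => 'access_key',
    'meta_compare' => '=',
    'meta_value'   => $evil_key,
] );

echo "User ids that correspond to the evil, empty-space key:";
// Returns 1,2... The value condition is apparently not applied for '', so the
// query behaves like "has an access_key" rather than "access_key equals ''".
foreach ( $evil_user_ids as $evil_user_id ) {
    echo $evil_user_id;
    echo " ";

    // Do some sensitive stuff with this, only this time we got tricked: the
    // same operation now runs for every user that has an access key.
}


echo "However, let us see what happens when False is provided for the meta value.";
$proper_user_ids = get_users( [
    'fields'       => 'id',
    'meta_key'     => 'access_key',
    'meta_compare' => '=',
    'meta_value'   => False,
] );

// Label fixed: this loop reports the False lookup, not the empty-string one.
echo "User ids that correspond to the False key:";
// Returns nothing.
foreach ( $proper_user_ids as $proper_user_id ) {
    echo $proper_user_id;
    echo " ";

    // Not reached in this demo: no user matched, so nothing sensitive runs.
}

echo "Well, nothing, as it should, but, we are expecting that '' would achieve the same thing.";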