Hello all,

On the main page of my website I have written a very simple comments feature that allows people to leave a message under my posts, much like a blog. I have purposely kept this very simple... On the main page I have simple text links that someone can click on if they want to leave a note. Clicking the link passes a variable $postid (a simple int) to the backend script, which tells the database which 'blog entry' the comment is attached to.

The problem is that after playing around with this a bit, it is clear that someone can craft a url with an arbitrary $postid that is not in the database yet. Now naively, it would seem that the worst someone could do is just create arbitrary entries in the DB that may come back to bite me when I actually _use_ the arbitrary postid down the road.

What I want to do is make sure that someone cannot create a post with a $postid value greater than the largest $postid I have used so far. Now, I thought about using a quick sql query to get the largest postid from the DB and check that, but this will not work because of my own bad DB design (I'm really just a hobbyist here...) in that if there are no comments attached to a blog entry, then the postid for that entry is _not_ in the DB until I get one.

So, I guess my option is to either create another DB table with only the valid postids in it and check that, or perhaps use a regexp to grab the highest postid from the html link (which would be the one closest to the top of the page). I really don't want to have to change the current DB table, or have to update one manually when I add a new post on the main page.

I guess my question is if there is an easier way to validate the postid value passed in the url. How would you do it? If you need more info, please just ask...

Thanks,
Darren Kirby

--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
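An added example, not from the original post or its author, of the first option the post raises (a table that lists only the valid postids) combined with server-side validation of the URL parameter. It is written in Python with sqlite3 rather than whatever backend the site actually uses; the table names `posts` and `comments`, the sample post rows, and the helper names are all assumptions made here. Two layers do the work: the script first checks that the raw parameter is a positive integer and that it matches an existing post, and the `comments` table also carries a foreign key to `posts`, so even a code path that forgets the check cannot store a comment under an unknown postid. Because the check is "does this id exist" rather than "is this id below the maximum", it also rejects ids in gaps below the highest one, and the parameterized queries keep the raw URL value out of the SQL text.

```python
import sqlite3


def open_db():
    """Create an in-memory database with constructed sample posts.

    Assumed schema: a `posts` table listing every valid postid, and a
    `comments` table whose postid must reference a row in `posts`.
    """
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces REFERENCES when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(
        """
        CREATE TABLE posts (
            postid INTEGER PRIMARY KEY,
            title  TEXT NOT NULL
        );
        CREATE TABLE comments (
            id     INTEGER PRIMARY KEY AUTOINCREMENT,
            postid INTEGER NOT NULL REFERENCES posts(postid),
            body   TEXT NOT NULL
        );
        """
    )
    # Constructed sample data: three blog entries, none with comments yet.
    conn.executemany(
        "INSERT INTO posts (postid, title) VALUES (?, ?)",
        [(1, "First entry"), (2, "Second entry"), (3, "Third entry")],
    )
    conn.commit()
    return conn


def parse_postid(raw):
    """Return the postid as an int if `raw` is a plain positive decimal, else None."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def postid_exists(conn, postid):
    """Allowlist check: the id must already be a row in `posts`."""
    row = conn.execute(
        "SELECT 1 FROM posts WHERE postid = ?", (postid,)
    ).fetchone()
    return row is not None


def add_comment(conn, raw_postid, body):
    """Validate the URL parameter, then store the comment with a bound query."""
    postid = parse_postid(raw_postid)
    if postid is None:
        return "rejected: malformed postid"
    if not postid_exists(conn, postid):
        return "rejected: unknown postid"
    conn.execute(
        "INSERT INTO comments (postid, body) VALUES (?, ?)", (postid, body)
    )
    conn.commit()
    return "ok"


def comment_count(conn):
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def fk_blocks_orphan(conn, postid=999):
    """Show the database-level backstop: a direct insert of an unknown
    postid (bypassing add_comment) is refused by the foreign key."""
    try:
        conn.execute(
            "INSERT INTO comments (postid, body) VALUES (?, ?)", (postid, "x")
        )
        conn.rollback()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


if __name__ == "__main__":
    db = open_db()
    for raw in ["2", "99", "7; DROP TABLE posts", "-1", ""]:
        print(repr(raw), "->", add_comment(db, raw, "test comment"))
    print("comments stored:", comment_count(db))
    print("foreign key blocks orphan insert:", fk_blocks_orphan(db))
```

When a new blog entry is published, the only bookkeeping is one row in `posts`; if the main page is itself rendered from that table, the link list and the allowlist can never drift apart, which removes the need for the regexp-over-HTML approach.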