On 11 August 2014 21:11:08 BST, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:
>On Mon, Aug 11, 2014 at 4:02 PM, dealTek <dealtek@xxxxxxxxx> wrote:
>
>> Hi all,
>>
>> Assuming the following:
>>
>> - in your database you are using serial numeric IDs
>> - with PHP you do a search query to get a number of items - then you
>> display the results in a loop on a web page list view.
>> - then on each row you have an edit button for that item. Here, the link
>> is something like: editpage.php?id=<?php echo $record->getField('item_id'); ?>
>> - now when you click to the edit page - it will do another query to get
>> all the item details and display an edit form - etc.
>>
>> Problem: In this case - anyone can simply change the url id=xxx to any
>> other number and it will make the page search for another item record.
>>
>> Q: HOW can we lock this down so as to prevent the above scenario and it is
>> a more secure system?
>>
>> BTW: One method that we can use is to have a second field such as a random
>> number field in the table data - then search for both - which people will
>> have a hard time guessing like this link:
>> editpage.php?id=<?php echo $record->getField('item_id'); ?>&random=<?php echo $record->getField('randomnum'); ?>
>>
>> ANY BETTER SUGGESTIONS to lock things down?
>>
>> --
>> Thanks,
>> Dave - DealTek
>> dealtek@xxxxxxxxx
>> [db-14]
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>Are those IDs owned (each user has a set of IDs) or accessible by all?

A GUID generated as an md5 of the auto ID and another field?

Thanks,
Ash
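As an added illustration of Aziz's question (example code written for this page, not posted by anyone in the thread): when each item has an owner, the edit page can scope its lookup to the logged-in user, so a tampered `?id=` value simply finds nothing. It assumes an `items` table with `item_id`, `owner_id` and `name` columns, a PDO connection with a placeholder DSN, and `$_SESSION['user_id']` set at login.

```php
<?php
// Added example (not from the thread): scope the edit lookup to the logged-in
// user so that changing ?id= cannot reach another user's record.
// Assumes an `items` table (item_id, owner_id, name) and that the session
// holds the authenticated user's id in $_SESSION['user_id'].
declare(strict_types=1);

session_start();

// Placeholder DSN and credentials; replace with the real connection settings.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Fetch one item, but only if it belongs to $ownerId.
 * Returns null both for a non-existent id and for someone else's id, so the
 * response does not reveal which of the two happened.
 */
function loadOwnedItem(PDO $pdo, int $itemId, int $ownerId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT item_id, name FROM items WHERE item_id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $itemId, ':owner' => $ownerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// Validate the id as a positive integer before it goes anywhere near the query.
$itemId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($itemId === false || $itemId === null) {
    http_response_code(400);
    exit('Invalid id');
}

$item = loadOwnedItem($pdo, $itemId, (int) $_SESSION['user_id']);
if ($item === null) {
    http_response_code(404);
    exit('Not found');
}

// Render the edit form for $item from here on.
echo 'Editing item ' . htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8');
```

The same `owner_id` condition belongs on the UPDATE that the form submits to, since a record the page refuses to show must also be one it refuses to change.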