Re: Basic Web Functionality - Security Question

"dealTek"  wrote in message
news:85277E2B-52F7-4ACA-903E-45D8CA44DC36@xxxxxxxxx...

Hi all,

Assuming the following:


- in your database you are using serial numeric IDs
- with php you do a search query to get a number of items - then you
display the results in a loop on a web page list view.
- then on each row you have an edit button for that item. Here, the link is
something like: editpage.php?id=<?php echo $record->getField('item_id'); ?>
- now when you click to the edit page - it will do another query to get all
the item details and display an edit form - etc.


Problem: In this case - anyone can simply change the url id=xxx to any
other number and it will make the page search for another item record.


Q: HOW can we lock this down so as to prevent the above scenario and it is
a more secure system?

BTW: One method that we can use is to have a second field such as a random
number field in the table data - then search for both - which people will
have a hard time guessing like this link: editpage.php?id=<?php echo
$record->getField('item_id'); ?>&random=<?php echo
$record->getField('randomnum'); ?>

ANY BETTER SUGGESTIONS to lock things down?


--
Thanks,
Dave - DealTek
dealtek@xxxxxxxxx
[db-14]

My solution is not simple, but it's bulletproof.

(1) In the list/browse screen I store an array of primary keys which is
indexed by the row number in the current screen.
(2) This array is stored in the session data.
(3) The hyperlink contains the index number to the array, not the primary
key.
(4) When the hyperlink is used the script which is run accesses the array to
convert the index number to a primary key.

This means that I *NEVER* expose any primary key values in any URLs.

--
Tony Marston

www dot tonymarston.net
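The four steps above, written out as an added example that is not Tony's or DealTek's own code. It assumes a PDO connection, a hypothetical table `items` with columns `item_id`, `owner_id` and `name`, and a session key `items_row_map`; all function names are made up for the illustration. The edit link carries only the row number, the session array turns it back into a primary key, and a row number that the list screen never issued resolves to nothing. The ownership predicate is kept in the edit query as well, since the session map limits which keys are reachable but it is the server-side check against the logged-in user that actually decides who may edit what.

```php
<?php
// Added example (not code from the thread): session-indexed row map for a list/edit screen.
// Assumed schema: items(item_id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT).
declare(strict_types=1);

// Steps (1) and (2): run the search, remember the primary keys in the session
// indexed by row number, and emit links that carry the row number only.
function renderListScreen(PDO $pdo, int $currentUserId): string
{
    $stmt = $pdo->prepare('SELECT item_id, name FROM items WHERE owner_id = :owner ORDER BY item_id');
    $stmt->execute([':owner' => $currentUserId]);

    $rowMap = [];            // row number => primary key
    $rowNo  = 0;
    $html   = "<ul>\n";
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $rowMap[$rowNo] = (int) $row['item_id'];
        $html .= sprintf(
            "  <li>%s <a href=\"editpage.php?row=%d\">edit</a></li>\n",
            htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
            $rowNo
        );
        $rowNo++;
    }
    $html .= "</ul>\n";

    // Replace the whole map rather than merging, so indexes from an earlier
    // search cannot be reused once a new list has been shown.
    $_SESSION['items_row_map'] = $rowMap;
    return $html;
}

// Steps (3) and (4): convert the row number from the URL back into a primary key.
// Anything that is not a row number issued by the list screen is rejected before
// any database query runs.
function resolveRowToPrimaryKey(string $rowParam): ?int
{
    if (!ctype_digit($rowParam)) {
        return null;                        // not a non-negative integer
    }
    $rowMap = $_SESSION['items_row_map'] ?? [];
    return $rowMap[(int) $rowParam] ?? null;
}

function loadItemForEdit(PDO $pdo, int $currentUserId, string $rowParam): ?array
{
    $itemId = resolveRowToPrimaryKey($rowParam);
    if ($itemId === null) {
        return null;
    }
    // The session map already limits the reachable keys; the ownership check
    // stays in the query so the edit page never trusts the map alone.
    $stmt = $pdo->prepare('SELECT * FROM items WHERE item_id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $itemId, ':owner' => $currentUserId]);
    $item = $stmt->fetch(PDO::FETCH_ASSOC);
    return $item === false ? null : $item;
}

// Stand-alone run from the command line against an in-memory SQLite database
// with constructed rows; in a real request session_start() provides $_SESSION.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE items (item_id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)');
    $pdo->exec("INSERT INTO items VALUES (101, 1, 'alpha'), (102, 2, 'bravo'), (103, 1, 'charlie')");

    // User 1 sees two rows; the links carry row=0 and row=1, never 101 or 103.
    echo renderListScreen($pdo, 1);
    var_dump($_SESSION['items_row_map']);

    // A row number the list screen issued resolves to that user's record.
    var_dump(loadItemForEdit($pdo, 1, '1'));
    // A row number that was never issued resolves to nothing.
    var_dump(loadItemForEdit($pdo, 1, '7'));
    // Pasting another user's primary key into the row parameter gets nowhere,
    // because the value is looked up as an index, not used as a key.
    var_dump(loadItemForEdit($pdo, 1, '102'));
}
```

Two points worth keeping in mind when copying this pattern: the map must be rebuilt on every list render (and cleared when the user logs out), and with several browser tabs showing different searches the last rendered list wins, so the edit link in an older tab may point at the wrong record or at nothing. Neither weakens the protection, but both are the usual sources of "edit opened the wrong item" bug reports with this design.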

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php