Re: Passing URL parameters, how to hide

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



See my response interspersed:

--- M Saleh EG <m.saleh.eg@xxxxxxxxx> wrote:

> You should always avoid passing Record IDs through
> URL parameters.
> Use form Hidden fields instead!

I agree.  Even as someone with limited experience. 
That is why I'm trying to figure out the right way to
do it.  The record ID is hidden in form itself.  
The way to get to the update form for that record is
via a hyperlink. I'm not sure how to get the user to
the update form without the hyperlink or how to hide
the id part of the url parameter in the link.

> In your case, when ur selecting the users form data
> from the record check if it's the same user if not 
> then if he tries to change the ID from the URI      
> Parameter just block it. 

Yes, I think this is the way to go.  And I'm halfway
there, in that , if someone changed the id and brought
up another users record, and they attempted to make
changes the update would fail. 

So I'm going to ask, how does PHP stop a URL from
being changed ?  Are there specific functions that
block that type of activity ? 

> I personaly dont recommand using url parameters for
> passing record ids, i'd rather use hidden inputs, 
> sessions, or even  cookies but never URI
querystrings > for record ids.

Can you explain a bit further how an hidden input
might work ?
 
> Better use of URI querystrings would be for logic,
> section, category,
> decision, options rather than important data such as
> ur table primary
> keys!

Agreed!

> 
> Hope this is useful.

Very useful, thank you!

Stuart
> 
> 
> On Mon, 20 Sep 2004 15:32:07 -0700, Jasper Howard
> <jasper@xxxxxxxxxxxxx> wrote:
> > When I created a business management script for
> the business I work for, it
> > was important that ids in url's were encrypted.
> What I did was create a code
> > for each item that needed one. My encryption table
> fields looked something
> > like: enc_id, encryption, table, id where enc_id
> was the unique identifier
> > in this table, encryption was the 14 character
> code, table was the table
> > that the encrypted data was stored in, and id was
> the id of the encrypted
> > data. That was you can pass the 14 digit code in
> the html, then when you
> > need to use it in a php script you can just make a
> function that returns the
> > data from the database from the encryption code.
> For extra security (since
> > someone could just remember the encryption code) I
> added a cron job script
> > that changed the encryptions every midnight. If
> anyone thinks something like
> > this would work for them, some thing to remember
> is that you need to make
> > sure that when you add an item to the encryption
> table in the db that each
> > code is unique.
> > 
> > --
> > 
> >
>
-------------------------------------------------------------->>
> > Jasper Howard :: Database Administration
> > ApexEleven Web Design
> > 1.530.559.0107
> > http://www.ApexEleven.com/
> >
>
<<--------------------------------------------------------------
> > "Stuart Felenstein" <stuart4m@xxxxxxxxx> wrote in
> message
> >
>
news:20040920221627.4201.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxx
> > 
> > 
> > > I'm restarting this post.  I thought I was out
> of the
> > > woods, but not.
> > > Here situation, in most of my update forms which
> > > involve 1 record, passing a session variable ,
> usually
> > > the users ID is enough. No URL param passing.
> > >
> > > Not so in two update forms I have where there
> are
> > > multiple records for each user.  If I pass a
> session
> > > variable it only brings up the first record.  So
> > > unless I am missing something, I must pass the
> record
> > > ID via a URL parameter.  That works just great,
> but
> > > the problems lies in the fact, that all anyone
> would
> > > need to do is change recordID=1 to recordID=2
> and they
> > > can see someone elses record, which is supposed
> to
> > > confidential.
> > >
> > > Now I've looked at sights like Monster, Amazon,
> Ebay,
> > > and tried changing the recordID in the URL area,
> but
> > > it either ignores my change or kicked back an
> invalid
> > > ID.
> > > This is even if I remove the other ID's from the
> line.
> > >
> > >
> > > So, I'm sure this has been dealt with more, I
> don't
> > > have the foggiest clue yet though how I can
> implement
> > > something that either hides, or prevents a user
> from
> > > going through records in the database by
> changing the
> > > id number.
> > >
> > > Appreciate any suggestions or ideas.
> > >
> > > Thank you,
> > > Stuart
> > >
> > >
> > >
> > >
> > >
> > > --- Stuart Felenstein <stuart4m@xxxxxxxxx>
> wrote:
> > >
> > > > Turned out "hiding" the id wasn't necessary as
> the
> > > > awaiting update page can grab the session ID.
> > > > I wasn't thinking. Sorry
> > > > Stuart
> > > > --- John Holmes <holmes072000@xxxxxxxxxxx>
> wrote:
> > > >
> > > > > Stuart Felenstein wrote:
> > > > > > I'm still confused over one aspect of URL
> > > > > parameters.
> > > > > > As far as a form passing data back to the
> > > > server,
> > > > > I
> > > > > > understand about get, post and replace.
> > > > > >
> > > > > > Here is my problem.
> > > > > > I have an update form.  User is logged in
> to the
> > > > > > system and needs to update whatever
> information.
> > > > > > Right now I'm including in the link the
> user's
> > > > ID,
> > > > > so
> > > > > > when they arrive at the update page, their
> > > > record
> > > > > will
> > > > > > be displayed.
> > > > > > The problem is all one has to do is change
> the
> > > > ID
> > > > > > number in the URL parameter in the update
> page
> > > > and
> > > > > you
> > > > > > can go to someone else's record.
> > > > > >
> > > > > > How do programmers generally get around
> this ? I
> > > > > must
> > > > > > be missing something.
> > > > >
> > > > > How do you identify the user once they are
> logged
> > > > > in? There should be
> > > > > some way to relate the logged in user to
> valid
> > > > > records they can see.
> > > > > Then, if they request an invalid record, you
> can
> > > > > show them an error
> > > > > page. Hiding the ID isn't going to fix
> anything.
> > > > >
> > > > > --
> > > > >
> > > > > ---John Holmes...
> > > > >
> > > > > Amazon Wishlist:
> > > > > www.amazon.com/o/registry/3BEXC84AB3A5E/
> > > > >
> > > > > php|architect: The Magazine for PHP
> Professionals
> > > > -
> > > > > www.phparch.com
> 
=== message truncated ===

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux