See response interspersed: --- Bastien Koert <bastien_k@xxxxxxxxxxx> wrote: > To be entirely honest, there is no real reason not > to use the url to pass data, IF the data is not > sensitive. For sensitive data, sessions are the > best thing to use. HIdden fields are good only to > keep the users from accidently changing the id to > something. For whatever reason I can not use session only here. It does not return the correct record from the table. Maybe that doesn't make anysense. In the listing of recods where the user would click to go update, there is a repeat region SQL statement that shows all records from table under session ID. e.g. Record_Table recordID userID info1name info1details 1 3 somename sos 2 4 somename sos 3 3 somename sos 4 4 somename sos 5 3 somename sos 6 5 somename sos > This doesn't negate the need to validate the > incoming data, ALL incoming data needs to be > validated and exceptions need to be > handled. So if the user changes the id number to > something else, then a message should appear saying > 'no record found' This sounds fine and from what I've seen the common method. So what form of validation does one use to do this ? > A better approach to securing sensitive data is to > use the database and to develop a system whereby > usiers can only access their own limited data. > There is a little more data involved here (like > storing a user_id with the row) See above, user_id is stored in row > This user_id can then be associated with users record > (profile) and that profile could be used to determine > whether the user can view/edit/access the particular > record. The user's profile is stored in a > session (or it could be validated every time there > is db interaction) and those values determine exactly > which records the user can do anything with. > You can build profiles that could llimit the access > to data belonging to a > particular group of users, a particular region of > the country or to a single > location, depending on the structure of the compnay > and the desired goals of > the system. In my system, users cant' just change data anywhere. The are forms to insert in particular tables, and update forms when the need to change info arises. I am not sure that what you speak about here is practicle or necessary for this application > Stuart > > Bastien Koert > > > > >From: M Saleh EG <m.saleh.eg@xxxxxxxxx> > >Reply-To: M Saleh EG <m.saleh.eg@xxxxxxxxx> > >To: Stuart Felenstein <stuart4m@xxxxxxxxx> > >CC: Jasper Howard <jasper@xxxxxxxxxxxxx>, > php-db@xxxxxxxxxxxxx > >Subject: Re: Passing URL parameters, how > to hide > >Date: Tue, 21 Sep 2004 15:19:32 +0400 > > > >1-So I'm going to ask, how does PHP stop a URL from > >being changed ? Are there specific functions that > >block that type of activity ? > > > >I said :" I personaly dont recommand using url > parameters for > > passing record ids, i'd rather use hidden inputs, > > sessions, or even cookies but never URI > >querystrings for record ids. " > > > >2-Stuart Felenstein askes : "Can you explain a bit > further how an hidden > >input > >might work ?" > > > >I'll answer ur first question here. The addresses > on the browsers are > >in control of the users. you cant control that. > wat's on the client > >side is only controlled by the client which is the > browser. So u cant > >stop changing the address,( the work around is > using a popup that > >wouldnt show the address but still a person with > abit of knowledge > >would figure out openning a new window hisself n > entering the address > >so it aint practical). Instead you can validate the > ID that is comming > >from the URI. How's that? alright, Your check the > ID weather with > >encryption or not if it matches with the ID of the > user logged in show > >the form if not that's it show the error page. > > > >Ur 2nd question.. Okay .. how would u use the > hidden inputs? with > >hidden inputs.. I mean the form hidden elements > (<input type="hidden" > >name="id" value="recordID" />) so instead of having > hyperlinks > >pointing to the form page use a form with submit > btns that post the > >hidden id to the page that shows the user forms. > That is by fetching > >the recordID by post. > > > >Hope it's useful. > > > > > >On Tue, 21 Sep 2004 01:20:42 -0700 (PDT), Stuart > Felenstein > ><stuart4m@xxxxxxxxx> wrote: > > > See my response interspersed: > > > > > > --- M Saleh EG <m.saleh.eg@xxxxxxxxx> wrote: > > > > > > > You should always avoid passing Record IDs > through > > > > URL parameters. > > > > Use form Hidden fields instead! > > > > > > I agree. Even as someone with limited > experience. > > > That is why I'm trying to figure out the right > way to > > > do it. The record ID is hidden in form itself. > > > The way to get to the update form for that > record is > > > via a hyperlink. I'm not sure how to get the > user to > > > the update form without the hyperlink or how to > hide > > > the id part of the url parameter in the link. > > > > > > > In your case, when ur selecting the users form > data > > > > from the record check if it's the same user if > not > > > > then if he tries to change the ID from the URI > > > > Parameter just block it. > > > > > > Yes, I think this is the way to go. And I'm > halfway > > > there, in that , if someone changed the id and > brought > > > up another users record, and they attempted to > make > > > changes the update would fail. > > > > > > So I'm going to ask, how does PHP stop a URL > from > > > being changed ? Are there specific functions > that > > > block that type of activity ? > > > > > > > I personaly dont recommand using url > parameters for > > > > passing record ids, i'd rather use hidden > inputs, > > > > sessions, or even cookies but never URI > > > querystrings > for record ids. > > > > > > Can you explain a bit further how an hidden > input > > > might work ? > > > > > > > Better use of URI querystrings would be for > logic, > > > > section, category, > > > > decision, options rather than important data > such as > > > > ur table primary > > > > keys! > > > > > > Agreed! > > > > > > > > > > > Hope this is useful. > > > > > > Very useful, thank you! > > > > > > Stuart > === message truncated === -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php