No, No, NO!
The user id should not be in the hidden elements in the form.
You need to store that in a session variable for the duration of that user's session. Otherwise they can try to hack by changing the combination until they hit another valid record.
Bastien
From: Stuart Felenstein <stuart4m@xxxxxxxxx>
To: John Holmes <holmes072000@xxxxxxxxxxx>
CC: php-db@xxxxxxxxxxxxx
Subject: Re: Passing URL parameters, how to hide
Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT)
Nope, can't get to any other record. One would have to match both userid and recordID to get a hit. Perhaps now I should put this into a form and send it via hidden fields, for another layer of protection.
Stuart
--- John Holmes <holmes072000@xxxxxxxxxxx> wrote:
> From: "Stuart Felenstein" <stuart4m@xxxxxxxxx>
>
> > So what I did was this statement: SELECT * FROM Table
> > WHERE RecordID = blue and UserID = red
> > blue is the variable for the recordID
> > red is the variable for the userID
> >
> > So now when I change either of those variables in URL
> > no record is returned.
> >
> > Did I finally get this right ?
>
> You tell us; can you get to any other record? Sounds like you're heading in
> the right direction, though...
>
> ---John Holmes...
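The point Bastien makes at the top of the thread, shown as an added example that is not code from any poster: the weak variant takes the user id from a client-supplied hidden field or URL parameter, the hardened variant takes it only from the server-side session. It assumes a PDO connection `$pdo`, a table `records` with columns `record_id` and `user_id`, and login code that has already stored the authenticated user's id in `$_SESSION['user_id']`.

```php
<?php
// Added example, not from the thread. Assumes: a PDO connection $pdo, a table
// "records" (record_id, user_id), and that the login handler already did
// session_regenerate_id(true) and set $_SESSION['user_id'].

session_start();

// --- Weak: trusts a user id the client sent (hidden field or query string). ---
// The client can edit the hidden input or the URL and iterate both values until
// the pair (recordID, userID) matches a row belonging to someone else.
function fetchRecordWeak(PDO $pdo): ?array
{
    $recordId = (int) ($_REQUEST['recordID'] ?? 0);
    $userId   = (int) ($_REQUEST['userID'] ?? 0);   // client-controlled: the defect
    $stmt = $pdo->prepare('SELECT * FROM records WHERE record_id = ? AND user_id = ?');
    $stmt->execute([$recordId, $userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Hardened: the owner id comes only from the session, never from the request. ---
// The client may still supply any recordID, but every query is scoped to the
// logged-in user, so guessing ids can only ever return that user's own rows.
function fetchRecordOwned(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);           // not logged in
        return null;
    }
    $userId   = (int) $_SESSION['user_id'];
    $recordId = (int) ($_GET['recordID'] ?? 0);

    $stmt = $pdo->prepare('SELECT * FROM records WHERE record_id = ? AND user_id = ?');
    $stmt->execute([$recordId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);           // same answer whether the row is missing or not theirs
        return null;
    }
    return $row;
}
```

Both variants use prepared statements, so the only difference under discussion is where the user id comes from; a hidden form field gives no more protection than a URL parameter, because both are edited just as easily.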
-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php