Okay, I can make that change.

Stuart

--- Bastien Koert <bastien_k@xxxxxxxxxxx> wrote:

> No, No, NO!
>
> The user id should not be in the hidden elements in the form.
>
> You need to store that in a session variable for the duration of that user's
> session. Otherwise they can try to hack by changing the combination until
> they hit another valid record.
>
> Bastien
>
> >From: Stuart Felenstein <stuart4m@xxxxxxxxx>
> >To: John Holmes <holmes072000@xxxxxxxxxxx>
> >CC: php-db@xxxxxxxxxxxxx
> >Subject: Re: Passing URL parameters, how to hide
> >Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT)
> >
> >Nope, can't get to any other record. One would have to match both userid
> >and recordID to get a hit. Perhaps now I should put this into a form and
> >send it via hidden fields, for another layer of protection.
> >
> >Stuart
> >
> >--- John Holmes <holmes072000@xxxxxxxxxxx> wrote:
> >
> > > From: "Stuart Felenstein" <stuart4m@xxxxxxxxx>
> > >
> > > > So what I did was this statement: SELECT * FROM Table
> > > > WHERE RecordID = blue and UserID = red
> > > > blue is the variable for the recordID
> > > > red is the variable for the userID
> > > >
> > > > So now when I change either of those variables in URL
> > > > no record is returned.
> > > >
> > > > Did I finally get this right?
> > >
> > > You tell us; can you get to any other record? Sounds like you're heading in
> > > the right direction, though...
> > >
> > > ---John Holmes...
> >
> >--
> >PHP Database Mailing List (http://www.php.net/)
> >To unsubscribe, visit: http://www.php.net/unsub.php
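The pattern Bastien describes, written out as an added PHP example that is not part of the thread: the user id lives only in the server-side session, the record id is the only value taken from the request, and both are matched in one parameterised query so a guessed record id belonging to another user returns no row. The table name `Records`, the `record_id` request parameter, the `$_SESSION['user_id']` key and the connection details are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes the login code has
// already stored the authenticated user's id in $_SESSION['user_id'].
session_start();

function fetchOwnedRecord(PDO $db, int $recordId): ?array
{
    // No session user: nothing may be fetched at all.
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];

    // Both conditions are bound parameters: the record id cannot alter the
    // query text, and the UserID condition is never exposed to the client,
    // so there is no hidden field or URL value to tamper with.
    $stmt = $db->prepare(
        'SELECT * FROM Records WHERE RecordID = :rid AND UserID = :uid'
    );
    $stmt->execute([':rid' => $recordId, ':uid' => $userId]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Only the record id travels in the request (assumed parameter name).
$recordId = filter_input(INPUT_GET, 'record_id', FILTER_VALIDATE_INT);
if ($recordId === false || $recordId === null) {
    http_response_code(400);
    exit('missing or invalid record id');
}

// Placeholder connection details.
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$record = fetchOwnedRecord($db, $recordId);
if ($record === null) {
    // Same response whether the record does not exist or belongs to another
    // user, so the response does not reveal which ids are valid.
    http_response_code(404);
    exit('not found');
}
header('Content-Type: text/plain');
print_r($record);
```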