Re: Passing URL parameters, how to hide

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Okay, I can make that change.

Stuart
--- Bastien Koert <bastien_k@xxxxxxxxxxx> wrote:

> 
> No, No, NO!
> 
> The user id should not be in the hidden elements in
> the form.
> 
> You need to store that in a session variable for the
> duration of that user's 
> session. Otherwise they can try to hack by changing
> the combination until 
> they hit another valid record.
> 
> Bastien
> 
> >From: Stuart Felenstein <stuart4m@xxxxxxxxx>
> >To: John Holmes <holmes072000@xxxxxxxxxxx>
> >CC: php-db@xxxxxxxxxxxxx
> >Subject: Re:  Passing URL parameters, how
> to hide
> >Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT)
> >
> >Nope, can't get to any other record.  One would
> have
> >to match both userid and recordID to get a hit.
> >Perhaps now I should put this into a form and send
> it
> >via hidden fields , for another layer of
> protection.
> >
> >Stuart
> >
> >
> >--- John Holmes <holmes072000@xxxxxxxxxxx> wrote:
> >
> > > From: "Stuart Felenstein" <stuart4m@xxxxxxxxx>
> > >
> > > > So what I did was this statement: SELECT *
> FROM
> > > Table
> > > > WHERE RecordID = blue and UserID = red
> > > > blue is the variable for the recordID
> > > > red is the variable for the userID
> > > >
> > > > So now when I change either of those variables
> in
> > > URL
> > > > no record is returned.
> > > >
> > > > Did I finally get this right ?
> > >
> > > You tell us; can you get to any other record?
> Sounds
> > > like you're heading in
> > > the right direction, though...
> > >
> > > ---John Holmes...
> > >
> > >
> >
> >--
> >PHP Database Mailing List (http://www.php.net/)
> >To unsubscribe, visit: http://www.php.net/unsub.php
> >
> 
>
_________________________________________________________________
> Powerful Parental Controls Let your child discover
> the best the Internet has 
> to offer. 
>
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
> 
>   Start enjoying all the benefits of MSN® Premium
> right now and get the 
> first two months FREE*.
> 
> 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux