From: "Stuart Felenstein" <[EMAIL PROTECTED]>
--- M Saleh EG <[EMAIL PROTECTED]> wrote:
You should always avoid passing Record IDs through
URL parameters.
Use form Hidden fields instead!

Hidden form fields are still passed in the URL unless you're using a POST method for your form. It doesn't matter if the ID is passed in the URL or hidden in POST data, though, the users can still change it. Hiding data in POST offers no more security than passing it in the URL, it just slows dedicated people down for a few seconds, if that.

So I'm going to ask, how does PHP stop a URL from
being changed ?  Are there specific functions that
block that type of activity ?

No, there are not. No web based app can stop the URL from being changed. The best way to handle this is to set up a permissions table that says "User 1234" has permission to view/edit/delete ID numbers 10, 20 and 30. If that user requests any other ID number, then show a failure. If that user tries to send data to update any other ID, then show a failure. If a user only has (and only ever will have) access to their own record, then it's even easier to store their ID in the $_SESSION and send a failure if there's a request or update for any other ID number.

"encrypting" the ID (notice the quotes), hiding it in POST, etc are mostly "security through obscurity", meaning they just slow people down a little but usually offer no additional security. If implemented correctly, they may not be a bad idea, but they should only be used in addition to an actual security setup like I described above.

There may still be issues with your login code, how you're remembering who users are, etc... but that's another email. :)

---John Holmes...

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to