No, No, NO!

The user id should not be in the hidden elements in the form.

You need to store that in a session variable for the duration of that user's session. Otherwise they can try to hack by changing the combination until they hit another valid record.


From: Stuart Felenstein <[EMAIL PROTECTED]>
To: John Holmes <[EMAIL PROTECTED]>
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT)

Nope, can't get to any other record.  One would have
to match both userid and recordID to get a hit.
Perhaps now I should put this into a form and send it
via hidden fields, for another layer of protection.


--- John Holmes <[EMAIL PROTECTED]> wrote:

> From: "Stuart Felenstein" <[EMAIL PROTECTED]>
> > So what I did was this statement: SELECT * FROM Table
> > WHERE RecordID = blue and UserID = red
> > blue is the variable for the recordID
> > red is the variable for the userID
> >
> > So now when I change either of those variables in
> > no record is returned.
> >
> > Did I finally get this right ?
> You tell us; can you get to any other record? Sounds
> like you're heading in the right direction, though...
> ---John Holmes...

PHP Database Mailing List (
To unsubscribe, visit:
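The two approaches discussed in the thread, side by side, as an added example that is not code posted by anyone in it. It assumes a table Records(RecordID, UserID, Body) standing in for the thread's "Table", with "blue" as the record id and "red" as the user id exactly as the thread defines them, and uses PDO with an in-memory SQLite database so it runs offline with nothing but a stock PHP build.

```php
<?php
// Added example for this thread, not code posted by any participant.
// Assumptions: table Records(RecordID, UserID, Body) stands in for the
// thread's "Table"; "blue" is the record id and "red" the user id.
// PDO + in-memory SQLite so the whole thing runs offline.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Records (RecordID INTEGER, UserID INTEGER, Body TEXT)');
    $ins = $db->prepare('INSERT INTO Records VALUES (?, ?, ?)');
    // Constructed sample rows: user 7 owns record 1, user 9 owns record 2.
    $ins->execute([1, 7, 'record 1, belongs to user 7']);
    $ins->execute([2, 9, 'record 2, belongs to user 9']);
    return $db;
}

// INSECURE: both ids come from the request. A hidden form field is still
// client-controlled, so the caller simply edits UserID until it matches
// someone else's row. (The string interpolation is also SQL-injectable.)
function fetchRecordInsecure(PDO $db, array $request): ?array
{
    $blue = $request['RecordID'];   // visible form field
    $red  = $request['UserID'];     // hidden form field, attacker-editable
    $sql  = "SELECT * FROM Records WHERE RecordID = $blue AND UserID = $red";
    $row  = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the user id is read from the server-side session that was set
// at login and never from the request; only the record id comes from the
// form, and it is validated and bound as a parameter.
function fetchRecordSecure(PDO $db, array $request, array $session): ?array
{
    if (!isset($session['UserID'])) {
        return null;                 // not logged in: nothing to look up
    }
    $blue = filter_var($request['RecordID'] ?? null, FILTER_VALIDATE_INT);
    if ($blue === false) {
        return null;                 // reject non-integer record ids outright
    }
    $stmt = $db->prepare(
        'SELECT * FROM Records WHERE RecordID = :rid AND UserID = :uid'
    );
    $stmt->execute([':rid' => $blue, ':uid' => $session['UserID']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();

// User 7 is logged in (session) but tampers with the hidden UserID field,
// submitting record 2 with user 9's id.
$tampered = ['RecordID' => '2', 'UserID' => '9'];
$session  = ['UserID' => 7];

var_dump(fetchRecordInsecure($db, $tampered) !== null);   // true: record 2 leaked
var_dump(fetchRecordSecure($db, $tampered, $session));    // NULL: UserID taken from session
var_dump(fetchRecordSecure($db, ['RecordID' => '1'], $session)['Body']); // user 7's own row
```

In a real application `$session` is `$_SESSION`, populated once at login after the password check and never from form input, and `$request` is `$_POST` or `$_GET`; the point of the thread is that the second argument to the ownership check must come from the former, not the latter. Binding the ids as parameters is a separate fix the thread does not raise, but the interpolated query in the first function would be injectable no matter where its values came from, so the hardened version addresses both.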
