No, No, NO!

The user id should not be in the hidden elements in the form.

You need to store that in a session variable for the duration of that user's session. Otherwise they can try to hack by changing the combination until they hit another valid record.

Bastien
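To illustrate Bastien's point, here is an added example (not code from the thread): the request-driven lookup Stuart describes beside a version that takes the user id from the server-side session. It assumes PHP 7.1+, a PDO connection in `$pdo`, a table named `records` with columns `RecordID` and `UserID`, and a login step that already set `$_SESSION['user_id']`; those names are assumptions, not from the thread.

```php
<?php
// Added example (not from the thread): the pattern Bastien describes, with the
// user id taken from the server-side session instead of a hidden field or URL.
// Assumes PHP 7.1+, a PDO connection in $pdo, a table named records with
// columns RecordID and UserID, and a login step that set $_SESSION['user_id'].

session_start();

// Insecure pattern the thread warns against: both ids come from the request
// (URL or hidden field), so a user can resubmit another UserID/RecordID pair.
function fetchRecordInsecure(PDO $pdo): ?array
{
    $recordId = $_POST['recordid'] ?? '';
    $userId   = $_POST['userid'] ?? '';   // hidden field: client-controlled
    $sql = "SELECT * FROM records WHERE RecordID = $recordId AND UserID = $userId";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);  // also SQL-injectable
    return $row ?: null;
}

// Hardened pattern: the user id never leaves the server. It is read from the
// session populated at login; only the record id is taken from the request,
// validated, and bound as a parameter instead of being interpolated into SQL.
function fetchRecordForCurrentUser(PDO $pdo, $requestedRecordId): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;   // not logged in
    }
    if (filter_var($requestedRecordId, FILTER_VALIDATE_INT) === false) {
        return null;   // reject anything that is not an integer id
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM records WHERE RecordID = :rid AND UserID = :uid'
    );
    $stmt->execute([
        ':rid' => (int) $requestedRecordId,
        ':uid' => (int) $_SESSION['user_id'],
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // No row means the record does not exist or belongs to another user; the
    // caller cannot tell which, so tampering with the form reveals nothing.
    return $row ?: null;
}

// Usage: the record id may come from the form or URL; the user id must not.
// $record = fetchRecordForCurrentUser($pdo, $_GET['recordid'] ?? '');
```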

From: Stuart Felenstein <[EMAIL PROTECTED]>
To: John Holmes <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT)

Nope, can't get to any other record.  One would have
to match both userid and recordID to get a hit.
Perhaps now I should put this into a form and send it
via hidden fields, for another layer of protection.

Stuart


--- John Holmes <[EMAIL PROTECTED]> wrote:

> From: "Stuart Felenstein" <[EMAIL PROTECTED]>
>
> > So what I did was this statement: SELECT * FROM
> Table
> > WHERE RecordID = blue and UserID = red
> > blue is the variable for the recordID
> > red is the variable for the userID
> >
> > So now when I change either of those variables in
> URL
> > no record is returned.
> >
> > Did I finally get this right ?
>
> You tell us; can you get to any other record? Sounds
> like you're heading in
> the right direction, though...
>
> ---John Holmes...
>
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php






