> abc.com?client_no=5
> 
> Now even if that person emails you that url, you won't gain
> access to it because of authentication that is needed, what can happen
> is an authorized user could change the 5 in the url to 8, and then see
> the information that is there which belongs to client 8.
> 
> Because of this I am thinking in this case I should be using the post
> method instead of the get method.

Even then a user could save the source code of your form, alter the POST
information, and send it back with the same effect.

You should probably look at having some kind of individualised 
authentication scheme rather than a blanket one, using sessions/cookies
perhaps.
POST alone is not the solution.

Mick


-- 
PHP General Mailing List (http://www.php.net/)
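The per-user check suggested in the reply above, as an added example that is not part of the original thread: the server compares the requested client_no with what the logged-in session is allowed to see, so editing the number in a GET URL or in a POST body gives the same refusal. The CLIENT_ACCESS table, the user_id session key and the function name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a database table:
// which logged-in user may view which client numbers.
const CLIENT_ACCESS = [
    'alice' => [5],
    'bob'   => [8, 9],
];

/**
 * Decide whether the logged-in user may view the requested client record.
 * $session is the server-side session array ($_SESSION on a real page).
 * $params is the request input ($_GET or $_POST, the check is identical).
 * Returns an HTTP status: 200 allow, 400 bad input, 401 not logged in, 403 forbidden.
 */
function authorizeClientRequest(array $session, array $params): int
{
    // Identity comes from the server-side session, never from the request.
    if (empty($session['user_id'])) {
        return 401;
    }
    // The client number is attacker-controlled input: validate it as an integer.
    $clientNo = filter_var($params['client_no'] ?? null, FILTER_VALIDATE_INT);
    if ($clientNo === false) {
        return 400;
    }
    // Authorization: is this record one the session's user is allowed to see?
    $allowed = CLIENT_ACCESS[$session['user_id']] ?? [];
    return in_array($clientNo, $allowed, true) ? 200 : 403;
}

// Constructed requests: the same check runs whether the value arrived by GET or POST.
$cases = [
    ['alice requests her own client 5', ['user_id' => 'alice'], ['client_no' => '5']],
    ['alice changes the 5 to 8',        ['user_id' => 'alice'], ['client_no' => '8']],
    ['bob requests client 8',           ['user_id' => 'bob'],   ['client_no' => '8']],
    ['no session, emailed URL',         [],                     ['client_no' => '5']],
    ['non-numeric client_no',           ['user_id' => 'bob'],   ['client_no' => '8 OR 1=1']],
];
foreach ($cases as [$label, $session, $params]) {
    printf("%-34s => HTTP %d\n", $label, authorizeClientRequest($session, $params));
}
```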