Michael Gale wrote:

Now at the moment on
each page is a hidden variable containing a db primary key for which the
data is getting updated.

I know that hidden values are not a good idea since the user can change
them ... so I was going to store the hidden value in a "$_SESSION"
variable but then the problem is ... what happens when the user has two
- three windows open and they are updating two - three different items.
Each having its own db key ?

What's the impact if the variable is changed? There should still be some validation of the value on the server side, so changing it should be detected. If it's changed to another valid ID that the user has access to, then who cares if they change it? If they change it to an invalid value, your validation will catch it and spit out an error. If they try to change it to an ID that they do not have access to, your validation should catch and log that, also.


The security problem isn't in the "hidden" form elements, it's in how you're validating them.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
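The server-side check described in the reply above, as an added example that is not part of the original thread: the hidden field carries the record id (so each open window can edit a different row), the session carries only who the user is, and the server validates the id's format, existence and ownership before any update. It uses an in-memory SQLite database with constructed rows; the schema, function name and column names are assumptions.

```php
<?php
// Added example, not from the thread. Validates a hidden form id the way
// John Holmes describes: format, existence, then ownership, with logging.
// Assumed schema: items(id, owner_id, title). Assumed function name.

function authorizeItemId(PDO $db, $rawId, int $currentUserId): array {
    // 1. Reject anything that is not a plain positive integer.
    if (!is_string($rawId) && !is_int($rawId)) {
        return ['ok' => false, 'error' => 'missing id'];
    }
    if (!preg_match('/^[1-9][0-9]*$/', (string)$rawId)) {
        return ['ok' => false, 'error' => 'malformed id'];
    }
    $id = (int)$rawId;

    // 2. Look the row up with a prepared statement; the user-supplied
    //    value is bound as a parameter and never enters the SQL text.
    $stmt = $db->prepare('SELECT owner_id FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['ok' => false, 'error' => 'no such item'];
    }

    // 3. Enforce ownership and log any attempt to reach someone else's row.
    if ((int)$row['owner_id'] !== $currentUserId) {
        error_log(sprintf('user %d tried to access item %d owned by %d',
            $currentUserId, $id, (int)$row['owner_id']));
        return ['ok' => false, 'error' => 'not your item'];
    }
    return ['ok' => true, 'id' => $id];
}

// Constructed sample data so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO items VALUES (1, 10, 'mine'), (2, 20, 'someone else')");

// Each open window posts its own hidden id; only the user id lives in the session.
$currentUserId = 10; // stands in for $_SESSION['user_id']
foreach (['1', '2', '999', '1 OR 1=1', ''] as $posted) {
    $r = authorizeItemId($db, $posted, $currentUserId);
    printf("%-12s => %s\n", var_export($posted, true),
        $r['ok'] ? 'update item ' . $r['id'] : $r['error']);
}
```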