instead of doing .../show_user.php?userid=12345

do the following:

.../show_user.php?userid=12345&ckc=ff4356fd

the "ckc" parameter is the SHA1 hex hash of the userid, concatenated to a secret key. this way, changing the userid will require recalculating the ckc. since your average end user doesn't know what SHA1 is, much less what the secret key is, their attempt will fail.


On 4/17/06, jan gestre <[EMAIL PROTECTED]> wrote:


On 4/17/06, Paolo Alexis Falcone <[EMAIL PROTECTED]> wrote:
On Monday 17 April 2006 12:21, jan gestre wrote:
> our website, it is actually a jobsite running LAMP on redhat enterprise
> edition currently has some issues, applicants who are currently logged in can
> browse and go to other applicants page by just changing any digit on the
> url. how can i correct these serious issues? by directly editing the php
> codes? enabling mod_rewrite? if by enabling mod_rewrite, how will i enable
> the module without recompiling apache on our redhat box?
> your inputs will be greatly appreciated.

Instead of using HTTP GET, try using the HTTP POST method in your PHP code
when you do form submissions.

--
tried these but with the same result, the login code and other functions are all in one page... when a user logs in, the page calls itself, displaying the user_id of the user in the url. as i have said earlier, when a user changes the id on the url, he is able to change the profile of another user. a friend told me to use SESSION or COOKIES, but when i tried putting in code for the session, applicant users are still able to log in, but with no information displayed. any solutions for these?


TIA



_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
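A worked version of both suggestions in this thread, written as an added example rather than code from any of the posters: the ckc parameter is generated and checked with PHP's hash_hmac() (the keyed-hash construction, used here in place of sha1() over a raw concatenation of userid and secret) and compared with hash_equals(), and the "who may edit" decision comes from $_SESSION instead of the URL, which is the session approach mentioned in the original question. It assumes PHP 7.1 or later, a secret key stored at the placeholder path /etc/jobsite/ckc_secret, and a login step that has already put the applicant's id in $_SESSION['user_id']; the function names and the commented save_profile() call are this example's own.

```php
<?php
declare(strict_types=1);
// Added example for the thread above; not code from any of the posters.
// Assumes PHP 7.1+, and that the login code already did:
//   session_start(); $_SESSION['user_id'] = <id of the applicant who logged in>;

// Placeholder path for the secret key (an assumption): keep it outside the web
// root and out of show_user.php itself. Generate it once, e.g. 32 random bytes,
// hex-encoded, and make it readable only by the web server user.
const CKC_SECRET_FILE = '/etc/jobsite/ckc_secret';

function ckc_secret(): string {
    $secret = @file_get_contents(CKC_SECRET_FILE);
    if ($secret === false || strlen(trim($secret)) < 32) {
        throw new RuntimeException('ckc secret missing or too short');
    }
    return trim($secret);
}

// ckc for a user id: HMAC-SHA1 of the decimal id under the secret key.
function ckc_for(int $userid, string $secret): string {
    return hash_hmac('sha1', (string) $userid, $secret);
}

// Build a profile link that carries its ckc, for use wherever the site
// emits links to show_user.php.
function profile_link(int $userid, string $secret): string {
    return 'show_user.php?' . http_build_query([
        'userid' => $userid,
        'ckc'    => ckc_for($userid, $secret),
    ]);
}

// Check the two GET parameters. Returns the userid only if it is a plain
// decimal number and the ckc matches; otherwise null.
function verified_userid(array $get, string $secret): ?int {
    if (!isset($get['userid'], $get['ckc'])
        || !is_string($get['userid']) || !is_string($get['ckc'])) {
        return null;                       // missing, or userid[]=... style input
    }
    if (!preg_match('/^[0-9]{1,9}$/', $get['userid'])) {
        return null;                       // reject "12345abc", "-1", ""
    }
    $userid = (int) $get['userid'];
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed ckc were right.
    if (!hash_equals(ckc_for($userid, $secret), $get['ckc'])) {
        return null;
    }
    return $userid;
}

// Authorization for edits is decided by the session, never by the URL: the
// only profile an applicant may change is the one whose id was stored at login.
function own_userid(array $session): ?int {
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

// --- show_user.php would then read roughly like this ---
session_start();
$secret = ckc_secret();

$viewId = verified_userid($_GET, $secret);
if ($viewId === null) {
    http_response_code(403);
    exit('Bad or missing ckc');
}

$editId = own_userid($_SESSION);
if ($editId === null) {
    http_response_code(401);
    exit('Please log in');
}

// Display profile $viewId; accept profile changes only for $editId, e.g.
// (save_profile() is a hypothetical name for the site's own update routine):
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { save_profile($editId, $_POST); }
```

The ckc only proves that the site itself generated the link, not who is allowed to act on it, which is why the edit path ignores the userid from the URL entirely and uses the session value. Switching the form from GET to POST on its own does not change this either: the id is still client-supplied data, and the server must check it against the session in the same way.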


