Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
Up front it sounds like a good option. However, my first thought is, entering another encrypted id just puts me back to the same problem. How easy would it be for someone to break the encryption algorithm ? My guess is that it would be easy. Stuart --- Jasper Howard [EMAIL PROTECTED] wrote:

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
See my response interspersed:

--- M Saleh EG [EMAIL PROTECTED] wrote:
> You should always avoid passing Record IDs through URL parameters. Use form Hidden fields instead!

I agree. Even as someone with limited experience. That is why I'm trying to figure out the right way to do it. The

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
] Reply-To: M Saleh EG [EMAIL PROTECTED] To: Stuart Felenstein [EMAIL PROTECTED] CC: Jasper Howard [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 15:19:32 +0400 1-So I'm going to ask, how does PHP stop a URL from being changed

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 15:19:32 +0400 1-So I'm going to ask, how does PHP stop a URL from being changed? Are there specific functions that block that type of activity? I said: I personally don't recommend using url parameters

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread M Saleh EG
PROTECTED] To: Stuart Felenstein [EMAIL PROTECTED] CC: Jasper Howard [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 15:19:32 +0400 1-So I'm going to ask, how does PHP stop a URL from being changed ? Are there specific

RE: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Hutchins, Richard
; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide See response interspersed: --- Bastien Koert [EMAIL PROTECTED] wrote: To be entirely honest, there is no real reason not to use the url to pass data, IF the data

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
[EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 15:19:32 +0400 1-So I'm going to ask, how does PHP stop a URL from being changed ? Are there specific functions that block that type of activity ? I said : I

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: Stuart Felenstein [EMAIL PROTECTED] For whatever reason I can not use session only here. It does not return the correct record from the table. Don't say that you cannot use sessions, just say that you haven't figured out how to correctly use them, yet. Maybe that doesn't make any sense. In

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
if its well designed, Bastien From: Stuart Felenstein [EMAIL PROTECTED] To: Bastien Koert [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 06:45:48 -0700 (PDT) See response interspersed

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: Bastien Koert [EMAIL PROTECTED] You can also validate the IP of the user for the session. Since many people are still on dialup, they do not have a static IP and therefore it's of little value to store...but it should remain the same for the session. IP addresses are pretty much worthless

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
--- John Holmes [EMAIL PROTECTED] wrote: From: Stuart Felenstein [EMAIL PROTECTED] For whatever reason I can not use session only here. It does not return the correct record from the table. Don't say that you cannot use sessions, just say that you haven't figured out how to

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
When I request update.php?recordID=2, you should be doing something like SELECT * FROM Record_Table WHERE recordID = 2 AND userID = 3, which will not return any rows. Okay that makes sense I will try that. Though I'd imagine the SQL will need to be different since I could be dealing with

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
That's why I said CAN, since it is unreliable Bastien From: John Holmes [EMAIL PROTECTED] To: Bastien Koert [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED] CC: [EMAIL PROTECTED],[EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 10:22:32 -0400

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: Bastien Koert [EMAIL PROTECTED] You can also validate the IP of the user for the session. Since many people are still on dialup, they do not have a static IP and therefore it's of little value to store...but it should remain the same for the session. IP addresses are pretty much worthless

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
So what I did was this statement: SELECT * FROM Table WHERE RecordID = blue and UserID = red blue is the variable for the recordID red is the variable for the userID So now when I change either of those variables in URL no record is returned. Did I finally get this right ? Stuart ---

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: Stuart Felenstein [EMAIL PROTECTED] So what I did was this statement: SELECT * FROM Table WHERE RecordID = blue and UserID = red blue is the variable for the recordID red is the variable for the userID So now when I change either of those variables in URL no record is returned. Did I

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
], [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 08:17:43 -0700 (PDT) So what I did was this statement: SELECT * FROM Table WHERE RecordID = blue and UserID = red blue is the variable for the recordID red is the variable for the userID So now when I

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
Nope, can't get to any other record. One would have to match both userid and recordID to get a hit. Perhaps now I should put this into a form and send it via hidden fields , for another layer of protection. Stuart --- John Holmes [EMAIL PROTECTED] wrote: From: Stuart Felenstein [EMAIL

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Bastien Koert
PROTECTED] To: John Holmes [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT) Nope, can't get to any other record. One would have to match both userid and recordID to get a hit. Perhaps now I should put

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread jasper
PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, September 21, 2004 1:03 AM Subject: Re: [PHP-DB] Passing URL parameters, how to hide Up front it sounds like a good option. However, my first thought is, entering another encrypted id just puts me back to the same problem. How easy would

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
--- M Saleh EG [EMAIL PROTECTED] wrote: Ur 2nd question.. Okay .. how would u use the hidden inputs? with hidden inputs.. I mean the form hidden elements (input type=hidden name=id value=recordID /) so instead of having hyperlinks pointing to the form page use a form with submit btns

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
the combination until they hit another valid record. Bastien From: Stuart Felenstein [EMAIL PROTECTED] To: John Holmes [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: [PHP-DB] Passing URL parameters, how to hide Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT) Nope, can't get to any

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Stuart Felenstein
/ -- - Original Message - From: Stuart Felenstein [EMAIL PROTECTED] To: Jasper Howard [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, September 21, 2004 1:03 AM Subject: Re: [PHP-DB] Passing URL parameters, how to hide Up front it sounds like a good option. However, my

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: [EMAIL PROTECTED] the encryption is random, there is no algorithm to break it, I'm not going to argue against any of the other problems with this system, but no one is going to be able to break this algorithm, it's 14 characters of lowercase and uppercase letters and numbers, in random

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread John Holmes
From: Stuart Felenstein [EMAIL PROTECTED] I still want to pass the id's through hidden. So the html in the first form looks like this: input name=hiddenField type=hidden value=recordID input name=hiddenField type=hidden value=user id/td Form is set to post. Why would you pass UserID in the form

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-21 Thread Jasper Howard
Ok guys, I think you're beating a dead horse, the idea is understood, and there are quite a few ways to do what is needed, there have been like 30 posts on this... On Tue, 21 Sep 2004 14:12:43 -0400, John Holmes [EMAIL PROTECTED] wrote: From: Stuart Felenstein [EMAIL PROTECTED] I still want

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-20 Thread Stuart Felenstein
I'm restarting this post. I thought I was out of the woods, but not. Here's the situation: in most of my update forms which involve 1 record, passing a session variable, usually the user's ID, is enough. No URL param passing. Not so in two update forms I have where there are multiple records for each

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-20 Thread Jasper Howard
When I created a business management script for the business I work for, it was important that ids in url's were encrypted. What I did was create a code for each item that needed one. My encryption table fields looked something like: enc_id, encryption, table, id where enc_id was the unique

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-20 Thread M Saleh EG
You should always avoid passing Record IDs through URL parameters. Use form Hidden fields instead! In your case, when ur selecting the users form data from the record check if it's the same user if not then if he tries to change the ID from the URI Parameter just block it. Or u better MD5 every

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-20 Thread M Saleh EG
BTW u might expose n get ur database hacked if u dont do some sort of validation while using the ID from the URI parameter example: http://domain/?show=recordsid=4 if someone changes id to 4;use mysql; update user set password=md5(hello) where user='root'; imagine wat would happen??? ur

Re: [PHP-DB] Passing URL parameters, how to hide-Nevermind

2004-09-19 Thread Stuart Felenstein
Ugh, I should rest on the weekends :) --- Stuart Felenstein [EMAIL PROTECTED] wrote:

Re: [PHP-DB] Passing URL parameters, how to hide

2004-09-19 Thread Stuart Felenstein
Turned out hiding the id wasn't necessary as the awaiting update page can grab the session ID. I wasn't thinking. Sorry Stuart --- John Holmes [EMAIL PROTECTED] wrote: Stuart Felenstein wrote: I'm still confused over one aspect of URL parameters. As far as a form passing data back to the