Avoid 'GET' method - Page 2


Re: Avoid 'GET' method

Tony Marston contained the following:


What's the worst they could do with the primary key?  

Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Re: Avoid 'GET' method


Submit a request using the primary key of a record which they are not  
authorised to access. This would be a HUGE security flaw.

Tony Marston
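The check Tony Marston is describing, written out as an added example (not code from the thread): the same record lookup with and without an ownership condition. Whether the id arrives via GET, POST or a session token, the receiving script still has to confirm the logged-in user may see that record. The table and column names (`invoice`, `owner_id`), the user and record ids and the in-memory SQLite database are assumptions made up for the illustration.

```php
<?php
// Added example, not from the thread.  Table/column names and the ids are
// assumed; an in-memory SQLite database stands in for the real one so the
// script runs from the CLI.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE invoice (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount REAL)');
$db->exec('INSERT INTO invoice VALUES (46, 1, 10.00), (47, 2, 99.00)');

// Vulnerable: anyone who guesses ?id=47 reads customer 2's invoice.
function fetchInvoiceUnsafe(PDO $db, int $id): ?array
{
    $st = $db->prepare('SELECT id, owner_id, amount FROM invoice WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: the owner id comes from the authenticated session, never from
// the request, and is part of the query, so a foreign id finds nothing.
function fetchInvoice(PDO $db, int $id, int $currentUserId): ?array
{
    $st = $db->prepare('SELECT id, owner_id, amount FROM invoice WHERE id = ? AND owner_id = ?');
    $st->execute([$id, $currentUserId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

$currentUserId = 1;    // would come from $_SESSION after login
$requestedId   = 47;   // attacker-supplied, e.g. (int)$_GET['id']

var_dump(fetchInvoiceUnsafe($db, $requestedId) !== null);           // bool(true):  leak
var_dump(fetchInvoice($db, $requestedId, $currentUserId) !== null); // bool(false): denied
var_dump(fetchInvoice($db, 46, $currentUserId) !== null);           // bool(true):  own record
```

Putting the owner condition in the query rather than checking `owner_id` after the fetch means there is no code path that can forget the check, and it also returns "not found" rather than "forbidden", which avoids confirming that the guessed id exists.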


Re: Avoid 'GET' method


How about setting all those variables in an array:

<?php
session_start();                      // needed before $_SESSION can be used
$theArray = array();
$theArray['item1'] = "item1 value";
$_SESSION['theArray'] = $theArray;

Then in the receiving page:

<?php
session_start();                      // same session, so the array comes back
$theArray = $_SESSION['theArray'];

and then use
$theArray['item1'], etc.

If they weren't set then the value is NULL.

BTW, this works for me.


Re: Avoid 'GET' method

el_roachmeister@yahoo.com wrote:
: Is there a way to make a text link post to a form without passing all
: the parameters in the url? The urls tend to get very long and messy. I
: often wonder if there is a limit to how long they can get?

One possible technique

Use sessions.

Create a session for a user.

When you generate the table with all the links, save the details of each  
link as part of the session, and index the details via an id, and use that  
id in the link instead of the details.

    <a href="mysite.com/myscript.php?the-id=A57">click here</a>


This space not for rent.

Re: Avoid 'GET' method

Following on from Malcolm Dew-Jones's message. . .
And if your record ids are 1,2,3 ... 45,46,47 etc then you need to  
protect that id from being known or accessible or usable from the  
'hidden' information.  [Even if you use large random numbers for record  
IDs this only protects against peeking at another customer's record etc  
(and then not perfectly) and it means that for example  
"?CN=123456789&ACTION=DENY" is an invitation to use the same CN with  
other actions.]

So, one method is to create a record in the session (array) of
parameters and dynamically generated random number.  The link now looks  
like "?LNK=152482763" with 152482763 referencing something in the  
session.  The next time the exact same link is generated (same customer,  
same action say) there will be a completely different random number.

This works for page-to-page links and also URLs embedded into emails.  
(In the latter case store the info in a table. - I have a class that  
encapsulates this nicely with extra functions for things like expiry and  
deleting all options when one is chosen - I suppose I ought to start  
publishing some of my useful classes.)

PETER FOX Not the same since the e-commerce business came to a .
2 Tees Close, Witham, Essex.
Gravity beer in Essex  <http://www.eminent.demon.co.uk>
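The technique described in Malcolm Dew-Jones's post and refined in Peter Fox's (a fresh random token every time a link is generated, expiry, and invalidating the alternatives once one is chosen), as an added example written for this page rather than code from either poster. The function names, the `LNK` parameter, the 600-second lifetime, the group naming and the sample parameters are assumptions; a plain array stands in for `$_SESSION` so the script also runs from the command line.

```php
<?php
// Added example (not from the thread): session-indexed links.
// The link carries only an opaque, single-use token; the real parameters
// (record id, action, ...) stay server-side in the session under that token.
declare(strict_types=1);

const LINK_TTL_SECONDS = 600;   // assumed expiry window

/**
 * Store $params in the session store and return the token to put in the link.
 * A new token is minted on every call, even for identical parameters, so the
 * token reveals nothing about the record.  $group ties a set of alternatives
 * together (e.g. APPROVE/DENY for one customer) so choosing one kills the rest.
 */
function registerLink(array &$store, array $params, string $group = ''): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not rand()
    $store['links'][$token] = [
        'params'  => $params,
        'group'   => $group,
        'expires' => time() + LINK_TTL_SECONDS,
    ];
    return $token;
}

function buildLink(string $script, string $token): string
{
    return $script . '?LNK=' . rawurlencode($token);
}

/**
 * Resolve a token from the request.  Returns the stored parameters, or null
 * if the token is unknown, expired or already used.  On success the token
 * and every other token in its group are deleted (single use).
 */
function resolveLink(array &$store, ?string $token): ?array
{
    if ($token === null || !isset($store['links'][$token])) {
        return null;                       // forged, stale or replayed
    }
    $entry = $store['links'][$token];
    if ($entry['expires'] < time()) {
        unset($store['links'][$token]);
        return null;
    }
    foreach ($store['links'] as $t => $e) {   // consume this token and its siblings
        if ($t === $token || ($entry['group'] !== '' && $e['group'] === $entry['group'])) {
            unset($store['links'][$t]);
        }
    }
    return $entry['params'];
}

// --- demonstration -----------------------------------------------------------
// In a web page you would call session_start() and pass $_SESSION as $store;
// a local array is used here so the script runs from the CLI.
$store = [];

// Page generating the table: two alternative actions for the same record.
$approve = registerLink($store, ['CN' => 123456789, 'ACTION' => 'APPROVE'], 'cust-123456789');
$deny    = registerLink($store, ['CN' => 123456789, 'ACTION' => 'DENY'],    'cust-123456789');
echo buildLink('myscript.php', $approve), "\n";   // myscript.php?LNK=<32 hex chars>
echo buildLink('myscript.php', $deny), "\n";

// Receiving page: look the token up instead of trusting anything in the URL.
var_dump(resolveLink($store, $deny));             // ['CN' => 123456789, 'ACTION' => 'DENY']
var_dump(resolveLink($store, $approve));          // NULL: sibling invalidated
var_dump(resolveLink($store, $deny));             // NULL: already used
var_dump(resolveLink($store, '152482763'));       // NULL: never issued
```

Because the map lives in the user's own session, a token pasted into another browser finds nothing, so the session cookie becomes the thing to protect (HttpOnly and Secure flags, regenerate the id at login). For links embedded in e-mail the same map goes into a database table keyed by token, as Peter Fox notes, since the session will be long gone. And, as the earlier exchange makes clear, the receiving page should still confirm the user may perform the stored action; the token only replaces the guessable parameters, it does not replace authorisation.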
