views: 41

answers: 2

Hi,

I am having a problem understanding the security issues with the following scenario. I have a site that has user registration, and users can create events by logging in. If I am logged in as a user and I am at a URL like http://abc.com/index.php?page=edit&pageid=45, I see this page after logging in; otherwise it shows the login screen. But after logging in, if I change the URL from http://abc.com/index.php?page=edit&pageid=45 to http://abc.com/index.php?page=edit&pageid=567

I am able to edit that page, which is a security issue. How do I handle this? Is there a best way to handle any editing of the URL? Please guide me. Or how can I handle this via scripting, by checking something like the username and its association with the page ids?

Please guide me.

I was thinking of something like not showing the pageid variable in the URL and somehow passing it as a hidden value from page 1 to page 2, but I don't know how to do this exactly, or whether it's a good solution at all.

regards

+1  A: 

One possibility is setting and using the $_SESSION variable to determine if a user is allowed to visit a certain page. Another possibility is to use POST instead of GET for your login form. Let me know if I can elaborate.

edit:

<form method="get" action="login.php" name="form"></form>

vs

<form method="post" action="login.php" name="form"></form>

after login, you can set

 <?php session_start(); $_SESSION['user_id'] = $user_id; /* id of the user who just authenticated */ ?>

and at the top of the page you are using, you can have a statement like

 <?php session_start(); if ($_SESSION['user_id'] != $_POST['pageid']) { /* not valid */ } ?>
Orbit
Hi, thanks Brandon for the quick reply. Can you please guide me on the POST option from the login form? This is what a user can do: 1) go to the site. 2) Click on "my account" and log in. 3) Show him the list of events he/she has created. 4) Each event will have an option for a) editing, b) deleting, c) mail it! So whatever they click, I have the event id and/or the date in the URL. So user A is logged in, and if he just changes the id in the URL, he can edit user B's events, and do the same with the mail/delete options. Please help me.
gan
Using POST instead of GET won't help much. Any self-respecting hacker can fire off a POST request.
kijin
So what is the option? Will URL rewriting help?
gan
Yes, I was about to say this isn't really the way to go. You are also going to need to implement some sort of session tokens for authentication. I'll add something above.
Orbit
Thanks again Brandon, but in my case I show these "edit/delete/mail" options inside the user account, so when they click on one they can edit the id in the URL. So there is no form action here? Am I missing something? For example, after a user has logged in, he/she will see 1) title - date - description --- edit | delete | mail, and the list goes on like this.
gan
It's still a form action, just change the method="get" to method="post".
Orbit
The parameters will not be passed via the URL.
Orbit
The id should not be passed by URL as a first option. You can try to use AJAX if you need to use the GET method instead of POST. Maybe you can try the md5 function in order to change the id, so it is more difficult for other users to remember the id... but the risk will always be present!!
Nervo Verdezoto
Thank you all. I couldn't avoid the id being passed via the URL, so I tried to verify the user id and then show the page or redirect. Thanks for all the quick help and ideas that I can keep in mind.
gan
+1  A: 

I think it's fine passing the pageid in the URL. So the next thing is making sure the user can only edit their own page. What I would do is save the user's id in the table with the events.

Then on the edit page when you get the events information you can check the user id (from the table) with the user id from the person logged in.

Something like this

<?php
session_start(); // needed before $_SESSION can be read

// I don't know how your query works, but it would go here.
// It should load the event row, including its user_id column, into $event_result.

// Then before you output the edit form, add something like this
if ($_SESSION['user_id'] == $event_result['user_id']) {
    // They match, show the form
} else {
    // They don't match
    echo 'Excuse me, what are you doing?';
}
Baylor Rae'
Thank you. I tried what you said and it looks like it's working fine. Thanks again.
gan
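The ownership check from the accepted answer, written out as an added example (not code from the answer or from the asker's site). It assumes an events table with columns id, user_id and title, a PDO connection in $pdo, and that the login code stored the authenticated user's id in $_SESSION['user_id']; the same function guards edit, delete and mail, so changing pageid in the URL only ever reaches rows the logged-in user owns.

```php
<?php
// Added example; table, column and variable names are assumptions.
session_start();

if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// Load the event only if it belongs to $userId. Putting the owner in the
// WHERE clause means a foreign id simply finds nothing, and a missing row
// and a not-owned row look identical to the caller.
function loadOwnedEvent(PDO $pdo, int $eventId, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, user_id, title FROM events WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $eventId, ':uid' => $userId]);
    $event = $stmt->fetch(PDO::FETCH_ASSOC);
    return $event === false ? null : $event;
}

// Validate the id from the URL before it goes anywhere near the query.
$eventId = filter_input(INPUT_GET, 'pageid', FILTER_VALIDATE_INT);
if ($eventId === false || $eventId === null) {
    http_response_code(400);
    exit('Invalid event id');
}

$event = loadOwnedEvent($pdo, $eventId, (int) $_SESSION['user_id']);
if ($event === null) {
    // Not this user's event (or no such event): refuse, and log it so
    // repeated probing of other ids shows up in the server logs.
    error_log(sprintf('user %d denied access to event %d',
        $_SESSION['user_id'], $eventId));
    http_response_code(403);
    exit('You cannot edit this event');
}

// Ownership confirmed: show the edit form, delete, or mail $event here.
```

The same loadOwnedEvent() call belongs at the top of the delete and mail handlers too; a check that only protects the edit page leaves the other two actions open.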