It would be better to use randomly generated strings for your client ids
e.g. md5(uniqid(rand()));
This would be much harder for another user to guess.


Even better would be to store your users details in a session variable so
that the id will never appear in the url at all.


e.g. a very basic example.

session_name("YOURSESSIONID");
session_start();

authenticate etc... and read user details into $user array/object;

session_register("user");   // registers the global $user with the session

then as long as you're using the same browser session and you have

session_name("YOURSESSIONID");
session_start();

at the beginning of each page you can access $user.


If you open a new window you can do something like

abc.php?session_id=<?php echo session_id(); ?>

abc.php

session_id($session_id);    // $session_id taken from the query string
session_name("YOURSESSIONID");
session_start();

and carry on using $user.


-Stewart
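Added example, not code from the thread: the server-side check that the "change the 5 to an 8" problem really calls for, in modern PHP. It assumes PHP 5.4 or later with $_SESSION, and a hypothetical load_client() standing in for the real database lookup.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 5.4 and a
// hypothetical load_client() in place of the application's own query.
declare(strict_types=1);

session_name('YOURSESSIONID');
session_start();

// At login, after the credentials have been verified, the application
// would do something like:
//   session_regenerate_id(true);
//   $_SESSION['client_no'] = $authenticated_client_no;
//   $_SESSION['allowed_clients'] = [$authenticated_client_no];

// Hypothetical lookup; the real application queries its database here.
function load_client(int $client_no): array {
    return ['client_no' => $client_no, 'name' => "client $client_no"];
}

// Weak: trusts the identifier supplied by the browser. Any logged-in user
// can read any client by editing client_no; switching the form from GET to
// POST only moves the number out of the address bar, it does not stop this.
function show_client_weak(): array {
    $client_no = (int) ($_REQUEST['client_no'] ?? 0);
    return load_client($client_no);
}

// Fixed: the client number comes from the session populated at login,
// so the URL carries no identifier to tamper with.
function show_client_from_session(): ?array {
    if (!isset($_SESSION['client_no'])) {
        return null;                     // not authenticated
    }
    return load_client((int) $_SESSION['client_no']);
}

// When a URL parameter is still needed (e.g. a staff user who may view
// several clients), compare it against the set this session may see.
function show_client_checked(int $requested): ?array {
    $allowed = $_SESSION['allowed_clients'] ?? [];
    if (!in_array($requested, $allowed, true)) {
        http_response_code(403);
        error_log("client_no tampering? requested=$requested");
        return null;
    }
    return load_client($requested);
}
```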





-----Original Message-----
From: Jack Sasportas [mailto:[EMAIL PROTECTED]]
Sent: 21 March 2001 10:02
To: php
Subject: [PHP] Post -vs- Get


I have written a system with authentication to gain access to individual
data.
Since I am using the post method the command line has something like

abc.com?client_no=5

Now even though if that person emails you that url, you won't gain
access to it because of authentication that is needed, what can happen
is an authorized user could change the 5 in the url to 8, and then see
the information that is there which belongs to client 8.

Because of this I am thinking in this case I should be using the post
method instead of the get method.

Does anyone have a link to a doc that has a good example in both methods
along with a good explanation so that I can make sure I understand what
it's doing?

Thanks for your help!

Jack


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
