Hello,

Thanks for the replies ... I validate all the data and input from the user. So if the user changes the value nothing bad will happen:

I have in the code:

if ($var != $hiddenvar) { e-mail blank saying "Blank has been updated" }

That is it ... I made a mistake in my last e-mail .. the value of hidden is not a "DB primary key", just an important "column" in a table.

Michael.

On Sun, 04 Jul 2004 23:41:24 -0400 "John W. Holmes" <[EMAIL PROTECTED]> wrote:

> Michael Gale wrote:
>
> > Now at the moment on each page is a hidden variable containing a db primary key for which the data is getting updated.
> >
> > I know that hidden values are not a good idea since the user can change them ... so I was going to store the hidden value in a "$_SESSION" variable but then the problem is ... what happens when the user has two-three windows open and they are updating two-three different items. Each having its own db key?
>
> What's the impact if the variable is changed? There should still be some validation of the value on the server side, so changing it should be detected. If it's changed to another valid ID that the user has access to, then who cares if they change it? If they change it to an invalid value, your validation will catch it and spit out an error. If they try to change it to an ID that they do not have access to, your validation should catch and log that, also.
>
> The security problem isn't in the "hidden" form elements, it's in how you're validating them.
>
> --
> ---John Holmes...
>
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
>
> php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
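An added example, not code from either poster, of the two points the thread raises: the hidden id is validated server-side against what the user may actually update (with a log entry when it points at someone else's record), and several open windows are handled by keeping one session entry per issued form token rather than a single $_SESSION slot. The helpers ids_owned_by() and current_user_id() are hypothetical stand-ins for the application's own data and auth layer, and the sample data is constructed.

```php
<?php
// Hypothetical helpers standing in for the application's own auth and data layer.
function ids_owned_by(int $userId): array {
    // Constructed sample data: which record ids each user may update.
    $owned = [7 => [101, 102, 103], 8 => [201]];
    return $owned[$userId] ?? [];
}

function current_user_id(): ?int {
    return $_SESSION['user_id'] ?? null;
}

// When rendering an edit form: issue a token bound to this record and keep it
// in the session keyed by token, so each open window has its own entry.
function issue_form_token(int $recordId): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['edit_tokens'][$token] = $recordId;
    return $token; // emit alongside <input type="hidden" name="id" value="...">
}

// On submit: the hidden id is untrusted. It must be an integer, must match the
// id the token was issued for, and must be a record this user may update.
function validate_hidden_id(array $post): ?int {
    $userId = current_user_id();
    if ($userId === null) {
        return null; // not logged in
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $token = (string) ($post['token'] ?? '');
    $expected = $_SESSION['edit_tokens'][$token] ?? null;
    if ($id === false || $expected === null || $expected !== $id) {
        error_log("user $userId: hidden id/token mismatch, id=" . var_export($post['id'] ?? null, true));
        return null;
    }
    if (!in_array($id, ids_owned_by($userId), true)) {
        // Valid id, but not this user's record: log it, as John suggests.
        error_log("user $userId attempted to update record $id without access");
        return null;
    }
    unset($_SESSION['edit_tokens'][$token]); // one use per form
    return $id;
}

session_start();
$_SESSION['user_id'] = 7; // constructed: pretend user 7 is logged in
$tokenA = issue_form_token(101); // window 1 edits record 101
$tokenB = issue_form_token(102); // window 2 edits record 102
var_dump(validate_hidden_id(['id' => '102', 'token' => $tokenB])); // accepted
var_dump(validate_hidden_id(['id' => '201', 'token' => $tokenA])); // rejected and logged
```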