Ok guys, I think you're beating a dead horse, the idea is understood,
and there are quite a few ways to do what is needed, there have been
like 30 posts on this...
On Tue, 21 Sep 2004 14:12:43 -0400, John Holmes
<[EMAIL PROTECTED]> wrote:
> From: "Stuart Felenstein" <[EMAIL PROTECTED]>
From: "Stuart Felenstein" <[EMAIL PROTECTED]>
I still want to pass the id's through hidden.
So the html in the first form looks like this:
Form is set to post.
Why would you pass UserID in the form when you turn around and pull it from
the session in your code? It's a waste.
Also, with the abov
From: <[EMAIL PROTECTED]>
the encryption is random, there is no algorithm to break it. I'm not going
to argue against any of the other problems with this system, but no one is
going to be able to break this algorithm; it's 14 characters of lowercase
and uppercase letters and numbers, in random ord
> 1.530.470.9292
> http://www.Velocity7.com/
>
> - Original Message -
> From: "Stuart Felenstein" <[EMAIL PROTECTED]>
> To: "Jasper Howard" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Tues
ession. Otherwise they can try to hack by changing
> the combination until
> they hit another valid record.
>
> Bastien
>
> >From: Stuart Felenstein <[EMAIL PROTECTED]>
> >To: John Holmes <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
--- M Saleh EG <[EMAIL PROTECTED]> wrote:
> Your 2nd question... Okay... how would you use the hidden
> inputs? With
> hidden inputs, I mean the form hidden elements
> ( name="id" value="recordID" />), so instead of having
> hyperlinks
> pointing to the form page, use a form with submit
> buttons that pos
To: "Jasper Howard" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, September 21, 2004 1:03 AM
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
> Up front it sounds like a good option. However, my
> first thought is, entering another en
To: John Holmes <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
Date: Tue, 21 Sep 2004 08:23:51 -0700 (PDT)
Nope, can't get to any other record. One would have
to match both userid and recordID to get a hit.
Perhaps now I should put this into a form and send it
via hidden fields, for another layer of protection.
Stuart
--- John Holmes <[EMAIL PROTECTED]> wrote:
> From: "Stuart Felenstein" <[EMAIL P
IL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
Date: Tue, 21 Sep 2004 08:17:43 -0700 (PDT)
So what I did was this statement: SELECT * FROM Table
WHERE RecordID = blue and UserID = red
blue is the variable for the recordID
red is the variable for the userID
From: "Stuart Felenstein" <[EMAIL PROTECTED]>
So what I did was this statement: SELECT * FROM Table
WHERE RecordID = blue and UserID = red
blue is the variable for the recordID
red is the variable for the userID
So now when I change either of those variables in URL
no record is returned.
Did I finally get this right?
Stuart
From: "Bastien Koert" <[EMAIL PROTECTED]>
You can also validate the IP of the user for the session. Since many
people are still on dialup, they do not have a static IP and therefore
it's of little value to store... but it should remain the same for the
session.
IP addresses are pretty much worthle
That's why I said CAN, since it is unreliable.
Bastien
From: "John Holmes" <[EMAIL PROTECTED]>
To: "Bastien Koert"
<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>
CC: <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>
Subject: Re: [PHP-DB] Pa
When I
> request "update.php?recordID=2", you should be doing
> something like "SELECT
> * FROM Record_Table WHERE recordID = 2 AND userID =
> 3", which will not
> return any rows.
Okay, that makes sense. I will try that. Though I'd
imagine the SQL will need to be different since I
could be dealing
--- John Holmes <[EMAIL PROTECTED]> wrote:
> From: "Stuart Felenstein" <[EMAIL PROTECTED]>
> > For whatever reason I can not use session only
> here.
> > It does not return the correct record from the
> table.
>
> Don't say that you cannot use sessions, just say
> that you haven't figured
> out
From: "Bastien Koert" <[EMAIL PROTECTED]>
You can also validate the IP of the user for the session. Since many
people are still on dialup, they do not have a static IP and therefore its
of little value to store...but it should remain the same for the session.
IP addresses are pretty much worthles
you can use over and over if it's well designed,
Bastien
From: Stuart Felenstein <[EMAIL PROTECTED]>
To: Bastien Koert <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
Date: Tue, 21 Sep 2
From: "Stuart Felenstein" <[EMAIL PROTECTED]>
For whatever reason I can not use session only here.
It does not return the correct record from the table.
Don't say that you cannot use sessions, just say that you haven't figured
out how to correctly use them, yet.
Maybe that doesn't make any sense.
> > Designing this is tricky and it's a lot of work,
> but when complete, it's
> > portable (you can use the framework in many
> applications) and it's secure.
> > Basically you build an admin area, whereby some
> trusted users have admin
> > privileges and assign t
> To: Bastien Koert; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] Passing URL parameters, how to hide
>
>
> See response interspersed:
> --- Bastien Koert <[EMAIL PROTECTED]> wrote:
>
> > To be
sign those to various users. The permissions themselves are
> simply yes/no fields, assigned with checkboxes or radio buttons.
>
> Bastien Koert
>
> >From: M Saleh EG <[EMAIL PROTECTED]>
> >Reply-To: M Saleh EG <[EMAIL PROTECTED]>
> >To: Stuart Felenstein <[EMAIL PROTECTED]>
> >CC: Jasper Howard <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
> >Subject: Re: [PHP-DB] Passing URL p
From: M Saleh EG <[EMAIL PROTECTED]>
Reply-To: M Saleh EG <[EMAIL PROTECTED]>
To: Stuart Felenstein <[EMAIL PROTECTED]>
CC: Jasper Howard <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passing URL parameters, how to hide
Date: Tue, 21 Sep 2004 15:19:32 +040
From: "Stuart Felenstein" <[EMAIL PROTECTED]>
--- M Saleh EG <[EMAIL PROTECTED]> wrote:
You should always avoid passing Record IDs through
URL parameters.
Use form Hidden fields instead!
Hidden form fields are still passed in the URL unless you're using a POST
method for your form. It doesn't matt
1. So I'm going to ask, how does PHP stop a URL from
being changed? Are there specific functions that
block that type of activity?
I said: "I personally don't recommend using URL parameters for
passing record ids, I'd rather use hidden inputs,
sessions, or even cookies but never URI
querystrin
See my response interspersed:
--- M Saleh EG <[EMAIL PROTECTED]> wrote:
> You should always avoid passing Record IDs through
> URL parameters.
> Use form Hidden fields instead!
I agree. Even as someone with limited experience.
That is why I'm trying to figure out the right way to
do it. The r
Up front it sounds like a good option. However, my
first thought is, entering another encrypted id just
puts me back to the same problem. How easy would it
be for someone to break the encryption algorithm? My
guess is that it would be easy.
Stuart
--- Jasper Howard <[EMAIL PROTECTED]> wrote:
BTW you might expose and get your database hacked if you don't do some sort of
validation while using the ID from the URI parameter.
Example: http://domain/?show=records&id=4
If someone changes id to 4;use mysql; update user set
password=md5("hello") where user='root';
imagine what would happen??? your
You should always avoid passing Record IDs through URL parameters.
Use form Hidden fields instead!
In your case, when you're selecting the user's form data from the record,
check if it's the same user; if not, then if he tries to change the ID
from the URI parameter, just block it. Or you'd better MD5 every lo
When I created a business management script for the business I work for, it
was important that IDs in URLs were encrypted. What I did was create a code
for each item that needed one. My encryption table fields looked something
like: enc_id, encryption, table, id, where enc_id was the unique identif
I'm restarting this post. I thought I was out of the
woods, but not.
Here's the situation: in most of my update forms which
involve 1 record, passing a session variable, usually
the user's ID, is enough. No URL param passing.
Not so in two update forms I have where there are
multiple records for each
Turned out "hiding" the id wasn't necessary as the
awaiting update page can grab the session ID.
I wasn't thinking. Sorry
Stuart
--- John Holmes <[EMAIL PROTECTED]> wrote:
> Stuart Felenstein wrote:
> > I'm still confused over one aspect of URL
> parameters.
> > As far as a form passing data bac
Stuart Felenstein wrote:
I'm still confused over one aspect of URL parameters.
As far as a form passing data back to the server, I
understand about get, post and replace.
Here is my problem.
I have an update form. User is logged in to the
system and needs to update whatever information.
Right now
Ugh, I should rest on the weekends :)
--- Stuart Felenstein <[EMAIL PROTECTED]> wrote:
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php