blogit Posted June 16, 2008
Hello, I've just used Macromedia's tutorial to create a master/details page. The tutorial is at http://www.adobe.com/support/dreamweaver/building/master_detail_php/index.html

I would like to secure the query URL or encode it. The string is /client_details.php?recordID=110 As it is, you can simply change the recordID and retrieve any information in the database.

The link from the master page to the details is <?php echo $row_clientlist['client_name']; ?>

Can someone suggest a way to encode or secure the link so that the recordID is not displayed? Any help's appreciated, I hate having scripts that aren't secure. Thanks
Link to comment: https://forums.phpfreaks.com/topic/110347-secure-or-encode-master-details-query-link/
xtopolis Posted June 16, 2008
Do not try to secure the URL, try securing the output data. Make it so someone has to be logged in in order to see the data, by use of sessions and authentication with a database. It depends how secure you need your data to be. Very secure: sessions plus database auth. Not very secure: a single password hard-coded into the page. Anything you might try to do to the URL can be reverse engineered, so that is why I do not recommend trying to secure it.
blogit Posted June 16, 2008
The site is already protected with a login/password system using the database, sessions and cookies; the page is protected and checks whether the visitor is logged in or not. But I wanted to protect it further from people inserting queries into the URL that they shouldn't be.

Basically there is a list of active clients displayed on the master page, while other clients, which aren't active and aren't displayed on the master page, can still be accessed by changing the client ID in the URL, so is there any way to secure this further? I know that any URL encoding can be decoded, so what else can be done to the URL?

What about a simple usergroup check? If I create a usergroup for each user and then also create a usergroup field with each client, can there be a simple check done to make sure the user is a member that would have access to see the results of the details page?
.josh Posted June 16, 2008
blogit wrote: "Basically there is a list of active clients displayed on the master page, while other clients, which aren't active and aren't displayed on the master page, can still be accessed by changing the client ID in the URL, so is there any way to secure this further?"

After making sure the id value is the correct format (if using integers, check to make sure it's an integer, use mysql_real_escape_string on the variable, etc.), since you are expecting to only show/alter/whatever active clients, do a query check on the passed variable to see if that client is active. If not, then kick an error message or whatever.
blogit Posted June 16, 2008
I added AND `status` = 'active' into the query so the details page will only output active clients. Can you show me an example of how to use this in an if statement, so if the client is inactive I can run a function to redirect the user or output an error? The function I can make/run, I'm just not sure how to write the if statement.
.josh Posted June 16, 2008
Well, basically you would first run a basic query using the id, like "select status from table where id = '$id'", then do a condition based on that. Assuming you retrieve it and put the status in $status:

if ($status == 'active') {
  // it's valid, do your code here
} else {
  // it's not valid. do something here. Log it, throw out an error, whatever
}
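The following is an added example, not code from the thread or from the Adobe tutorial, showing one way to put .josh's advice (validate the id, then check that the record is active before showing it) and blogit's usergroup idea together in a single details page. Instead of a separate status query followed by an if, it folds both rules into the WHERE clause, so a record that is inactive or belongs to another group is simply never fetched. It uses PDO prepared statements rather than the mysql_ functions mentioned in the thread (that extension was removed in PHP 7). The table and column names (clients, id, client_name, status, usergroup), the session keys and the connection details are assumptions for illustration.

```php
<?php
// Added example (not from the original thread): a details page that refuses to
// serve any client record the caller is not entitled to, no matter what
// recordID is typed into the URL.
//
// Assumptions (not from the thread): a PDO MySQL connection, a `clients` table
// with columns id, client_name, status and usergroup, and login code that has
// already stored $_SESSION['user_id'] and $_SESSION['usergroup'].
session_start();

// 1. The user must be logged in (blogit says this check already exists).
if (empty($_SESSION['user_id']) || empty($_SESSION['usergroup'])) {
    header('Location: login.php');
    exit;
}

// 2. Validate the identifier's format before it goes anywhere near SQL.
//    FILTER_VALIDATE_INT rejects "110 OR 1=1", "110abc", "" and, with the
//    min_range option, zero and negative values.
$recordID = filter_var($_GET['recordID'] ?? '', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($recordID === false) {
    http_response_code(400);
    exit('Invalid record id');
}

// 3. Put the authorization rule in the query itself: the row must be active
//    AND belong to the caller's usergroup. The prepared statement keeps the
//    values out of the SQL text, which is what mysql_real_escape_string was
//    trying to achieve by hand.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
    'dbuser',                                            // assumed credentials
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$stmt = $pdo->prepare(
    'SELECT id, client_name, status
       FROM clients
      WHERE id = :id AND status = :status AND usergroup = :grp'
);
$stmt->execute([
    ':id'     => $recordID,
    ':status' => 'active',
    ':grp'    => $_SESSION['usergroup'],
]);
$client = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. One branch for "does not exist", "inactive" and "wrong group" alike, so a
//    user probing ids cannot tell which of the three applied. Log it server-side
//    so repeated probing is visible to the administrator.
if ($client === false) {
    error_log(sprintf(
        'user %s denied access to client record %d',
        $_SESSION['user_id'],
        $recordID
    ));
    http_response_code(404);
    exit('Client not found');
}

// 5. Valid: render the details. htmlspecialchars stops a stored client name
//    from being interpreted as HTML in the page.
echo '<h1>' . htmlspecialchars($client['client_name'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

The master page's link can keep showing recordID in plain sight; what matters is that the details page decides, on every request and from session data the user cannot edit, whether that id may be shown to this user.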