Secure or encode master details query link


blogit

Hello, I've just used Macromedia's tutorial to create a master/details page. The tutorial is at

http://www.adobe.com/support/dreamweaver/building/master_detail_php/index.html

 

I would like to secure the query url or encode it, the string is /client_details.php?recordID=110

 

As it is you can simply change the recordID and retrieve any information in the database. The link from the master page to the details is

<?php echo $row_clientlist['client_name']; ?>

Can someone suggest a way to encode or secure the link so that the recordID is not displayed? Any help's appreciated; I hate having scripts that aren't secure.

 

Thanks


Do not try to secure the URL, try securing the output data.

 

Make it so someone has to be logged in in order to see the data by use of sessions and authentication with a database.

 

It depends how secure you need your data to be. Very secure: sessions + database auth. Not very secure: single password hard coded into the page. Anything you might try to do to the URL can be reverse engineered, so that is why I do not recommend trying to secure it.


The site is already protected with a login/pass system using the database, sessions and cookies; the page is protected and checks if the visitor is logged in or not. But I wanted to protect it further from people inserting queries into the URL that they shouldn't be. Basically there is a list of active clients displayed on the master page, while other clients, if they aren't active and not displayed on the master page, can still be accessed by changing the client ID in the URL, so is there any way to secure this further? I know that any URL encoding can be decoded, so what else can be done to the URL? What about a simple usergroup check: if I create a usergroup for each user and then also create a usergroup field for each client, can a simple check be done to make sure the user is a member that would have access to see the results of the details page?


Basically there is a list of active clients displayed on the master page, while other clients, if they aren't active and not displayed on the master page, can still be accessed by changing the client ID in the URL, so is there any way to secure this further?

 

After making sure the id value is the correct format (if using integers, check to make sure it's an integer, use mysql_real_escape_string on the variable, etc...), since you are expecting to only show/alter/whatever active clients, do a query check on the passed variable to see if that client is active. If not, then kick an error message or whatever.


I added

AND `status` = 'active'

into the query so the details page will only output active clients. Can you show me an example of how to use this in an if statement, so if the client is inactive I can run a function to redirect the user or output an error? The function I can make/run; I'm just not sure how to write the if statement.


Well, basically you would first run a basic query using the id like

 

"select status from table where id = '$id'"

 

then do a condition based on that. Assuming you retrieve it and put the status in $status:

if ($status == 'active') {
  // it's valid, do your code here
} else {
  // it's not valid. do something here. Log it, throw out an error, w/e
}

 

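Putting the two suggestions from this thread together (the usergroup check the poster asked about and the `status = 'active'` check from the last reply), here is an added example of what `client_details.php` could look like. It is not code from the thread or from the Adobe tutorial. It assumes a PDO connection, a `clients` table with hypothetical columns `id`, `client_name`, `status` and `usergroup_id`, and that the login code already stores `user_id` and `usergroup_id` in the session. Bound parameters are used instead of `mysql_real_escape_string`, and a malformed, inactive or foreign-group id all get the same "not found" response so the page does not reveal which ids exist.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   clients(id INT, client_name VARCHAR, status VARCHAR, usergroup_id INT)
// Assumed session keys set at login: $_SESSION['user_id'], $_SESSION['usergroup_id']

function fetch_authorized_client(PDO $pdo, $requested_id, $user_group_id)
{
    // 1. Check the format first: recordID must be a positive integer.
    //    Anything else is rejected before it reaches the database.
    $client_id = filter_var($requested_id, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($client_id === false) {
        return null;
    }

    // 2. Let the query enforce both rules: the client must be active AND
    //    belong to the caller's usergroup. Bound parameters rule out
    //    SQL injection regardless of what was typed into the URL.
    $sql = 'SELECT id, client_name, status
              FROM clients
             WHERE id = :id
               AND status = :status
               AND usergroup_id = :group
             LIMIT 1';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':id'     => $client_id,
        ':status' => 'active',
        ':group'  => (int) $user_group_id,
    ]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---- client_details.php ----
session_start();

// The existing login check from the thread: no session, no page.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// Placeholder credentials; replace with your own connection settings.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$requested = $_GET['recordID'] ?? '';
$client = fetch_authorized_client($pdo, $requested, $_SESSION['usergroup_id'] ?? 0);

if ($client === null) {
    // Same outcome for a bad id, an inactive client, or another group's
    // client. Log it so repeated probing of recordID values is visible.
    error_log(sprintf('Denied client_details access: user=%s recordID=%s',
        $_SESSION['user_id'], $requested));
    http_response_code(404);
    echo 'Client not found.';
    exit;
}

// The record passed both checks; render it (escaped for HTML output).
echo '<h1>' . htmlspecialchars($client['client_name'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

The master page does not need to change: it can keep linking to `client_details.php?recordID=...`, because the id in the URL is no longer what grants access. The session identifies the user, and the query decides whether that user may see that row. The `if ($status == 'active')` branch from the reply above collapses into the `$client === null` test, since a row only comes back when every condition held.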
