[SOLVED] Security in Passing Variable through URL

[ballouta]

Hello

 

Is there safer way to pass a variable from page to page.

for example, i have this page: www.sitename.com/send_file.php?user=ballouta

if someone knows this username or other usernames he would use this link.

Please give me an idea how I can fix this security issue.

Thanks alot

[timmah1]

Instead of using the username, couldn't you just use a sessionID?

[discomatt]

Or just use sessions.

[.josh]

right. there is no reason to send info like that through url.  you'd have user's info in a session var.  your link would be to send_file.php and instead of checking for $_GET['user'] check for $_SESSION['user']

[ballouta]

Is it going to be easy if I replace this way of passing variables with using sessions? Actually never used sessions but i read about it, I know it is smthg very important.

Do you advice a nice simple tutorial with examples if possible?

 

thank u all

[.josh]

The central idea behind a login system is to use session variables, so you can read up on them by reading any basic login tutorial.  However, here's a quick example:

 

page1.php

<?php
   session_start();

   $_SESSION['username'] = 'ballouta';
   
   echo "<a href = 'page2.php'>page 2</a>";
?>

 

page2.php

<?php
   session_start(); 

   if($_SESSION['username']) {
      echo $_SESSION['username'];
   }
?>

[br0ken]

Unfortunate as it may seem to you right now, if you wish to have any kind of login facility, you must use sessions. There are other ways to accomplish this but sessions are by far the easiest. While at first they may seem complex, in an hour or two you can have a basic understanding of sessions which is enough to implement a basic login system that can be built on to create a extremely secure and simple user login system.

 

For more information simply type 'PHP Sessions' on Google and you'll have enough information to get started.

[Lodius2000]

going on crayon violet's post

 

if upon submission of your login (i assume that is what you are doing) put this line in

 

$_SESSION['username'] = $_POST['user']; where the variable in the post array is the name of the field that you type your userid into, I think you are using 'user'

 

**** make sure session_start(); is at the TOP TOP TOP and I mean TOP of every page you want this variable to persist in****

 

after that use crayon violets if() statement for page2.php to verify that you have a logged in user

[br0ken]

Whilst the above code would work, I highly recommend reading and learning about sessions rather than just plugging in code given from other people. It is important to understand how sessions work and how they can be subverted.

[Lodius2000]

indeed broken

[br0ken]

Apologies if that sounded harsh my friend! Just thought I should point that out.