
hey all,

 

I am working on a user interface for a db and it works but the issue I am having is security.

 

The problem I am having is that for the user to do anything they have to click on links. The links call the new function, but for the function to work correctly I have to send the id in the URL. This is a big issue so I need to fix it.

 

What I am wondering is what would be the best way to either a) encrypt the id in the URL so it can still be used on the next page, or what would be another way to pass the info to the next page?

 

thanks

bill

 

https://forums.phpfreaks.com/topic/139732-solved-hide-data-in-url/

Don't know ajax but that might work.

 

I do use sessions but I am not sure how well the session data would work. Here is part of the code.

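// Fetch every character that belongs to the user $uid.
// $uid is interpolated into the SQL string, so force it to an integer first.
// (mysql_* functions were removed in PHP 7.0; this excerpt targets older PHP.)
$uid = (int) $uid;
$query1 = "SELECT * FROM characters where id='$uid' ORDER BY wchar";
$result1 = mysql_query($query1) or die (" Line 2 Query failed due to: ".mysql_error());
while ($row1= mysql_fetch_array($result1))
{
// Turns each column of the row into a variable ($cid, $cname, $classname, ...).
extract($row1);

// Header row for this character.
echo "<tr><td></td>
<td><b>Character's' Name</b></td>
<td><b>Class</b></td>
<td><b>Race</b></td>
<td><b>Subrace</b></td>
<td><b>Which Character</b></td></tr>";

// Character details; the name links to the skills page with the character id in the URL.
echo "<tr><td></td>
<td><a href='home.php?action=purchaseskills&cid=$cid'>$cname</a></td>
<td>$classname</td>
<td>$racename</td>
<td>$subrace</td>
<td>$wchar</td></tr>";

// Per-character actions; every link carries cid as a query parameter.
echo "<tr><td><b>Options</b></td>
<td><a href='home.php?action=spiritforge&cid=$cid'>Spirit Forge</a></td>
<td><a href='home.php?action=racechange&cid=$cid'>Race Change</a></td>
<td><a href='charsheet.php?cid=$cid' target='_blank'>Character Sheet</a></td>
<td><a href='home.php?action=xplog&cid=$cid'>XP Log</a></td>
<td><a href='home.php?action=deletechar&cid=$cid'>DELETE</a></td></tr>\n";
} // end while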

 

OK, so as you see, what happens is it takes a list of users and brings up the character info for them. Now I can probably change the link to go to a quick script that sets the id as a session variable, but other than that I'm not sure how else to do it. Plus, since the session variable would need to change often, that's the thing I need to figure out: when the character is selected, how to set its id as the session variable.

 

I don't know JavaScript, but if that or ajax is the best way to do it without sending the data through the URL I may have to look into it.

 

Thanks for the feedback I appreciate it, any other suggestions ? :)

thanks for the suggestions.

 

I figured out a way to do it by setting up the links as forms with the id as hidden data. That way instead of links I get buttons now and it makes it a bit more secure.

 

Thanks again 

 

You should never sensitive data through HTTP...  You can use hidden fields or sessions to accomplish this.


I think you left out a word there.  Do you mean "You should never send sensitive data through HTTP"?  Because you realize that sessions and forms still use HTTP...
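
Added example, not part of the thread and not any poster's code: the cid can travel in a link or a hidden field alike, as long as the server checks it against the logged-in user on every request and requires a per-session token for state-changing actions such as the delete. It assumes PDO, a user id held in the session, and the column names cid, id (owner) and cname inferred from the thread's query; the function names and sample rows are constructed.

```php
<?php
// Assumed schema: characters(cid, id = owner's user id, cname), per the thread's query.

// Returns the character row only if it exists AND belongs to $userId.
function loadOwnedCharacter(PDO $db, int $userId, $rawCid): ?array
{
    // Accept only a positive integer; anything else is rejected before touching the DB.
    $cid = filter_var($rawCid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cid === false) {
        return null;
    }
    // Bound parameters, with the owner as part of the WHERE clause.
    $stmt = $db->prepare('SELECT cid, cname FROM characters WHERE cid = ? AND id = ?');
    $stmt->execute([$cid, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handles a POSTed delete: token check first, then the ownership check.
function deleteCharacter(PDO $db, array $session, array $post): bool
{
    if (!isset($session['uid'], $session['csrf'], $post['csrf'])
        || !is_string($post['csrf'])
        || !hash_equals($session['csrf'], $post['csrf'])) {
        return false; // missing or wrong per-session token
    }
    $char = loadOwnedCharacter($db, (int) $session['uid'], $post['cid'] ?? null);
    if ($char === null) {
        return false; // not a valid id, or not this user's character
    }
    $stmt = $db->prepare('DELETE FROM characters WHERE cid = ? AND id = ?');
    $stmt->execute([$char['cid'], (int) $session['uid']]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE characters (cid INTEGER PRIMARY KEY, id INTEGER, cname TEXT)');
$db->exec("INSERT INTO characters VALUES (1, 10, 'Aria'), (2, 20, 'Borin')");

// Stands in for $_SESSION after login; $_POST is replaced by the arrays below.
$session = ['uid' => 10, 'csrf' => bin2hex(random_bytes(16))];
var_dump(deleteCharacter($db, $session, ['cid' => '2', 'csrf' => $session['csrf']])); // another user's character
var_dump(deleteCharacter($db, $session, ['cid' => '1']));                             // token missing
var_dump(deleteCharacter($db, $session, ['cid' => '1', 'csrf' => $session['csrf']])); // own character, valid token
```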
