Hiding ids at the top of the url


Jalz


Hi Guys,

 

Wanted a bit of advice. I have a table of data and each row has a link to take it to an edit page of that record. The code underneath is what I have for my edit link.

 

<a href="addresses_edit.php?recid=<?php echo $personal_details_row->getRecordId(); ?>" class="standardbutton">Edit Address</a>

 

The problem is, the url of my addresses_edit.php page will have a recid=55 for instance which is fine, as that would be the record I would want to view and alter. My question is how can I hide that recid parameter value, as if someone manually changes 55 to 58, they get the contents of record 58. I've been doing a little bit of reading on this subject and mod rewrite seems to be the obvious choice. However I am using IIS to host my website, so this option is not valid. So far the alternative to me is to save the recid parameter in a session, would you gurus agree? I have come up with the following code which doesn't seem to work (i.e. when I print_r($_SESSION) I don't see it being set), if someone can point me in the right direction please.....

 

<a href="addresses_edit.php
			<?php if(!session_id()) session_start();
					if(isset($_SESSION['recid'])){unset($_SESSION['recid']);}else
					{$_SESSION['recid']=$personal_details__Address_portal->getField('Address::recid');} ?>" class="standardbutton">Edit Addresses</a>

 

Many Thanks as always for your help.


On your "addresses_edit.php" page, have a conditional statement to check if the person should be able to view that page (with the particular recid)... if so, let them see the content... if not, tell them they don't have access to that page.

 

Edit: the reason I am saying to do this is that even if you use modrewrite or even POST method (so it doesn't show up at the URL), people will still be able to pass recid a value... rather than trying to hide it, you need to secure it on the addresses_edit.php by validating that this person has access to a particular recid they are asking for.
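
The check described in the reply above, as an added example that is not part of the original thread or either poster's code. It assumes the login step stored the authenticated user's id in $_SESSION['user_id']; the helper names and the SAMPLE_OWNERS table are hypothetical stand-ins for a real ownership lookup in the database.

```php
<?php
// addresses_edit.php: server-side ownership check (added sketch).
// Assumption: login stored the authenticated user's id in $_SESSION['user_id'].

// Constructed sample data: record id => id of the user who owns it.
const SAMPLE_OWNERS = [55 => 7, 58 => 12];

// Hypothetical helper: may $userId edit record $recid?
// A real page would look up the record's owner in the database instead.
function can_edit_record($userId, $recid, array $owners)
{
    return isset($owners[$recid]) && $owners[$recid] === $userId;
}

// Returns the HTTP status the page should answer with for this request.
function authorize_edit(array $session, array $query, array $owners)
{
    if (!isset($session['user_id'])) {
        return 401;                       // not logged in
    }
    // Accept only a positive integer; anything else is rejected outright.
    $recid = filter_var($query['recid'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($recid === false) {
        return 400;                       // missing or non-numeric recid
    }
    return can_edit_record($session['user_id'], $recid, $owners) ? 200 : 403;
}

if (PHP_SAPI !== 'cli') {
    if (!session_id()) {
        session_start();
    }
    $status = authorize_edit($_SESSION, $_GET, SAMPLE_OWNERS);
    if ($status !== 200) {
        http_response_code($status);
        exit('You do not have access to that record.');
    }
    // ... load and display the edit form for the validated record here ...
} else {
    // Constructed demo from the command line: user 7 owns record 55, not 58.
    foreach ([55, 58, 'abc'] as $id) {
        echo $id, ' => ', authorize_edit(['user_id' => 7], ['recid' => $id], SAMPLE_OWNERS), "\n";
    }
}
```

Because the decision is made from the session's user id and the record's owner, changing recid=55 to recid=58 in the URL (or sending it by POST) yields a refusal rather than another person's record.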
