Hiding $_GET Variables


xProteuSx

I am building a member-based website, and I've got a bunch of buttons that lead from page to page. The links for these buttons are generated based on user ID and subsequent pages receive this variable as well.

So, if you hover over the buttons, you get a link like this:

http://www.mysite.com?id=423

How can I hide the last part? The '?id=423'? I must use this format of variable, and cannot resort to session variables. Is there a way to hide this portion of the links??

Link to comment
Share on other sites

You have a <form> tag somewhere. In this <form> tag, you should have a method attribute, so that your form tag will have <form method="get">. If you don't have this method attribute, you need to set it, and set it to post: <form method="post">. You will also have an action attribute in the tag, but I left this out of my explanation as it's not relevant. The relevant part is that you need method="post" in your form tag.

Link to comment
Share on other sites

I do not have a form.

I am passing variables using the URL.

Then no, you can't 'hide' it. If the data is that sensitive, it shouldn't be passed through the URL in the first place. But I really don't think that's the issue, is it? I have a hunch you're not cleaning, filtering or validating the data and hence are having issues with cheeky users. In which case, work out how to do that as opposed to working around what you have, which clearly works.

Link to comment
Share on other sites

MasterACE14,

You're right, in a sense. I am not cleaning, filtering, or validating (CFV) data ... YET. Right now I am working on the basic functions. The CFV of data will be worked on at a later stage. I was just hoping to be able to hide the variables that are being sent via URL; that would make it a little more difficult for malicious users to mess with the site.

Link to comment
Share on other sites

POST ideally shouldn't be used for simply retrieving information anyway. While POST and GET behave similarly (aside from GET data always being visible in the address bar), they have different meanings, and should be used accordingly. Besides, one of the benefits of GET is that the results can be bookmarked.

That said, you can make your links look more pretty by using .htaccess. So, instead of something like example.com?user=1138 you could have example.com/users/1138.

Link to comment
Share on other sites

I was just hoping to be able to hide the variables that are being sent via URL; that would make it a little more difficult for malicious users to mess with the site.

Note that using $_POST isn't that much more secure. For example, someone could just download your form code; tamper with it; point it to where the form is normally submitted; click the submit button. It may not be as quick as messing with the $_GET variables, but it's not that complicated.

Link to comment
Share on other sites
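Added example (not code from any poster in this thread): since the replies agree that neither hiding the id nor switching to POST stops it from being edited, the receiving page has to validate it. One way that fits the no-sessions constraint is to validate the id as an integer and attach an HMAC to every generated link; `LINK_SECRET`, `signed_link()` and `verified_id()` are hypothetical names, and the secret shown is a placeholder.

```php
<?php
// Added example, not from the thread. All names here are hypothetical.
declare(strict_types=1);

// Placeholder: load a long random value from server-side configuration instead.
const LINK_SECRET = 'replace-with-a-long-random-server-side-secret';

/** Build a link whose id cannot be changed without invalidating the signature. */
function signed_link(string $base, int $id): string
{
    $sig = hash_hmac('sha256', (string) $id, LINK_SECRET);
    return $base . '?' . http_build_query(['id' => $id, 'sig' => $sig]);
}

/** Return the validated id, or null if it is missing, malformed or altered. */
function verified_id(array $query): ?int
{
    // Validation: accept only a positive integer (rejects arrays, text, "1 OR 1=1").
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $sig = $query['sig'] ?? '';
    if ($id === false || !is_string($sig)) {
        return null;
    }
    // Integrity: recompute the HMAC and compare in constant time.
    $expected = hash_hmac('sha256', (string) $id, LINK_SECRET);
    return hash_equals($expected, $sig) ? $id : null;
}

// Constructed demo input: a genuine link, then the same query with the id edited.
$link = signed_link('http://www.mysite.com/', 423);
parse_str((string) parse_url($link, PHP_URL_QUERY), $genuine);
$edited = ['id' => '424'] + $genuine;   // id changed, old signature kept

var_dump(verified_id($genuine));        // genuine link: id is accepted
var_dump(verified_id($edited));         // edited id: rejected
// In a page handler: $id = verified_id($_GET); respond with 400/403 when null.
```

The id is still visible in the URL, and the signature only proves the server generated that link, so anyone who obtains the link can use it. Checking that the requesting user is allowed to see that id still needs an authenticated identity on the server.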
