PHP_Student_12550 Posted December 31, 2012 (https://forums.phpfreaks.com/topic/272533-address-bar-url-issue/) I have a question that I can't seem to find the answer for. If a PHP developer is designing a routine to allow subscribers to delete their postings, something like this appears in the address bar of the browser: http://www.someWebSite.com/deletePost.php?rec_ID=380 For example, I wrote a routine where a user has to enter their email address and password. If both are entered correctly, they are shown all their postings. For example, if that user owns record 380, the above happens. Now the routine works perfectly, but the problem that I noticed is that someone could type that back into their address bar, change the number to, for example, 346, and in essence delete someone else's posting. How can this issue be solved?
requinix Posted December 31, 2012 Make sure that deletePost.php doesn't delete the post unless the user is allowed to. Then they can change the ID number all they want and it won't let them do something they shouldn't.
Muddy_Funster Posted December 31, 2012 Another thing you could look into would be to use $_SESSION variables, rather than URL variables, to pass the information between pages in a way that is not immediately visible to the end user. But as requinix said, you must validate the user before allowing them to make changes to anything, regardless of which way you do it.
PHP_Student_12550 (Author) Posted December 31, 2012 Just a little more information about my issue. In my code, I do have the routine where a user has to enter their email address and their password. Of course they must match what is on file. Once that information is entered, a listing of all of their postings is displayed. For example, they have 3 postings to choose from. They then select the posting that they want to delete. Once that is selected, the record ID of that record is sent to the file to be deleted. I understand about all the checks that must be passed before they can delete a record, but I can't figure out how to avoid having the record number showing up in the URL: www.someWebSite.com/deleteRec?recID=380 I'm going to try the $_SESSION variables.
requinix Posted December 31, 2012 You don't have to care about that! Putting it in the session just makes it that much harder for me, as a power user, to use your site. Bookmark a page? Nope, can't do that. Multiple tabs? Nope, can't do that. Just leave it alone. It's perfectly fine to have the ID in there. You do see that every other major website has them in there too, right? It's not a problem.
Christian F. Posted December 31, 2012 While it is indeed perfectly fine to leave the ID in the request body itself, and what you should do, I don't quite agree with using the GET method for deletions. Not only does this violate the HTTP spec, but it also means that web-spiders (and certain browsers) might give you a very nasty surprise, precisely because of this violation, as they assume that all GET requests are safe and free of side-effects. What you should be using is a POST (preferably DELETE, according to the spec) request for this, which is stated to have side-effects, and thus will not be automatically followed by any application. Also, having a confirmation message might be a good idea, so that users don't mistakenly delete something by simply clicking on the wrong button.
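Putting requinix's ownership check and Christian F.'s POST-only advice together, here is an added example (not code from the thread or from any poster). It assumes a `posts` table with columns `rec_ID` and `owner_id`, a server-side session holding `user_id`, and constructed sample rows where user 1 owns record 380 and user 2 owns record 346.

```php
<?php
// Added example: ownership-scoped deletion. Table/column names and the
// session layout are assumptions; the rows below are constructed demo data.
declare(strict_types=1);

function setupDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (rec_ID INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT)');
    $stmt = $db->prepare('INSERT INTO posts (rec_ID, owner_id, body) VALUES (?, ?, ?)');
    $stmt->execute([380, 1, 'post owned by user 1']);
    $stmt->execute([346, 2, 'post owned by user 2']);
    return $db;
}

// The shape described in the thread trusts rec_ID from the URL alone:
//   $db->exec("DELETE FROM posts WHERE rec_ID = " . $_GET['rec_ID']);
// so any logged-in user who edits 380 to 346 removes another user's post.

// Hardened: the WHERE clause is scoped to the caller's own user id, taken
// from the server-side session, never from anything the client sends.
function deleteOwnPost(PDO $db, int $sessionUserId, int $recId): bool {
    $stmt = $db->prepare('DELETE FROM posts WHERE rec_ID = :id AND owner_id = :owner');
    $stmt->execute([':id' => $recId, ':owner' => $sessionUserId]);
    return $stmt->rowCount() === 1;   // false when the row is not theirs (or absent)
}

// Handler: accept POST only (GET stays side-effect free), require a logged-in
// session, validate the id, then attempt the scoped delete.
function handleDeleteRequest(PDO $db, string $method, array $session, array $post): int {
    if ($method !== 'POST') {
        return 405;                                   // Method Not Allowed
    }
    if (!isset($session['user_id'])) {
        return 401;                                   // not logged in
    }
    $recId = filter_var($post['rec_ID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($recId === false) {
        return 400;                                   // malformed id
    }
    // 404 rather than 403 so the response does not reveal whether someone else's id exists.
    return deleteOwnPost($db, (int) $session['user_id'], $recId) ? 200 : 404;
}

$db = setupDemoDb();
$session = ['user_id' => 1];                           // user 1 is logged in
var_dump(handleDeleteRequest($db, 'GET',  $session, ['rec_ID' => '380']));  // GET is refused
var_dump(handleDeleteRequest($db, 'POST', $session, ['rec_ID' => '346']));  // not user 1's row
var_dump(handleDeleteRequest($db, 'POST', $session, ['rec_ID' => '380']));  // user 1's own row
```

The record ID can stay in the request, as requinix says; what changes is that the server decides ownership from the session, not from the ID the client supplied.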