leegodden Posted March 19, 2014

Hi

I have a query string along the lines of:

    <a href ="http://localhost/mypage.php?var='total'">Click me</a>

The thing is, the 'total' part of this query string is not fixed; it is determined on another page by a user's selection of prices. When the link is clicked and the page is loaded, the string reads something like:

    http://localhost/mypage.php?var='12345

How can I validate that the user has not altered the URL to something like:

    http://localhost/mypage.php?var='11122

cyberRobot Posted March 19, 2014

Have you looked into SESSION variables?

http://www.php.net/manual/en/intro.session.php

leegodden (Author) Posted March 19, 2014

Not really, am trying to avoid those.

cyberRobot Posted March 19, 2014

Are your products stored in some sort of database? If so, you could pass the information which is used to calculate the total (such as product IDs, quantities, etc.) via GET variable(s). That information will be easier to validate than a total.

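An added example of the approach cyberRobot describes (not code from the thread): the link carries only product IDs and quantities, and the receiving PHP script recomputes the total from server-side prices. The `items[ID]=quantity` parameter layout, the `PRICES` table standing in for the database, and the function name are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed price table standing in for the products database (prices in cents).
const PRICES = [101 => 1999, 102 => 4500, 205 => 250];
const MAX_QTY = 99;

/**
 * Recompute the order total from client-supplied item IDs and quantities.
 * $items has the shape of $_GET['items'], e.g. ?items[101]=2&items[205]=3
 * Returns the total in cents, or null if any ID or quantity is invalid.
 */
function total_from_items($items): ?int
{
    if (!is_array($items) || $items === []) {
        return null;
    }
    $total = 0;
    foreach ($items as $id => $qty) {
        // Accept only decimal integers in range; "1e3", "-1" and nested arrays fail.
        $id  = filter_var($id, FILTER_VALIDATE_INT);
        $qty = filter_var($qty, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => MAX_QTY]]);
        if ($id === false || $qty === false || !array_key_exists($id, PRICES)) {
            return null;
        }
        // The price is always looked up on the server, never read from the request.
        $total += PRICES[$id] * $qty;
    }
    return $total;
}

// Constructed query strings, parsed the same way PHP fills $_GET.
parse_str('items[101]=2&items[205]=3', $validCart);
parse_str('items[101]=2&items[999]=1', $unknownProduct);
parse_str('items[101]=-5', $negativeQuantity);

var_dump(total_from_items($validCart['items']));
var_dump(total_from_items($unknownProduct['items']));
var_dump(total_from_items($negativeQuantity['items']));
```

A user can still change which items or quantities are requested, but the amount charged always matches what the server's own prices say those items cost.
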
Ch0cu3r Posted March 19, 2014

Why? When dealing with sensitive data such as prices you should not be letting the client (web browser) handle it; the only time you would do this is when listing the price on the webpage, as anything set in the URL can easily be altered by the user.

Sessions are recommended as you have full control over them. The data stored in the session is stored on the server and not the client.

Ansego Posted March 19, 2014

How is this being triggered? Hyperlink? Form? If a form, you could change the action to post and collect it via $_POST[]?

cyberRobot Posted March 19, 2014

> How is this being triggered? Hyperlink? Form? If a form, you could change the action to post and collect it via $_POST[]?

POST variables can also be tampered with.

leegodden (Author) Posted March 19, 2014

It's triggered from a hyperlink.

leegodden (Author) Posted March 19, 2014

The trouble with this is that the value is passed from a .erb file in Ruby to a PHP script, and I don't think this is possible with sessions.

Ansego Posted March 19, 2014

Like said in posts above, you should keep sensitive data secure and server side. But since that may not be an option, maybe as a temp option you can add the price to 987654321, then minus it when you get it at the business end, for a temp solution.

Example mock-up:

    $price + 987654321 = X    SEND
    X - 987654321 = $price    RECEIVE

Ch0cu3r Posted March 19, 2014

> Like said in posts above, you should keep sensitive data secure and server side. But since that may not be an option, maybe as a temp option you can add the price to 987654321, then minus it when you get it at the business end, for a temp solution.
>
> Example mock-up:
>
>     $price + 987654321 = X    SEND
>     X - 987654321 = $price    RECEIVE

How would that work? You can obfuscate the price however you like. You'll still have the same problem: the user is still able to modify it.

> The trouble with this is that the value is passed from a .erb file in Ruby to a PHP script, and I don't think this is possible with sessions.

If PHP can receive the value, then you can use sessions. But without seeing code we can't really give you specific instructions.

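An added example, not part of the original thread, of what it takes for the receiving script to detect an edited value when the total must travel in the URL: unlike a fixed offset, a keyed HMAC over the parameters cannot be recomputed by someone who does not hold the key. HMAC signing is not proposed by anyone in the thread; the shared secret, the `cart`/`total`/`exp`/`sig` parameter names and both function names are assumptions for this sketch, and the linking application would have to produce the same signature with the same secret.

```php
<?php
declare(strict_types=1);

// Assumption: a secret shared by the linking app and the PHP script, loaded from
// server-side configuration and never sent to the browser. Placeholder value.
const LINK_SECRET = 'replace-with-random-bytes-from-config';

// Linking side: bind the total to a cart ID and an expiry time, then sign it.
function sign_total(int $cartId, int $totalCents, int $expires): string
{
    $msg = "cart={$cartId}&total={$totalCents}&exp={$expires}";
    return $msg . '&sig=' . hash_hmac('sha256', $msg, LINK_SECRET);
}

// Receiving side: returns the total, or null if the query string was
// modified, is malformed, or has expired.
function verify_total(string $query, int $now): ?int
{
    parse_str($query, $p);
    foreach (['cart', 'total', 'exp', 'sig'] as $k) {
        if (!isset($p[$k]) || !is_string($p[$k])) {
            return null;
        }
    }
    if (!ctype_digit($p['cart']) || !ctype_digit($p['total']) || !ctype_digit($p['exp'])) {
        return null;
    }
    // Rebuild the exact signed string from the received values.
    $msg = "cart={$p['cart']}&total={$p['total']}&exp={$p['exp']}";
    $expected = hash_hmac('sha256', $msg, LINK_SECRET);
    if (!hash_equals($expected, $p['sig'])) {   // constant-time comparison
        return null;
    }
    return ((int) $p['exp'] >= $now) ? (int) $p['total'] : null;
}

// Constructed demonstration values.
$now    = 1395230400;
$query  = sign_total(42, 12345, $now + 900);
$edited = str_replace('total=12345', 'total=11122', $query);

var_dump(verify_total($query, $now));          // untouched link
var_dump(verify_total($edited, $now));         // total changed after signing
var_dump(verify_total($query, $now + 3600));   // link used after expiry
```

A valid signature only shows that the server issued that exact cart, total and expiry; the same link can be reused until it expires, so the cart ID and expiry time are part of the signed string.
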
leegodden (Author) Posted March 19, 2014

Hi

I am hoping to test this now with a hidden field using POST, something along the lines of:

    <input type="hidden" name="myFieldName" value="<%= price %>" />

and in the receiving page:

    $val = $_POST['myFieldName'];

Does this sound workable?

desjardins2010 Posted March 19, 2014

Yes, this would work, as mentioned early on by Ansego, but as cyberRobot said, POST too can be messed with, but it's way more secure than what you're doing now.

leegodden (Author) Posted March 20, 2014

It worked, and thanks to all who took time to comment on this question, much appreciated.

Archived
This topic is now archived and is closed to further replies.