Jump to content

Validating a query string to detect change from user

leegodden

By leegodden
in PHP Coding Help

Recommended Posts

leegodden Newbie

leegodden

Posted
Posted

HI

 

I have a query string along the lines of:

<a href ="http://localhost/mypage.php?var='total'">Click me</a>

The thing is the 'total' part of this query string is not fixed, it is determined on another page by a users selection of prices.

When the link is clicked and the page is loaded the string reads something like:

http://localhost/mypage.php?var='12345

How can I validate that the user has not altered the URL to something like:

http://localhost/mypage.php?var='11122
cyberRobot Prolific Member

cyberRobot

Posted
Posted

Are your products stored in some sort of database? If so, you could pass the information which is used to calculate the total (such as product IDs, quantities, etc.) via GET variable(s). That information will be easier to validate than a total.

Ch0cu3r Newbie

Ch0cu3r

Posted
Posted

Why? When dealing with sensitive data such as prices you should not be letting the client (web browser) handle it, the only time you would do this is when listing the price on the webpage. As anything set in then url can easily be altered by the user.

 

Sessions are recommended as you have full control over it. The data stored in the session is stored on the server and not the client.

Ansego Member

Ansego

Posted
Posted

Like said in posts above, should keep sensitive data secure and server side.

 

But since if that may not be an option maybe a temp option you can add the price to 987654321 then minus it when you get it at the business end for a temp solution.

 

Example Mock up:

$price + 987654321 = X SEND

X - 987654321 = $price RECEIVE 

Ch0cu3r Newbie

Ch0cu3r

Posted
Posted

Like said in posts above, should keep sensitive data secure and server side.

 

But since if that may not be an option maybe a temp option you can add the price to 987654321 then minus it when you get it at the business end for a temp solution.

 

Example Mock up:

$price + 987654321 = X SEND

X - 987654321 = $price RECEIVE 

How would that work? You can obfuscate the price however you like. You'll still have the same problem the user is still able to modify it.

 

The trouble is with this is that the value is passed from a .erb file in ruby to a php script, and I dont think this is possible with sessions

If PHP can receive the value, then you can use sessions. But without seeing code we cant really give your specific instructions.

leegodden Newbie

leegodden

Posted
  • Author
Posted

Hi I am hoping to test this now with a  hidden field using Post something along the lines of:

  <input type="hidden" name="myFieldName" value="<% = price %>" />

and in the receiving page:

$val = $_POST['myFieldName'];

Does this sound workable?

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.