leegodden Posted March 19, 2014 Share Posted March 19, 2014 HI I have a query string along the lines of: <a href ="http://localhost/mypage.php?var='total'">Click me</a> The thing is the 'total' part of this query string is not fixed, it is determined on another page by a users selection of prices. When the link is clicked and the page is loaded the string reads something like: http://localhost/mypage.php?var='12345 How can I validate that the user has not altered the URL to something like: http://localhost/mypage.php?var='11122 Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/ Share on other sites More sharing options...
cyberRobot Posted March 19, 2014 Share Posted March 19, 2014 Have you looked into SESSION variables? http://www.php.net/manual/en/intro.session.php Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473090 Share on other sites More sharing options...
leegodden Posted March 19, 2014 Author Share Posted March 19, 2014 No really, am trying to avoid those Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473091 Share on other sites More sharing options...
cyberRobot Posted March 19, 2014 Share Posted March 19, 2014 Are your products stored in some sort of database? If so, you could pass the information which is used to calculate the total (such as product IDs, quantities, etc.) via GET variable(s). That information will be easier to validate than a total. Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473094 Share on other sites More sharing options...
Ch0cu3r Posted March 19, 2014 Share Posted March 19, 2014 Why? When dealing with sensitive data such as prices you should not be letting the client (web browser) handle it, the only time you would do this is when listing the price on the webpage. As anything set in then url can easily be altered by the user. Sessions are recommended as you have full control over it. The data stored in the session is stored on the server and not the client. Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473095 Share on other sites More sharing options...
Ansego Posted March 19, 2014 Share Posted March 19, 2014 How is this being trigged? hyperlink? form? if form you could change the action to post and collect it via $_POST[]; ? Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473098 Share on other sites More sharing options...
cyberRobot Posted March 19, 2014 Share Posted March 19, 2014 How is this being trigged? hyperlink? form? if form you could change the action to post and collect it via $_POST[]; ? POST variables can also be tampered with. Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473102 Share on other sites More sharing options...
leegodden Posted March 19, 2014 Author Share Posted March 19, 2014 it;s triggered from a hyperlink Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473104 Share on other sites More sharing options...
leegodden Posted March 19, 2014 Author Share Posted March 19, 2014 The trouble is with this is that the value is passed from a .erb file in ruby to a php script, and I dont think this is possible with sessions Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473112 Share on other sites More sharing options...
Ansego Posted March 19, 2014 Share Posted March 19, 2014 Like said in posts above, should keep sensitive data secure and server side. But since if that may not be an option maybe a temp option you can add the price to 987654321 then minus it when you get it at the business end for a temp solution. Example Mock up: $price + 987654321 = X SEND X - 987654321 = $price RECEIVE Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473119 Share on other sites More sharing options...
Ch0cu3r Posted March 19, 2014 Share Posted March 19, 2014 Like said in posts above, should keep sensitive data secure and server side. But since if that may not be an option maybe a temp option you can add the price to 987654321 then minus it when you get it at the business end for a temp solution. Example Mock up: $price + 987654321 = X SEND X - 987654321 = $price RECEIVE How would that work? You can obfuscate the price however you like. You'll still have the same problem the user is still able to modify it. The trouble is with this is that the value is passed from a .erb file in ruby to a php script, and I dont think this is possible with sessions If PHP can receive the value, then you can use sessions. But without seeing code we cant really give your specific instructions. Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473137 Share on other sites More sharing options...
leegodden Posted March 19, 2014 Author Share Posted March 19, 2014 Hi I am hoping to test this now with a hidden field using Post something along the lines of: <input type="hidden" name="myFieldName" value="<% = price %>" /> and in the receiving page: $val = $_POST['myFieldName']; Does this sound workable? Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473143 Share on other sites More sharing options...
desjardins2010 Posted March 19, 2014 Share Posted March 19, 2014 yes this would work mentioned early on by Ansego but as cyberRobot said POST too can be messed with but way more secure than what your doing now.. Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473172 Share on other sites More sharing options...
leegodden Posted March 20, 2014 Author Share Posted March 20, 2014 It worked, and thanks to all who took time to comment on this question, much appreciated Quote Link to comment https://forums.phpfreaks.com/topic/287082-validating-a-query-string-to-detect-change-from-user/#findComment-1473277 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.