black.horizons Posted December 11, 2006

Hi there, I'm making a news CMS for my site, just I need to have a few specific features and stuff, and I've just a huge stumbling block. I had to delete a post, and I have that sorted OK - I mean I can delete posts... but if somebody decided to type:

www.whateverdomainitis.com/news/delete-post.php?id=1&action=delete

then the post would be deleted. Does anybody know how to stop this???

kenrbnsn Posted December 11, 2006

Please post a relevant piece of code.

Ken

JasonLewis Posted December 11, 2006

Well, make an admin system. A simple one would be to have a file named config.php and store the real admin name and pass in there. Then have a login; if it is all good then set a session. Then on the delete-post.php page at the very top add an if statement to check if the session is set. If it isn't, redirect to login; if it is, delete post... simple really... am I talking about what you're talking about? :)

black.horizons Posted December 11, 2006

Well, sessions is one thing I haven't included yet... lol, I was gonna wait until the end to build them in. But if anybody can direct me to a good tutorial where sessions work in conjunction with user levels pulled from a MySQL database that would be great.

black.horizons Posted December 11, 2006

Anybody with a good sessions tutorial then?!

Ninjakreborn Posted December 11, 2006

www.freelancebusinessman.com

I have one there. I wouldn't say it's really good at this point, because it's due for a massive rewrite, and a bunch of added content. But I will be doing that later; for now, it'll give you a basic introduction, as it stood when I wrote it back then.

utexas_pjm Posted December 11, 2006

It's good practice to send sensitive data (i.e., primary keys) via POST instead of GET. On the server side you can pull data from the $_POST array instead of the $_GET or $_REQUEST array. This makes it a lot harder for people to mess with data coming back from the presentation layer and keeps your database structure hidden.

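One way to write the check at the top of delete-post.php, combining the session test and the POST-only handling suggested in the replies above. This is an added example, not code posted by anyone in the thread; the table name, the session keys, the 'admin' level and the CSRF token field are assumptions, and in-memory SQLite stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread. Assumed names: table `news`,
// session keys user_id / level / csrf, and the 'admin' level value.
// Live use: http_response_code(handle_delete($_SERVER['REQUEST_METHOD'], $_SESSION, $_POST, $db));
function handle_delete(string $method, array $session, array $post, PDO $db): int
{
    // 1. Session check first: no logged-in user means no action at all.
    if (empty($session['user_id'])) {
        return 401; // caller redirects to the login page
    }
    // 2. User level, copied into the session from the users table at login.
    if (($session['level'] ?? '') !== 'admin') {
        return 403;
    }
    // 3. State changes only via POST, so a typed or linked URL does nothing.
    if ($method !== 'POST') {
        return 405;
    }
    // 4. A POST can still be forged from another site while the admin is
    //    logged in, so require the per-session token the delete form embedded.
    $token = $session['csrf'] ?? '';
    $sent  = $post['csrf'] ?? null;
    if ($token === '' || !is_string($sent) || !hash_equals($token, $sent)) {
        return 403;
    }
    // 5. The id must be a positive integer, bound as a parameter.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 400;
    }
    $stmt = $db->prepare('DELETE FROM news WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (id, title) VALUES (1, 'First post')");
$admin = ['user_id' => 7, 'level' => 'admin', 'csrf' => bin2hex(random_bytes(16))];

// Logged out, then logged in but via GET: both are refused and the row stays.
var_dump(handle_delete('GET', [], ['id' => '1'], $db));
var_dump(handle_delete('GET', $admin, ['id' => '1'], $db));
// The real form submission: POST carrying the session's token.
var_dump(handle_delete('POST', $admin, ['id' => '1', 'csrf' => $admin['csrf']], $db));
```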