Dear friends :
I have a file "chooserecord.php" where a user can choose a record (which belongs to his/her user account) and click on a "delete register" button.
Then, it takes you to the file "deleterecord.php" where the record status will be changed in the database.. but, here is the question :
When the user chooses the record to delete (change status), it passes that record id like this :
<a href="deleterecord.php?code=3">Click here to delete record 3</a>
And it works.... but... it is not safe !! because, any user could enter directly typing in the URL things like "deleterecord.php?code=4" or "...?code=5" or whatever, and delete the record without having permission... !! so .. what is the best practice for this ?
I'll appreciate your answers,
You're right, it's not safe. Generally, you never want to use the GET method for activities that alter the data in any way. Always use POST for that. In addition, you might want to perform additional validation to ensure that the data to be deleted is associated with the logged in user.
Even the FORM method can be emulated pretty easily. But if you have the Restrict Access to page applied to each page, then it makes the hack more difficult. The highest level of security would be to encrypt that part of the site with SSL.
Lon Winters wrote:
Even the FORM method can be emulated pretty easily. But if you have the Restrict Access to page applied to each page, then it makes the hack more difficult. The highest level of security would be to encrypt that part of the site with SSL.
I kind of assumed that the OP is already restricting access to the script based on their original message. Even with restricted access, it would still be possible for a logged-in user to delete someone else's records using an id passed in the query string. That's why I suggested the additional methods.
Give your users their own username and password.
Track them using Sessions
and in the deletion page, check both user AND the record, whether they belong to each other.
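Putting the thread's advice together (POST instead of a GET link, a logged-in session, and checking that the record belongs to that user), here is an added example of what "deleterecord.php" could look like. It is not code from any of the posters; it assumes a table `records(id, user_id, status)`, a `db.php` that defines a PDO connection `$pdo`, that login stored the user's id in `$_SESSION['user_id']`, and that "chooserecord.php" put a token from `$_SESSION['csrf_token']` into a hidden form field.

```php
<?php
// deleterecord.php (added example, not from the thread).
// Assumed: db.php defines $pdo (PDO); login set $_SESSION['user_id'].
session_start();
require __DIR__ . '/db.php';

// 1. Only logged-in users may reach this at all.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in.');
}

// 2. State changes only via POST, never via a plain GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed.');
}

// 3. Per-session token so another site cannot submit this form on the
//    user's behalf. chooserecord.php is assumed to have created it with
//    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)) and emitted it
//    in a hidden <input name="token">.
if (!isset($_POST['token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['token'])) {
    http_response_code(403);
    exit('Invalid token.');
}

// 4. Validate the id as an integer before it goes anywhere near SQL.
$code = filter_input(INPUT_POST, 'code', FILTER_VALIDATE_INT);
if ($code === false || $code === null) {
    http_response_code(400);
    exit('Bad record id.');
}

// 5. Ownership check and status change in one statement: the row is only
//    touched if it belongs to the logged-in user, so guessing code=4 for
//    someone else's record affects zero rows.
$stmt = $pdo->prepare(
    'UPDATE records SET status = :status WHERE id = :id AND user_id = :uid'
);
$stmt->execute([
    ':status' => 'deleted',
    ':id'     => $code,
    ':uid'    => $_SESSION['user_id'],
]);

if ($stmt->rowCount() === 0) {
    http_response_code(404);   // not found OR not yours; don't distinguish
    exit('No such record.');
}
echo 'Record ' . (int) $code . ' deleted.';
```

The ownership condition (`AND user_id = :uid`) is the part that stops a logged-in user from deleting other people's records; the POST and token checks stop the "type it in the URL" and cross-site cases.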