Prevent URL modification?

nitediver
Forum Contributor
Posts: 109
Joined: Tue Feb 24, 2009 9:05 am

Prevent URL modification?

Post by nitediver »

First page,
has a link with this code...

Code:

// The escaped quotes belong inside a double-quoted PHP string
echo "<a href=\"view_product2.php?id=$result[id]\">Edit</a>";

Second page,
receives the id, and displays content by id...

Code:

// Cast to an integer so the value cannot change the SQL statement
$id = (int) $_GET['id'];

$view = mysql_query("SELECT * FROM product WHERE id='$id' ORDER BY id DESC");
$fetch = mysql_fetch_array($view);

The problem...
so the second page url looks like this...

Code:

http://localhost/site/secondpage.php?id=2

if I change the "id", the page content changes,

Could anyone help/give advice to prevent anyone from changing the id in the URL...

thanks,
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Prevent URL modification?

Post by AbraCadaver »

You can set a session var on the first page equal to the id and then check it on the next page. Obviously this only works for one URL. If you had multiple links on the first page with different ids, then you would have to set a session array in the first page and check that on the next.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Prevent URL modification?

Post by Darhazer »

You can use an HMAC hash. In order to modify the link, the user would have to know how to compute the hash and, since it is an HMAC, would have to know the key. You can read about CSRF attacks and prevention methods; this will give you a good idea of how to prevent any URL-based attacks.
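
The HMAC approach suggested above, as an added example that is not part of the original post or any poster's code: the first page signs each id with a server-side key and the second page rejects any id whose signature does not match. The key constant, the "sig" parameter and the helper names are assumptions made for illustration.

```php
<?php
// Added example: HMAC-signed product links. LINK_KEY, the "sig" parameter and
// the helper names are assumptions, not code from the thread.

// Assumption: a random server-side secret loaded from configuration.
const LINK_KEY = 'placeholder-key-load-real-one-from-config';

// MAC over a labelled message, so a signature made for this link type
// cannot be replayed against a different endpoint that uses the same key.
function sign_id(int $id): string
{
    return hash_hmac('sha256', 'view_product:' . $id, LINK_KEY);
}

// First page: emit the link with the id and its signature.
function product_link(int $id): string
{
    $query = http_build_query(['id' => $id, 'sig' => sign_id($id)]);
    return '<a href="view_product2.php?' . htmlspecialchars($query, ENT_QUOTES) . '">Edit</a>';
}

// Second page: return the id only if it is an integer and the signature
// matches; return null for a missing, malformed or altered id or signature.
function verified_id(array $get): ?int
{
    $id  = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    $sig = $get['sig'] ?? '';
    if ($id === false || !is_string($sig)) {
        return null;
    }
    // hash_equals() compares in constant time.
    return hash_equals(sign_id($id), $sig) ? $id : null;
}

// Constructed sample requests standing in for $_GET.
$issued   = ['id' => '2', 'sig' => sign_id(2)];
$tampered = ['id' => '3', 'sig' => $issued['sig']];

echo product_link(2), PHP_EOL;
var_dump(verified_id($issued), verified_id($tampered));

// The verified integer is then bound as a parameter in the product query.
```

A valid signature only proves that the server issued a link for that id; it does not identify who is allowed to follow it, so records that belong to specific users still need an authorization check on the second page.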
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Prevent URL modification?

Post by requinix »

If that page shows some kind of "product" information then why do you care if someone tries to view another product? Trying to prevent that is just going to create a bad user experience.

If they aren't "products" and only some people should be able to view a specific page then implement the most basic of authentication schemes. Encrypting identifiers, using the session, all that is just masking the real problem.
nitediver
Forum Contributor
Posts: 109
Joined: Tue Feb 24, 2009 9:05 am

Re: Prevent URL modification?

Post by nitediver »

thanks everyone for giving advice,
anything will be useful, maybe for another time...

@tasairis
you make me realize, that page was for showing product...