Prevent URL modification?

Posted: Mon Mar 15, 2010 5:43 am
by nitediver
First page,
has a link with this code...

```php
// Link built inside a double-quoted PHP string; $result[id] is the product id from the database.
echo "<a href=\"view_product2.php?id=$result[id]\">Edit</a>";
```
Second page,
receives the id and displays content by id...

```php
// Read the id straight from the query string.
$id = $_GET['id'];

// The id is interpolated into the SQL string, so it must at least be escaped
// before being used in the query (the original snippet used it unescaped).
$id = mysql_real_escape_string($id);
$view = mysql_query("SELECT * FROM product WHERE id='$id' ORDER BY id DESC");
$fetch = mysql_fetch_array($view);
```
The problem...
so the second page url looks like this...

```
http://localhost/site/secondpage.php?id=2
```

If I change the "id", the page content changes.

Could anyone help or give advice on preventing anyone from changing the id in the URL...

thanks,

Re: Prevent URL modification?

Posted: Mon Mar 15, 2010 8:28 am
by AbraCadaver
You can set a session var on the first page equal to the id and then check it on the next page. Obviously this only works for one URL. If you had multiple links on the first page with different ids, then you would have to set a session array in the first page and check that on the next.

Re: Prevent URL modification?

Posted: Mon Mar 15, 2010 12:31 pm
by Darhazer
You can use an HMAC hash. In order to modify the link, the user would need to know how to compute the hash, and in the case of an HMAC, would need to know the key. You can read about CSRF attacks and prevention methods; this will give you a good idea of how to prevent any URL-based attacks.
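The HMAC approach from this reply, written out as an added example (not code from the thread); it assumes PHP 7.1+, a server-side secret you replace, a PDO connection in `$pdo`, and the helper names shown here:

```php
<?php
// Added example: sign the id when building the link, verify it before querying.
// ID_SIGN_SECRET is a placeholder; keep the real value out of the page source.
const ID_SIGN_SECRET = 'replace-with-a-long-random-server-side-secret';

// First page: append a MAC computed over the id to the link.
function signed_product_url(int $id): string {
    $sig = hash_hmac('sha256', (string)$id, ID_SIGN_SECRET);
    return 'view_product2.php?' . http_build_query(['id' => $id, 'sig' => $sig]);
}

// Second page: recompute the MAC over the received id and compare in constant
// time. Returns null for a missing, non-numeric or tampered id.
function verified_product_id(array $query): ?int {
    if (!isset($query['id'], $query['sig']) || !ctype_digit((string)$query['id'])) {
        return null;
    }
    $expected = hash_hmac('sha256', (string)$query['id'], ID_SIGN_SECRET);
    return hash_equals($expected, (string)$query['sig']) ? (int)$query['id'] : null;
}

// Second page usage: reject bad links, then query with a bound parameter
// instead of interpolating $id into the SQL string.
$id = verified_product_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid link');
}
$stmt = $pdo->prepare('SELECT * FROM product WHERE id = :id');
$stmt->execute([':id' => $id]);
$fetch = $stmt->fetch(PDO::FETCH_ASSOC);
```

This only stops a visitor from editing the id in a link they were given; as the later reply in this thread notes, if some users must not see certain records, the page still needs a real authorization check tied to the logged-in user.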

Re: Prevent URL modification?

Posted: Mon Mar 15, 2010 3:49 pm
by requinix
If that page shows some kind of "product" information then why do you care if someone tries to view another product? Trying to prevent that is just going to create a bad user experience.

If they aren't "products" and only some people should be able to view a specific page then implement the most basic of authentication schemes. Encrypting identifiers, using the session, all that is just masking the real problem.

Re: Prevent URL modification?

Posted: Tue Mar 16, 2010 9:36 am
by nitediver
Thanks everyone for giving advice;
anything will be useful, maybe for another time...

@tasairis
you made me realize that page was for showing products...