PHP Edit Form

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

anp24
Forum Newbie
Posts: 13
Joined: Wed Jul 11, 2007 6:34 am

PHP Edit Form

Post by anp24 »

Hello,
I am getting the records from the database into the PHP page through a loop. Now I want to edit the individual record. Now, how should I edit the individual record? Should I create an edit button or link for the individual record? Also, I want the Edit-Id for the individual record to go in a Session Variable and not in a hidden field. How should I go about

Thanks
Regards
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: PHP Edit Form

Post by social_experiment »

anp24 wrote: Should I create an edit button or link for the individual record. Also I want the Edit-Id for individual record to go in Session Variable and not in a hidden field.

Use a link where the value of the id is passed along in the query string. On the point of having the edit id as a session variable, it could be a bit tricky, at least to my thinking. If you are worried about security, i.e. an edit page used to edit a record that shouldn't be edited by modifying the query string, you can (and should) do an additional check to see if the record selected can in fact be edited.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
anp24
Forum Newbie
Posts: 13
Joined: Wed Jul 11, 2007 6:34 am

Re: PHP Edit Form

Post by anp24 »

Hello,
You are saying that passing the id in the session variable is a bit tricky. But can it be possible? What should I do to accomplish this?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: PHP Edit Form

Post by social_experiment »

anp24 wrote: you are saying that passing the id in the session variable is a bit tricky. But can it be possible?

To my thinking, yes, it is tricky. Why are you against using query string values or hidden forms?
anp24
Forum Newbie
Posts: 13
Joined: Wed Jul 11, 2007 6:34 am

Re: PHP Edit Form

Post by anp24 »

This is because query string values and hidden field values can be tampered with by intercepting them through an intercepting proxy such as Burp Proxy.

Thanks
Regards
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: PHP Edit Form

Post by social_experiment »

And that is why any input received (via POST or GET and even SESSION) should be checked.


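<?php
 // Any of the three sources can carry a tampered value; ?? avoids an undefined-index notice
 $id = $_GET['id'] ?? null;  # $_POST['id'] or $_SESSION['id']

 // Accept whole numbers only; is_numeric() would also let "1e3" or "1.5" through
 if (filter_var($id, FILTER_VALIDATE_INT) !== false)
 {
   // test_id_in_database() stands for your own lookup function (not defined here)
   $result = test_id_in_database((int) $id);

   if ($result)
   {
    // value is in your database and hasn't been tampered with
   }
   else
   {
    // value has been tampered with, do something else
   }
 }
?>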
These types of checks will be relative to the type of data you receive and to the specifics of your script.
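The "additional check to see if the record selected can in fact be edited" discussed in this thread, as an added example that is not code from any of the posters: the id from the query string is validated as an integer and then looked up together with the logged-in user's id, so changing the id in a proxy only ever reaches rows that user owns. The function name `load_editable_record`, the `records` table with its `owner_id` column, and the sample rows are assumptions constructed for illustration; it needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table with one owner per record.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO records VALUES (1, 10, 'Alice note'), (2, 20, 'Bob note')");

/**
 * Return the record only if $rawId is a positive integer AND the record
 * belongs to $userId; otherwise null. Name and schema are hypothetical.
 */
function load_editable_record(PDO $db, $rawId, int $userId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // rejects "1e3", "1.5", "2 OR 1=1", arrays and missing values
    }
    // Ownership is part of the WHERE clause, so a tampered id pointing at
    // someone else's row looks exactly like a row that does not exist.
    $stmt = $db->prepare('SELECT id, title FROM records WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In a real page $userId would come from $_SESSION after login
// and $rawId from $_GET['id']; both are constructed here.
$userId = 10;
foreach (['1', '2', '1e3', '2 OR 1=1', null] as $rawId) {
    $row = load_editable_record($db, $rawId, $userId);
    printf("%-12s => %s\n", var_export($rawId, true),
        $row ? 'edit "' . $row['title'] . '"' : 'refused');
}
```

The same lookup has to run again in the script that saves the edited record, because the save request can be altered in the same way as the link.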