
PHP Edit Form

Posted: Tue Jun 21, 2011 6:39 am
by anp24
Hello,
I am getting the records from the database into the PHP page through a loop. Now I want to edit an individual record. How should I edit the individual record? Should I create an edit button or a link for each record? Also, I want the edit id for the individual record to go in a session variable and not in a hidden field. How should I go about this?

Thanks
Regards

Re: PHP Edit Form

Posted: Tue Jun 21, 2011 11:30 am
by social_experiment
anp24 wrote: Should I create an edit button or link for the individual record. Also I want the Edit-Id for individual record to go in Session Variable and not in a hidden field.
Use a link where the value of the id is passed along in the query string. On the point of having the edit id as a session variable, it could be a bit tricky, at least to my thinking. If you are worried about security, i.e., an edit page being used to edit a record that shouldn't be edited by modifying the query string, you can (and should) do an additional check to see if the record selected can in fact be edited.

Re: PHP Edit Form

Posted: Tue Jun 21, 2011 11:21 pm
by anp24
Hello,
You are saying that passing the id in a session variable is a bit tricky. But is it possible? What should I do to accomplish this?

Re: PHP Edit Form

Posted: Wed Jun 22, 2011 10:40 am
by social_experiment
anp24 wrote: you are saying that passing the id in the session variable is a bit tricky. But can it be possible?
To my thinking, yes, it is tricky. Why are you against using query string values or hidden form fields?

Re: PHP Edit Form

Posted: Thu Jun 23, 2011 1:39 am
by anp24
This is because query string values and hidden field values can be tampered with by intercepting them with an intercepting proxy such as Burp Proxy.

Thanks
Regards

Re: PHP Edit Form

Posted: Thu Jun 23, 2011 6:02 am
by social_experiment
And that is why any input received (via POST or GET and even SESSION) should be checked.

Code:

<?php
 // $id may equally come from $_POST['id'] or $_SESSION['id']; the same check applies.
 $id = $_GET['id'] ?? null;

 // is_numeric() also accepts floats and exponents ("1.5", "1e3", " 1");
 // for a database key, insist on a positive integer instead.
 $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

 if ($id !== false)
 {
   // test_id_in_database() stands for your own lookup: a prepared statement
   // that returns true only if the row exists and may be edited by this user.
   $result = test_id_in_database($id);

   if ($result)
   {
    // value is in your database and hasn't been tampered with
   }
   else
   {
    // value has been tampered with, do something else
   }
 }
 else
 {
   // not a well-formed id at all: reject it before touching the database
 }
?>
This type of check will depend on the type of data you receive and on the specifics of your script.
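The check social_experiment describes is an authorization check, not just a format check: a well-formed id that belongs to another user must be rejected too. Below is an added, self-contained PHP example (not code from anyone in this thread) showing a listing page that emits one edit link per record, an edit page that validates the id and enforces ownership in the query itself, and the session variant anp24 asked about. It assumes a hypothetical `notes` table with an `owner_id` column, the logged-in user's id in `$session['user_id']`, and an in-memory SQLite database with constructed rows so it runs offline from the command line.

```php
<?php
// Added example: authorization check for an "edit record" page.
// Not from the original thread. Uses an in-memory SQLite database with
// constructed sample rows; the table and column names are assumptions.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO notes (id, owner_id, body) VALUES
           (1, 10, 'alice first'), (2, 10, 'alice second'), (3, 20, 'bob only')");

/**
 * Validate the raw id and confirm the record belongs to the current user.
 * Returns the row on success, or null if the id is malformed, missing, or
 * owned by someone else (the caller cannot tell which, on purpose).
 */
function loadEditableRecord(PDO $db, $rawId, int $currentUserId): ?array
{
    // Whitelist validation: only a positive integer is acceptable as a key.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is enforced inside the query, and the prepared statement
    // keeps the user-supplied value out of the SQL text.
    $stmt = $db->prepare('SELECT id, owner_id, body FROM notes WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Listing page: one edit link per record, with the id in the query string.
function renderEditLinks(PDO $db, int $currentUserId): string
{
    $stmt = $db->prepare('SELECT id, body FROM notes WHERE owner_id = :owner');
    $stmt->execute([':owner' => $currentUserId]);
    $html = '';
    foreach ($stmt as $row) {
        $html .= sprintf('<a href="edit.php?id=%d">Edit %s</a>' . "\n",
            $row['id'], htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Edit page, query-string variant: the id must pass validation AND ownership.
function handleEditRequest(PDO $db, array $get, array $session): string
{
    if (!isset($session['user_id'])) {
        return 'not logged in';
    }
    $row = loadEditableRecord($db, $get['id'] ?? null, (int) $session['user_id']);
    if ($row === null) {
        return 'record not found'; // same answer for tampered, foreign, and missing ids
    }
    return 'editing note ' . $row['id'] . ': ' . $row['body'];
}

// Session variant: the id still enters from a request parameter once (the
// click on the edit link), so the same check runs at the moment it is stored.
function selectForEdit(PDO $db, array $get, array &$session): bool
{
    $row = loadEditableRecord($db, $get['id'] ?? null, (int) $session['user_id']);
    if ($row === null) {
        return false;
    }
    $session['edit_id'] = $row['id'];
    return true;
}

// Later requests (e.g. the POST that saves the edit) read the id from the
// session instead of from the form, so the form cannot change which record.
function handleSaveRequest(PDO $db, array $session): string
{
    if (!isset($session['user_id'], $session['edit_id'])) {
        return 'nothing selected';
    }
    $row = loadEditableRecord($db, $session['edit_id'], (int) $session['user_id']);
    return $row === null ? 'record not found' : 'saving note ' . $row['id'];
}

// Constructed requests: alice (user 10) is logged in.
$session = ['user_id' => 10];
echo renderEditLinks($db, 10);
echo handleEditRequest($db, ['id' => '2'], $session), "\n";
echo handleEditRequest($db, ['id' => '3'], $session), "\n";
echo handleEditRequest($db, ['id' => '3 OR 1=1'], $session), "\n";
echo handleEditRequest($db, ['id' => '-1'], $session), "\n";
var_dump(selectForEdit($db, ['id' => '3'], $session));
var_dump(selectForEdit($db, ['id' => '1'], $session));
echo handleSaveRequest($db, $session), "\n";
```

Run it with `php` on the command line (the `pdo_sqlite` extension must be loaded). Only the request for note 2 and the selection of note 1 succeed; note 3 belongs to user 20 and is refused with the same "record not found" answer that a malformed id gets, so a proxy user probing ids learns nothing about which ones exist. The point for the session question is that storing the id in `$_SESSION` does not remove the check, it only moves it: the id is still chosen by a request the user controls, and the ownership check has to run where that request is handled.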