PHP Edit Form
Posted: Tue Jun 21, 2011 6:39 am
by anp24
Hello,
I am getting the records from the database into the PHP page through a loop. Now I want to edit the individual record. Now, how should I edit the individual record. Should I create an edit button or link for the individual record? Also I want the Edit-Id for the individual record to go in a session variable and not in a hidden field. How should I go about
Thanks
Regards
Re: PHP Edit Form
Posted: Tue Jun 21, 2011 11:30 am
by social_experiment
anp24 wrote: Should I create an edit button or link for the individual record? Also I want the Edit-Id for the individual record to go in a session variable and not in a hidden field.
Use a link where the value of the id is passed along in the query string. On the point of having the edit id as a session variable, it could be a bit tricky, at least to my thinking. If you are worried about security, i.e. an edit page used to edit a record that shouldn't be edited by modifying the query string, you can (and should) do an additional check to see if the record selected can in fact be edited.
Re: PHP Edit Form
Posted: Tue Jun 21, 2011 11:21 pm
by anp24
Hello,
You are saying that passing the id in the session variable is a bit tricky. But can it be possible? What should I do to accomplish this?
Re: PHP Edit Form
Posted: Wed Jun 22, 2011 10:40 am
by social_experiment
anp24 wrote: You are saying that passing the id in the session variable is a bit tricky. But can it be possible?
To my thinking, yes, it is tricky. Why are you against using query string values or hidden forms?
Re: PHP Edit Form
Posted: Thu Jun 23, 2011 1:39 am
by anp24
This is because query string values and hidden field values can be tampered with by intercepting them through an intercepting proxy such as Burp Proxy.
Thanks
Regards
Re: PHP Edit Form
Posted: Thu Jun 23, 2011 6:02 am
by social_experiment
And that is why any input received (via POST or GET and even SESSION) should be checked.
<?php
// the id may arrive via GET, POST or SESSION; read it without a notice when it is absent
$id = isset($_GET['id']) ? $_GET['id'] : null; # $_POST['id'] or $_SESSION['id']

if (is_numeric($id))
{
    // is_numeric() only filters out obvious garbage; the lookup below is the real check.
    // test_id_in_database() stands for your own query (use a prepared statement) that
    // confirms the row exists and may be edited by the current user.
    $result = test_id_in_database($id);
    if ($result)
    {
        // value is in your database and hasn't been tampered with
    }
    else
    {
        // value has been tampered with, do something else
    }
}
?>
This type of check will be relative to the type of data you receive and to the specifics of your script.
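A fuller version of the check described in the thread, added here as an example (not code posted by either participant): the id comes from the query string, the logged-in user's id comes from the session, and the record is only returned when it both exists and belongs to that user. The `records` table, the column names and `$_SESSION['user_id']` are assumptions; the in-memory SQLite database is constructed so the script runs offline.

```php
<?php
// Added example, not from the thread. Assumes a `records` table with
// columns id, owner_id, title, and that login stored the user's id in
// $_SESSION['user_id']. Uses an in-memory SQLite database so it runs offline.

function validate_record_id($raw)
{
    // FILTER_VALIDATE_INT rejects "1e3", "1.0" and empty strings, which
    // is_numeric() would accept; min_range rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns the record only if it exists AND belongs to the current user.
// The ownership clause is the check that matters: the id in the query
// string is attacker-controlled, the user id in the session is not.
function load_editable_record(PDO $db, $rawId, $currentUserId)
{
    $id = validate_record_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, owner_id, title FROM records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed demo data (assumed schema) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO records VALUES (1, 10, 'alice record'), (2, 20, 'bob record')");

$currentUserId = 10; // in the real page: $_SESSION['user_id'] set at login

// The list page would emit the edit link as:
//   <a href="edit.php?id=<?php echo urlencode($row['id']); ?>">edit</a>
// and edit.php would call load_editable_record($db, $_GET['id'], $_SESSION['user_id']).
foreach (['1', '2', '1e0', 'abc', '-1'] as $raw) {
    $row = load_editable_record($db, $raw, $currentUserId);
    printf("id=%-4s -> %s\n", $raw, $row ? 'editable: ' . $row['title'] : 'rejected');
}
```

Only id 1 is editable for user 10; id 2 exists but belongs to another user, and the remaining values never reach the database because they fail validation.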