Protecting my $_GET URLs?
Posted: Wed Jan 27, 2016 10:19 am
Hi all...
Here is a link to the work in progress: http://toucan-talk.com/classes
Username: jethro
Password: password
I have password protected a file called 'createclassroom.php'. In that file I am using a short PHP script that generates a unique URL (using the md5() hash function) for an online virtual classroom every time the button is clicked.
The URLs look like this when they are created by the script:
Code: Select all
http://toucan-talk.com/classes/classroom.php?instance=8b1a9953c4611296a827abf8c47804d7

Below is the 'createclassroom.php' snippet that
1 - generates the md5() hash
2 - stores it in the variable '$instance'
3 - concatenates it onto the header redirect all when the form submit button is pressed.

Code: Select all
<?php
session_start();
if (isset($_SESSION['id'])) {
    if (isset($_POST['hidden'])) {
        $uid = $_SESSION['id'];
        $usname = $_SESSION['username'];
        // To generate the random string from a word
        $str = "Hello"; // word to hash
        $instance = md5($str); // hash stored in variable
        header('Location:classroom.php?instance='.$instance);
    }
} else {
    echo 'Please login';
    die();
}
?>

In the next file called 'classroom.php' I define the variable $instance as:

Code: Select all
$instance = $_GET['instance'];

And then echo $instance inside the classroom HTML/JS where the instance is generated on their servers to display the unique classroom...

Code: Select all
// The object to load and instance name. To create a different "session",
// just copy the html page and change the instance name.
var object = 'new_conference:classroom<?php echo $instance ?>';

The problem is that because I am using $_GET['instance'] which gets the "instance=xxx" from the URL that means that anyone can create a classroom (and use my resources) as long as they jiggle with the url bar, typing something like....

Code: Select all
classroom.php?instance=ANY_STRING_HERE123

So the question is how do I protect the URLs from abuse?
I need to get my variable $instance (which stores that hash code) which I have created in the createclass.php and somehow transfer that variable to the user without passing it through the URL.
Any ideas?
Many thanks in advance for your thoughts on the matter.
Jethro
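
One way to stop classroom.php from accepting arbitrary `instance` values, shown as an added example that is not part of the original post: createclassroom.php issues a random ID signed with a server-side key, and classroom.php only honours IDs whose signature verifies. The function names and the demo key are hypothetical, and the sketch assumes the link still has to be shareable, so the signed value stays in the URL.

```php
<?php
declare(strict_types=1);

// Assumption: in real use the key comes from server-side config, never from the page or URL.
const DEMO_KEY = 'constructed-demo-key-change-me';

// createclassroom.php side: mint an unguessable ID and append its HMAC.
function issue_instance(string $key): string
{
    $id = bin2hex(random_bytes(16));            // CSPRNG output, unlike md5("Hello")
    return $id . '.' . hash_hmac('sha256', $id, $key);
}

// classroom.php side: return the ID only if shape and signature are both valid.
function verify_instance(string $token, string $key): ?string
{
    if (!preg_match('/\A([0-9a-f]{32})\.([0-9a-f]{64})\z/', $token, $m)) {
        return null;                            // not something this server issued
    }
    $expected = hash_hmac('sha256', $m[1], $key);
    return hash_equals($expected, $m[2]) ? $m[1] : null;   // constant-time compare
}

// Emit the verified ID into the page's JavaScript as an encoded string literal.
function object_js(string $id): string
{
    return 'var object = ' . json_encode('new_conference:classroom' . $id) . ';';
}

// Constructed demonstration: one issued token, one typed by hand, one with a swapped ID.
$issued = issue_instance(DEMO_KEY);
$samples = [
    'issued by createclassroom.php' => $issued,
    'typed into the URL bar'        => 'ANY_STRING_HERE123',
    'ID replaced, signature kept'   => str_repeat('0', 32) . substr($issued, 32),
];
foreach ($samples as $label => $token) {
    $id = verify_instance($token, DEMO_KEY);
    echo $label, ': ', $id === null ? 'rejected' : 'accepted', PHP_EOL;
}
echo object_js((string) verify_instance($issued, DEMO_KEY)), PHP_EOL;
```

In classroom.php the same check would run on `$_GET['instance']` before any HTML is sent, with a 403 response and `exit` when `verify_instance()` returns null.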