Workaround for security to http://www.something.com?var=13

mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Hi,

I am working on the following for a property website;

- The user's control panel has an option to list all the properties which they are advertising

- The user may not have uploaded an image, therefore a "Click here to upload" image is displayed which is a link to imageupload.php (upload image script).

- If the user clicks this they will be diverted to a page like the following:

http://www.something.com/property_image ... php?var=13 ( the "13" is the property id)

Now I am aware that there is a security risk with GET functions, specifically doing the above using URLs.

I need a workaround...... what first springs to mind is randomising and then md5'ing the property id so that the user cannot guess others - Would this be a good solution?

Please help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What security issues are you thinking are at issue?


I see only needing this really...
  1. The user has to be logged in to upload
  2. Verify that the property ID supplied belongs to that user.
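
The two checks listed above, as an added example that is not code from the thread: the `properties` table, its `owner_id` column and the `user_id` session key are assumed names, and the rows are constructed sample data in an in-memory SQLite database.

```php
<?php
// Added example: table/column names (properties, owner_id) and the session
// key user_id are assumptions, not taken from the thread.

/** Returns the property row only if it belongs to $userId, otherwise null. */
function findOwnedProperty(PDO $db, int $userId, $rawId): ?array
{
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the query, so another user's id matches no row.
    $stmt = $db->prepare('SELECT id, title FROM properties WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Decides the HTTP status for a request to the upload page. */
function authorizeUpload(PDO $db, array $session, array $get): int
{
    if (empty($session['user_id'])) {
        return 401; // check 1: the user has to be logged in
    }
    $property = findOwnedProperty($db, (int) $session['user_id'], $get['var'] ?? null);
    // check 2: the id must belong to this user; 404 avoids confirming that
    // an id owned by someone else exists.
    return $property === null ? 404 : 200;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE properties (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO properties VALUES (13, 1, 'Flat A'), (14, 2, 'House B')");

$cases = [
    'owner, own property'   => [['user_id' => 1], ['var' => '13']],
    'owner, other property' => [['user_id' => 1], ['var' => '14']],
    'not logged in'         => [[], ['var' => '13']],
    'malformed id'          => [['user_id' => 1], ['var' => '13abc']],
];
foreach ($cases as $label => [$session, $get]) {
    printf("%-22s => %d\n", $label, authorizeUpload($db, $session, $get));
}
```

The same `authorizeUpload()` check belongs in the handler that receives the uploaded file as well as on the page that shows the form, since the id arrives from the client in both requests.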
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

duh, of course!

cheers!