Workaround for security to http://www.something.com?var=13

Posted: Fri Mar 10, 2006 3:22 pm
by mhouldridge
Hi,

I am working on the following for a property website;

- The users control panel has an option to list all their properties which they are advertising

- The user may not have uploaded an image, therefore a "Click here to upload" image is displayed which is a link to imageupload.php (upload image script).

- If the user clicks this they will be diverted to a page like the following ;

http://www.something.com/property_image ... php?var=13 ( the "13" is the property id)

Now I am aware that there is a security risk with get functions specifically doing the above using URLs.

I need a workaround...... what first springs to mind is randomising and then md5'ing the property id so that the user cannot guess others - Would this be a good solution?

Please help.

Posted: Fri Mar 10, 2006 3:33 pm
by feyd
What security issues are you thinking are at issue?


I see only needing this really...
  1. The user has to be logged in to upload
  2. Verify that the property ID supplied belongs to that user.
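
The two checks listed above, as an added example that is not part of the original thread: the property id stays in the URL, and the server decides per request whether the logged-in user owns it. The table and column names (`properties.id`, `properties.owner_id`), the session key `user_id` and the function name `userOwnsProperty` are assumptions, and the sample rows are constructed (requires the pdo_sqlite extension).

```php
<?php
// Added example. Assumed names: table properties(id, owner_id), session key 'user_id'.

/** True only if the caller is logged in AND owns the requested property. */
function userOwnsProperty(PDO $db, ?int $userId, $propertyId): bool
{
    if ($userId === null) {
        return false; // check 1: not logged in
    }
    // Accept only a plain positive integer; "13abc", "-1" and arrays are rejected.
    $id = filter_var($propertyId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Check 2: ownership comes from the database, never from the URL.
    $stmt = $db->prepare('SELECT 1 FROM properties WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE properties (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL)');
$db->exec('INSERT INTO properties (id, owner_id) VALUES (13, 1), (14, 2)');

// In imageupload.php the inputs would be $_SESSION['user_id'] ?? null and $_GET['var'] ?? null.
$cases = [
    [1, '13'],         // owner asking for their own property
    [1, '14'],         // logged in, but property 14 belongs to user 2
    [null, '13'],      // no session
    [1, '13 OR 1=1'],  // not an integer
];
foreach ($cases as [$userId, $var]) {
    $allowed = userOwnsProperty($db, $userId, $var);
    printf("user=%s var=%s => %s\n", var_export($userId, true), var_export($var, true),
        $allowed ? 'show upload form' : 'refuse (HTTP 403)');
}
```

The same check has to run again in the request that actually receives the uploaded file, not only when the form is displayed.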

Posted: Fri Mar 10, 2006 3:46 pm
by mhouldridge
duh, of course!

cheers!