[FX.php List] Disallowing access thru modifying url?

Hal Gumbert hal at macfl.com
Wed Apr 26 09:03:22 MDT 2006

On Apr 24, 2006, at 1:28 PM, Joel Shapiro wrote:

> What ways are there to limit record access to *only* clicked-on links?
> When I get a list of records, clicking on any one of them links to  
> their respective url, e.g.:

You might be able to deal with this in the same way some credit card  
companies generate temporary credit card numbers for online purchases.

While generating the page for the user, add records to a  
RecordsRequest table which act as an alias to the real record like so:

- When they click on the the link, it would find the RecordsRequest  
where it could find the real record id and then go on to find the  
record of interest.
- If you made the recreq big enough it would be hard to guess one  
that existed. Generating it could be as easy as choosing a random  
single digit number/letter and appending twenty of them or so. Just  
make sure the generated number doesn't already exist.
- You could also add a RecordsRequest expiration timestamp. After a  
certain amount of time old RecordsRequest could be deleted.

Does this make sense? It would add a layer of complexity, but not too  

Hal Gumbert  <hal at macfl.com> or <hal at mac.com>
MacFL        <http://www.macfl.com>

- FileMaker 7 Certified Developer & FileMaker 8 Certified Developer
- Apple Certified ACTC 10.1,  ACHDS 10.3, ACHDS 10.4

More information about the FX.php_List mailing list