[FX.php List] Disallowing access thru modifying url?
Kevin Futter
kfutter at sbc.melb.catholic.edu.au
Tue Apr 25 16:39:50 MDT 2006
On 25/4/06 3:28 AM, "Joel Shapiro" <jsfmp at earthlink.net> wrote:
> Hi all
>
> What ways are there to limit record access to *only* clicked-on links?
>
> When I get a list of records, clicking on any one of them links to
> their respective url, e.g.:
> http://127.0.0.1/page.php?recid=1234
>
> I do not want someone to be able to edit the url in their browser to
> view recid=6789
> (I do open in a new browser window without the Address Bar, but
> certainly someone could get around that)
>
> I had been using a simple IF clause at the top of page.php to ensure
> that the record's Parent_ID field match a previously set Session
> variable, but now I need to allow the viewing of other records
> (related further down the pipe) and such an IF clause is no longer so
> simple.
>
> The recent thread between Dan and Kevin on using forms with hidden
> inputs and javascript seems like one option:
> <FORM NAME="sub" METHOD="POST" ACTION="file1.php">
> <input type="hidden" id="data" name="data" value="mydata">
> </FORM>
> <a href="file2.php"
> ONCLICK="document.sub.submit(); return false;"
> target="_blank">LINK TEXT HERE</a>
>
>
> What other options are there?
>
> TIA,
> -Joel
There's really no way to completely protect links based on a GET request -
they're inherently vulnerable. Adding JavaScript as protection is easily
defeated by simply turning it off. Another option might be to wrap each
returned record in a form and populate a hidden field with the record ID,
but you'll end up with multiple submit buttons on the page, or else back to
JS to provide an onclick handler for text-based links.
--
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.melb.catholic.edu.au/
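The thread's conclusion, that neither a hidden form nor an onclick handler stops a visitor from typing recid=6789 into the address bar, leaves the server-side check as the only control that works. The example below is added here and is not code from the thread or from FX.php; it shows how the "simple IF clause" on page.php can be generalised so the related records further down the pipe are still covered. It assumes a session variable Parent_ID set at login (the poster's setup), and uses a small constructed array of records in place of an FX.php result set; the visible_record_ids and authorize_recid functions are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from the list thread or from FX.php.
// The allowed record set is derived from session state the server controls,
// so editing recid in the URL cannot widen it.

// Constructed sample data standing in for an FX.php/FileMaker result set.
// Records "further down the pipe" are reached by following Parent_ID links
// from the parent the session belongs to.
$records = [
    '1234' => ['Parent_ID' => 'cust-A'],  // owned directly by cust-A
    '2345' => ['Parent_ID' => '1234'],    // child of 1234
    '3456' => ['Parent_ID' => '2345'],    // grandchild of 1234
    '6789' => ['Parent_ID' => 'cust-B'],  // belongs to a different parent
];

/**
 * Return every record id reachable from $rootParentId by following
 * Parent_ID chains: the complete set this session may view.
 */
function visible_record_ids(array $records, string $rootParentId): array
{
    $allowed  = [];
    $frontier = [$rootParentId];
    while ($frontier) {
        $parent = array_pop($frontier);
        foreach ($records as $recid => $row) {
            if ($row['Parent_ID'] === $parent && !isset($allowed[$recid])) {
                $allowed[$recid] = true;
                $frontier[]      = (string) $recid;  // descend one level
            }
        }
    }
    // PHP turns numeric string keys into ints; normalise back to strings.
    return array_map('strval', array_keys($allowed));
}

/**
 * Validate the raw recid from the query string and check it against the
 * allowed set. Returns the recid on success, null on any failure.
 */
function authorize_recid(?string $raw, array $allowedIds): ?string
{
    // Reject anything that is not a plain numeric id before it reaches a find.
    if ($raw === null || !preg_match('/^\d{1,10}$/', $raw)) {
        return null;
    }
    return in_array($raw, $allowedIds, true) ? $raw : null;
}

// --- page.php ---------------------------------------------------------
session_start();
// Assumption: Parent_ID was stored in the session at login; the default
// here only makes the example runnable from the command line.
$_SESSION['Parent_ID'] = $_SESSION['Parent_ID'] ?? 'cust-A';

$allowed = visible_record_ids($records, $_SESSION['Parent_ID']);
$recid   = authorize_recid($_GET['recid'] ?? null, $allowed);

if ($recid === null) {
    http_response_code(403);
    error_log('denied recid=' . ($_GET['recid'] ?? '(none)')
        . ' parent=' . $_SESSION['Parent_ID']);
    exit('Access denied.');
}
echo "Showing record $recid\n";
```

With the constructed data, recid=1234, 2345 and 3456 are served to a cust-A session and recid=6789 is refused with a 403, whether the request came from a clicked link, a typed URL or a form post. The denied requests are logged with the offending recid and parent, which is what you would watch for when someone starts walking the id space. In a real deployment the record array would be replaced by the FX.php find already run for the list page, and the reachable-id walk would become a find on Parent_ID rather than an in-memory loop.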