[FX.php List] How to avoid URL counterfeiting

Jonathan Schwartz jonathan at exit445.com
Thu Jun 28 06:09:26 MDT 2007

One of the methods I use... create a unique random ID for each record 
that cannot be reasonably guessed:

I use this formula to generate the id: left(random*1000000,8) & "-"& 

Unlike recid, which is sequential and easily guessed, this long ID 
prevents easy counterfeiting.  While this is not foolproof, it's a 
good start.



>Hi guys -
>excellent breadth of knowledge here I have to say! - but a lot of
>archive material to get through!
>I am forced sometimes to use header : Location:
>filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
>(or a malicious one) may of course swap out the ids - what's the best
>method of not allowing this to happen? - I will log them out of
>course if they try this :-)
>I am thinking about setting session variables and comparing them to
>the request variables, but is this the correct method?
>To see victory only when it is within the ken of the common herd is
>not the acme of excellence.

Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
FileMaker 8 Certified Developer
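
The two ideas in this thread (an unguessable per-record ID, and comparing session variables to the request variables) can be combined as follows. This is an added example, not code from the original post or from FX.php; the function names are hypothetical, plain arrays stand in for `$_SESSION` and `$_GET`, and PHP 7 or later is assumed for `random_bytes()`.

```php
<?php
// Added example; all function names here are hypothetical.

// Unguessable per-record ID from the OS CSPRNG: 128 bits, hex-encoded.
function new_record_token(): string
{
    return bin2hex(random_bytes(16));
}

// Before redirecting, remember server-side which IDs this session was given.
function build_redirect(array &$session, string $salesId, string $conID): string
{
    $session['allowed'] = ['salesId' => $salesId, 'conID' => $conID];
    return 'filename.php?' . http_build_query($session['allowed']);
}

// On the target page, accept the request only if both IDs match what was issued.
function request_is_authentic(array $session, array $query): bool
{
    $allowed = $session['allowed'] ?? null;
    if (!is_array($allowed)) {
        return false;               // nothing was issued to this session
    }
    foreach (['salesId', 'conID'] as $key) {
        $given = $query[$key] ?? null;
        // hash_equals() compares in constant time and needs two strings.
        if (!is_string($given) || !hash_equals($allowed[$key], $given)) {
            return false;
        }
    }
    return true;
}

// Constructed sample run: arrays stand in for $_SESSION and $_GET.
$session = [];
$url = build_redirect($session, new_record_token(), new_record_token());

parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(request_is_authentic($session, $query));   // URL exactly as issued

$query['conID'] = new_record_token();               // conID swapped by the user
var_dump(request_is_authentic($session, $query));
```

In a real page, call `session_start()` first and pass `$_SESSION` and `$_GET` in place of the sample arrays; the server-side comparison is what blocks a swapped ID, while the random token only makes other records' IDs hard to guess.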
