[FX.php List] How to avoid URL counterfeiting

Gjermund Gusland Thorsen ggt667 at gmail.com
Thu Jun 28 06:17:30 MDT 2007


I would suggest using both recid and the random number Jonathan
suggests; that would really make a nice combination.

ggt667

On 6/28/07, Jonathan Schwartz <jonathan at exit445.com> wrote:
> One of the methods I use... create a unique random ID for each record
> that cannot be reasonably guessed:
>         XXXXXXXX-XXXXXXXX
>
> I use this formula to generate the id: left(random*1000000,8) & "-" &
> left(random*1000000,8)
>
> Unlike recid, which is sequential and easily guessed, this long ID
> prevents easy counterfeiting.  While this is not foolproof, it's a
> good start.
>
> HTH,
>
> Jonathan
>
> >Hi guys -
> >
> >Excellent breadth of knowledge here, I have to say! But a lot of
> >archive material to get through!
> >
> >I am forced sometimes to use header: Location:
> >filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
> >(or a malicious one) may of course swap out the IDs. What's the best
> >method of not allowing this to happen? I will log them out, of
> >course, if they try this :-)
> >
> >I am thinking about setting session variables and comparing them to
> >the request variables, but is that the correct method?
> >
> >William
> >--
> >To see victory only when it is within the ken of the common herd is
> >not the acme of excellence.
> >_______________________________________________
> >FX.php_List mailing list
> >FX.php_List at mail.iviking.org
> >http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
> --
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-381-1852
> FileMaker 8 Certified Developer
>

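The session check William asks about and the unguessable ID Jonathan suggests can be combined in PHP, the language the thread is about. What follows is an added example, not code from the thread or from FX.php. It signs the salesId and conID query parameters with an HMAC keyed by a server-side secret (assumed to be loaded from configuration outside the web root) and bound to the current session ID, so swapped or forged IDs, and URLs copied into another session, fail verification; it also derives record IDs from random_bytes() rather than a floating-point Random value, since left(Random*1000000,8) carries only about six decimal digits of entropy per half. All function names and the sample values are the example's own.

```php
<?php
// Added example (not from the FX.php thread): signed, session-bound URL
// parameters so that swapping salesId/conID in the URL is detected server-side.
// Assumptions: $secret is a long per-application secret loaded from config,
// and $sessionId is session_id() after the application's session_start().
declare(strict_types=1);

// Canonical string that gets signed: parameters in a fixed order plus the
// session id, so a signature cannot be reused by another session or
// re-attached to different ids.
function canonical_params(array $params, string $sessionId): string
{
    ksort($params);                       // order independent of how the URL was built
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode((string)$k) . '=' . rawurlencode((string)$v);
    }
    return $sessionId . '|' . implode('&', $pairs);
}

function sign_params(array $params, string $secret, string $sessionId): string
{
    return hash_hmac('sha256', canonical_params($params, $sessionId), $secret);
}

// Redirect target for header('Location: ' . $url).
function build_signed_url(string $path, array $params, string $secret, string $sessionId): string
{
    $params['sig'] = sign_params($params, $secret, $sessionId);
    return $path . '?' . http_build_query($params);
}

// Verify the query string the browser sent back (normally $_GET). Returns the
// verified parameters, or null if the signature is missing or wrong: ids
// swapped, signature forged, or URL pasted into a different session.
function verify_signed_params(array $query, string $secret, string $sessionId): ?array
{
    if (!isset($query['sig']) || !is_string($query['sig'])) {
        return null;
    }
    $sig = $query['sig'];
    unset($query['sig']);
    $expected = sign_params($query, $secret, $sessionId);
    // hash_equals compares in constant time, so timing does not reveal how
    // many leading bytes of a guessed signature were correct.
    return hash_equals($expected, $sig) ? $query : null;
}

// Unguessable record identifier in the thread's XXXXXXXX-XXXXXXXX shape,
// but built from 8 bytes of the OS CSPRNG (64 bits of entropy).
function random_record_id(): string
{
    $hex = bin2hex(random_bytes(8));      // 16 hex characters
    return strtoupper(substr($hex, 0, 8) . '-' . substr($hex, 8, 8));
}

// --- demonstration with constructed values ---
$secret    = 'replace-with-a-long-secret-loaded-from-config';   // constructed
$sessionId = 'constructed-session-id';                           // constructed

$url = build_signed_url('filename.php', ['salesId' => 42, 'conID' => 7], $secret, $sessionId);
parse_str((string)parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_signed_params($query, $secret, $sessionId) !== null);      // true: untouched URL

$query['conID'] = '8';                                                     // user swaps an id
var_dump(verify_signed_params($query, $secret, $sessionId) === null);      // true: rejected

var_dump(verify_signed_params($query, $secret, 'other-session') === null); // true: not transferable

echo random_record_id(), "\n";                                             // e.g. 3F9A12C0-7B44E1D9
```

A valid signature only proves that this server issued the URL to this session; the code behind filename.php must still check that the logged-in user is allowed to see that salesId, since a user can legitimately be handed a signed URL for their own records and nothing else. If the application calls session_regenerate_id() between issuing and following the redirect, the signature stops verifying, which is normally acceptable for a Location header the browser follows immediately.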
