[FX.php List] How to avoid URL counterfeiting

Jonathan Schwartz jonathan at exit445.com
Thu Jun 28 06:22:34 MDT 2007


That's a good suggestion.  It doubles your protection and helps avoid 
non-unique unique numbers. ;-)

>I would suggest to use both recid and the random number Jonathan
>suggests, that would really make a nice combination.
>
>ggt667
>
>On 6/28/07, Jonathan Schwartz <jonathan at exit445.com> wrote:
>>One of the methods I use...create a unique random ID for each record
>>that cannot be reasonably guessed:
>>         XXXXXXXX-XXXXXXXX.
>>
>>I use this formula to generate the id: left(random*1000000,8) & "-"&
>>left(random*1000000,8)
>>
>>Unlike recid, which is sequential and easily guessed, this long ID
>>prevents easy counterfeiting.  While this is not foolproof, it's a
>>good start.
>>
>>HTH,
>>
>>Jonathan
>>
>>>Hi guys -
>>>
>>>excellent breadth of knowledge here I have to say ! - but a lot of
>>>archive material to get through !
>>>
>>>I am forced sometimes to use header : Location:
>>>filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
>>>(or a malicious one) may of course swap out the ids - what's the best
>>>method of not allowing this to happen ? - I will log them out of
>>>course if they try this :-)
>>>
>>>I am thinking about setting session variables and comparing them to
>>>the request variables, but is that the correct method?
>>>
>>>William
>>>--
>>>To see victory only when it is within the ken of the common herd is
>>>not the acme of excellence.
>>>_______________________________________________
>>>FX.php_List mailing list
>>>FX.php_List at mail.iviking.org
>>>http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>>
>>--
>>Jonathan Schwartz
>>Exit 445 Group
>>jonathan at exit445.com
>>http://www.exit445.com
>>415-381-1852
>>FileMaker 8 Certified Developer
>>


-- 
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-381-1852
FileMaker 8 Certified Developer
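The two ideas in this thread, an unguessable per-record token and a server-side comparison of session state against request parameters, combined in one PHP snippet. This is an added example, not code from the FX.php list or from any of the posters. It assumes PHP 7.4 or later, that the token is stored alongside the record when the record is created, and that `$ownerOf` stands in for the FileMaker lookup the real page would perform. One caveat worth stating: a generic `Random` function in an application platform is usually not designed to be unpredictable, so the token should come from a CSPRNG such as `random_bytes()`, and the ownership check (record belongs to the logged-in user) is what actually prevents the id swap, with the token as a second layer.

```php
<?php
// Added example (not from the FX.php list thread): unguessable record
// tokens plus a server-side ownership check, so that editing salesId in
// the URL does not expose a record the logged-in user does not own.
declare(strict_types=1);

// Build a token of the shape XXXXXXXX-XXXXXXXX from a CSPRNG.
// random_bytes() (PHP 7+) is unpredictable, unlike a plain RNG.
function makeRecordToken(): string
{
    $hex = bin2hex(random_bytes(8)); // 16 hex chars, 64 bits of entropy
    return substr($hex, 0, 8) . '-' . substr($hex, 8, 8);
}

// Constant-time comparison of the presented token with the stored one.
function tokenMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Authorization check for the receiving page: the record must belong to
// the user in the session, whatever ids the request carries, and the
// presented token must match the stored one. $ownerOf is a hypothetical
// stand-in for a database lookup returning ['ownerId' => ..., 'token' => ...]
// or null when the record does not exist.
function canAccessSale(array $session, array $request, callable $ownerOf): bool
{
    if (!isset($session['userId'], $request['salesId'], $request['token'])) {
        return false;
    }
    $record = $ownerOf((string) $request['salesId']);
    if ($record === null) {
        return false;
    }
    return $record['ownerId'] === $session['userId']
        && tokenMatches($record['token'], (string) $request['token']);
}

// Constructed sample data so the file runs stand-alone.
$records = [
    '1001' => ['ownerId' => 'alice', 'token' => makeRecordToken()],
    '1002' => ['ownerId' => 'bob',   'token' => makeRecordToken()],
];
$ownerOf = fn(string $id) => $records[$id] ?? null;

$session = ['userId' => 'alice'];

// alice's own record with its real token: allowed
$own = ['salesId' => '1001', 'token' => $records['1001']['token']];
// salesId swapped to bob's record, even with bob's real token: refused
$swapped = ['salesId' => '1002', 'token' => $records['1002']['token']];
// alice's record but a made-up token: refused
$guessed = ['salesId' => '1001', 'token' => '00000000-00000000'];

foreach (['own' => $own, 'swapped' => $swapped, 'guessed' => $guessed] as $label => $req) {
    printf("%-8s %s\n", $label, canAccessSale($session, $req, $ownerOf) ? 'allowed' : 'refused');
}
```

When the check fails, the page can log the user out as William intended; the important part is that the decision is made from the session and the stored record, never from the ids the browser sent.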
