[FX.php List] How to avoid URL counterfeiting
Joel Shapiro
jsfmp at earthlink.net
Thu Jun 28 09:26:25 MDT 2007
Hi William
Are the salesId and/or conID going to be unique per session, after
login perhaps? If so, then you should be able to set them as session
variables (as you suggest) and leave them out of the URL altogether.
Your called page (filename.php) could then just use the session
variables in place of $_GET['salesId'] and/or $_GET['conID'].
Or are these values going to vary throughout a user's session?
Since you like looking at the archives... there was a thread I had
started on April 24, 2006 entitled "Disallowing access thru modifying
url?" that had some great responses. (That was way early in my PHP
life... I didn't even know what the term GET meant -- yoiks! :)
-Joel
On Jun 28, 2007, at 4:54 AM, William Downs wrote:
> Hi guys -
>
> excellent breadth of knowledge here, I have to say! - but a lot of
> archive material to get through!
>
> I am forced sometimes to use header: Location:
> filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
> (or a malicious one) may of course swap out the ids - what's the best
> method of not allowing this to happen? - I will log them out of
> course if they try this :-)
>
> I am thinking about setting session variables and comparing them to
> the request variables, but is that the correct method?
>
> William
> --
> To see victory only when it is within the ken of the common herd is
> not the acme of excellence.
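The two approaches discussed in this thread, written out as an added PHP example (not code from the list or from FX.php). Function names, `login.php` and the `allowedConIDs` session key are assumptions; the ids stored at login are assumed to come from your own authentication lookup.

```php
<?php
// Added example: keeping salesId/conID out of the hands of the user.
session_start();

// (1) Joel's suggestion: after login, store the user's own ids in the
//     session and leave them out of the URL altogether.
function rememberIdsAfterLogin(int $salesId, int $conID): void {
    session_regenerate_id(true);          // fresh session id on login
    $_SESSION['salesId'] = $salesId;
    $_SESSION['conID']   = $conID;
}

// filename.php then reads the session instead of $_GET.
function currentIds(): ?array {
    if (!isset($_SESSION['salesId'], $_SESSION['conID'])) {
        return null;                      // not logged in
    }
    return ['salesId' => (int)$_SESSION['salesId'],
            'conID'   => (int)$_SESSION['conID']];
}

// (2) William's approach, for ids that must travel in the URL because they
//     vary during the session: treat the query string as untrusted and check
//     it against what the session says this user may see.
//     $_SESSION['allowedConIDs'] is assumed to be filled at login.
function checkRequestedIds(): array {
    $salesId = filter_input(INPUT_GET, 'salesId', FILTER_VALIDATE_INT);
    $conID   = filter_input(INPUT_GET, 'conID',   FILTER_VALIDATE_INT);
    $ok = $salesId !== false && $salesId !== null
       && $conID   !== false && $conID   !== null
       && isset($_SESSION['salesId'])
       && $salesId === (int)$_SESSION['salesId']
       && in_array($conID, $_SESSION['allowedConIDs'] ?? [], true);
    if (!$ok) {
        // record the mismatch, then log the user out as William planned
        error_log(sprintf('id mismatch for session %s from %s',
                          session_id(), $_SERVER['REMOTE_ADDR'] ?? '?'));
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return ['salesId' => $salesId, 'conID' => $conID];
}
```

Approach (1) is simpler and preferable when the ids are fixed for the session; (2) is the fallback when they are not, and the check must be done on every page that reads them.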