[FX.php List] How to avoid URL counterfeiting

Joel Shapiro jsfmp at earthlink.net
Thu Jun 28 09:26:25 MDT 2007

Hi William

Are the salesId and/or conID going to be unique per session, after  
login perhaps?  If so, then you should be able to set them as session  
variables (as you suggest) and leave them out of the URL altogether.   
Your called page (filename.php) could then just use the session  
variables in place of $_GET['salesId'] and/or $_GET['conID'].

Or are these values going to vary throughout a user's session?

Since you like looking at the archives... there was a thread I had  
started on April 24, 2006 entitled "Disallowing access thru modifying  
url?" that had some great responses.  (That was way early in my PHP  
life... I didn't even know what the term GET meant -- yoiks! :)


On Jun 28, 2007, at 4:54 AM, William Downs wrote:

> Hi guys -
> excellent breadth of knowledge here I have to say ! - but a lot of
> archive material to get through !
> I am forced sometimes to use header : Location:
> filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
> (or a malicious one) may of course swap out the ids - what's the best
> method of not allowing this to happen ? - I will log them out of
> course if they try this :-)
> I am thinking about setting session variables and comparing them to
> the request variables, but is the correct method ?
> William
> -- 
> To see victory only when it is within the ken of the common herd is
> not the acme of excellence.
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list

More information about the FX.php_List mailing list