[FX.php List] Newbie PHP Question about direct link request to DB
Jonathan Schwartz
jschwartz at exit445.com
Mon Mar 22 09:15:40 MDT 2010
Nicely said, Michael.
For the benefit of Newbies everywhere, here is
some more background on the options:
As you have appreciated, it is a good idea to
hide the recid, which is sequential in
FileMaker's realm. Of course, in the case of
using a form, "hidden" is only skin deep. It can
be viewed by revealing page source. An
unauthorized edit requires only the ability to
count. Not good.
Personally, I have settled on the following technique:
1) Upon initial record creation, create a
long random (unique) character string that serves
to identify that record to the outside world. I
use 20 digits, upper and lower alpha, set by a
Custom Function.
2) Use this string freely in either GET
or POST methods. Since it is very long and
random, it cannot (easily) be spoofed.
3) Upon initial CWP access of the target
record in question, set the recid into a Session
variable (not viewable publicly) and use the
recid later, or
4) Perform 2 requests at edit time, one
to request the recid and second to perform the
edit.
Since I use sessions, #3 is my choice. However,
while it may seem cumbersome, #4 is not a bad
choice for the right environments.
Hope that helps.
Jonathan
At 10:30 PM +1100 3/22/10, Head Honcho wrote:
>Hi Lars (I assume),
>
>The recid that you are passing as a $_GET is
>FileMaker's internal recordID. This is set by
>FileMaker and can't be changed.
>
>So, if you're trying to obfuscate using a
>calculation, you'll need to "unwrap" the calc
>before passing the true recid.
>
>Otherwise, change your requests to $_POST's
>which will be "hidden" from the user.
>
>Hope this helps, somewhat.
>
>Regards
>
>Michael Ward
>--
>Head Honcho
>CustoMike Solutions
>Member, FileMaker Business Alliance
>Member, FileMaker Technical Network
>FileMaker 7 Certified Developer
>FileMaker 8 Certified Developer
>FileMaker 9 Certified Developer
>FileMaker 10 Certified Developer
>10 Wandoo Crt
>Wheelers Hill, 3150
>ph 0414 562 501
>headhoncho at customikesolutions.com
>
>On 22/03/2010, at 9:53 PM, Lars Arlér wrote:
>
>> Hi all and thanks in advance..
>>
>> I have a little problem with my http request to my DB,
>> and my objective is to blur the link, so that not everybody can figure out the
>> next record link.
>>
>>
>> "http://xx.xx.xx.xx/browserecord.php?-action=browse&-recid=189" works ok
>>
>> "http://xx.xx.xx.xx/browserecord.php?-action=browse&-recid_calc=18920001189359742000120001" returns false/error
>>
>>
>> Both recid and recid_calc are totally identical in db field "type & option".
>>
>> I think that I found the problem in my script, but I am not that strong in PHP
>> to figure this one out alone......
>>
>> --------------------------- ZIP ZIP ZIP ---------------------------------
>>
>> case "browse" :
>> default :
>> {
>>     // read the -recid query parameter; fall back to record 1 when it is absent
>>     $recid = $cgi->get('-recid');
>>     if (!isset($recid))
>>         $recid = 1;
>>
>>     // fetch that one record from the layout by FileMaker's internal record ID
>>     $record = $fm->getRecordById($layoutName, $recid);
>>     ExitOnError($record);
>>     break;
>> }
>>
>> --------------------------- ZIP ZIP ZIP ---------------------------------
>>
>> 1. So what does this little script do ??
>> 2. And how can I make it accept the "recid_calc" ??
>> 3. Or accept any other valid field name ??
>>
>>
>> thanks in advance..
>>
>> ______________________________________________________
>>
>> MEDIADESIGN
>> Graphics-& Web design
>>
>> Lars Arlér
>> cell: +45 2814 0010
>>
>> La at mediadesign.dk
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
--
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
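As an added illustration of the technique Jonathan outlines (options #1 through #3: a long random per-record token used in the URL, resolved once and then held as the real recid in the session) and of Lars's question about looking a record up by a field other than -recid, here is a self-contained PHP sketch. It is not code from the thread or from FX.php; the in-memory `sampleDatabase()` array stands in for FileMaker, the token values and record IDs in it are constructed sample data, and the function names (`makeRecordToken`, `findRecidByToken`, `resolveRecid`) are this example's own. The comment pointing at the FileMaker PHP API find calls describes where a real lookup would go, it is not executed here.

```php
<?php
// Added example, not from the list thread. Demonstrates: (1) generating a
// 20-character random token at record creation, (2) accepting only that
// token from the client, (3) resolving it to FileMaker's internal recid
// once and parking the recid in the session so later edit requests never
// take a recid from the browser.
declare(strict_types=1);

const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const TOKEN_LENGTH   = 20;

/** Step 1: 20 random upper/lower/digit characters (~119 bits of entropy). */
function makeRecordToken(int $length = TOKEN_LENGTH): string
{
    $alphabetSize = strlen(TOKEN_ALPHABET);
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG; rand()/mt_rand() output is predictable
        // and would let a visitor guess neighbouring tokens.
        $token .= TOKEN_ALPHABET[random_int(0, $alphabetSize - 1)];
    }
    return $token;
}

/** Stand-in for the FileMaker layout: recid => fields. Constructed sample data. */
function sampleDatabase(): array
{
    return [
        189 => ['token' => 'k3Jd9LpQ2xWvT7nRb4Ys', 'name' => 'First record'],
        190 => ['token' => 'Zq8mC1vNf6HtB0eXu5Gw', 'name' => 'Second record'],
    ];
}

/**
 * Resolve the public token to the internal recid.
 * Against the real FileMaker PHP API this is where a find on the token
 * field would run (newFindCommand / addFindCriterion / execute) and the
 * single matching record's getRecordId() would be returned; the array
 * lookup below replaces that so the script runs offline.
 */
function findRecidByToken(array $db, string $token): ?int
{
    // Reject anything that is not a well-formed token before touching the DB,
    // so malformed input never reaches a find request.
    if (!preg_match('/^[A-Za-z0-9]{' . TOKEN_LENGTH . '}$/', $token)) {
        return null;
    }
    foreach ($db as $recid => $fields) {
        if (hash_equals($fields['token'], $token)) {
            return $recid;
        }
    }
    return null;
}

/**
 * Step 3: first access resolves the token and stores the recid in the
 * session; every later request (including the edit) reuses the session
 * value and ignores whatever the client sends.
 */
function resolveRecid(array $db, array &$session, ?string $token): ?int
{
    if (isset($session['recid'])) {
        return $session['recid'];
    }
    if ($token === null) {
        return null;
    }
    $recid = findRecidByToken($db, $token);
    if ($recid !== null) {
        $session['recid'] = $recid;
    }
    return $recid;
}

// CLI demo using a plain array in place of $_SESSION.
$db      = sampleDatabase();
$session = [];

// In the real page the token would come from $_GET['-token'] or a POST field.
var_dump(resolveRecid($db, $session, 'k3Jd9LpQ2xWvT7nRb4Ys')); // first access: token lookup
var_dump(resolveRecid($db, $session, 'not-a-token'));          // later request: served from session

$session = [];
var_dump(resolveRecid($db, $session, 'AAAAAAAAAAAAAAAAAAAA')); // well-formed but unknown token
var_dump(strlen(makeRecordToken()));                           // length of a freshly minted token
```

In a live FX.php or FileMaker PHP API page the `$_GET`/`$_POST` handler would read only the token, never `-recid`, and the token column should be indexed and unique so the find returns at most one record. Note also that the session write in `resolveRecid` pins one recid per session; a page that lets a user move between records would key the session entry by token instead of storing a single value.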