What is the best way to stop users editing the URL?
Say:
www.xxxxxxx.com/add.php?credits=8
Can I do it so that if they change it, the PHP won't take any notice?
Many thanks,
Chris
A good solution would be to set a session value before sending them to add.php (which then wouldn't need the ?credits=8 ending), and add that amount of credits - then destroying that session variable.
Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes its enough to make that wheel more rounded"-Molona




That is what I did, but I just thought there might be better methods.


Alternative would be to NOT send something sensitive like that through the URL.
Send it as a session instead!
Mike Swiffin - Community Team Leader
Only a woman can read between the lines of a one word answer.....
I started out with nothing... and still got most of it left!





When sending a link to the user, generate a key, or a hash, of the data using md5 and a secret "salt":
PHP Code:
define('SECRET_SALT', 'banana');
// The key binds the credits value to the server-side secret
$key = md5(SECRET_SALT . $credits);
$url = "add.php?credits=$credits&key=$key";
echo $url;
When you get a URL back from the user, generate the key again and see if it matches:
PHP Code:
// SECRET_SALT must be the same constant that was defined when the link was built
$credits = $_GET['credits'];
$his_key = $_GET['key'];
// Recompute the key from the submitted credits value
$key = md5(SECRET_SALT . $credits);
if ($his_key === $key) {
    // okay
} else {
    die("sorry, wrong key");
}
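The signed-link idea from the last post, as an added example that is not part of any poster's reply: it uses HMAC-SHA256 with a constant-time comparison in place of md5(secret . data), and adds an expiry and a single-use nonce so a valid link cannot simply be requested again. The names LINK_SECRET, exp, nonce and the $usedNonces store are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. LINK_SECRET is a placeholder value.
const LINK_SECRET = 'replace-with-a-long-random-secret';

// HMAC over every signed field, with delimiters so fields cannot run together.
function sign_credit_link(int $credits, int $expires, string $nonce): string
{
    return hash_hmac('sha256', "credits=$credits|exp=$expires|nonce=$nonce", LINK_SECRET);
}

function build_credit_link(int $credits, int $ttl = 900): string
{
    $expires = time() + $ttl;
    $nonce = bin2hex(random_bytes(16));
    return 'add.php?' . http_build_query([
        'credits' => $credits,
        'exp'     => $expires,
        'nonce'   => $nonce,
        'key'     => sign_credit_link($credits, $expires, $nonce),
    ]);
}

// Returns the credit amount, or null if the link is malformed, edited, expired or reused.
// $usedNonces stands in for a server-side store (database table, cache); hypothetical.
function verify_credit_link(array $get, array &$usedNonces): ?int
{
    $patterns = ['credits' => '/^[0-9]{1,6}\z/', 'exp' => '/^[0-9]{1,12}\z/',
                 'nonce' => '/^[0-9a-f]{32}\z/', 'key' => '/^[0-9a-f]{64}\z/'];
    foreach ($patterns as $field => $re) {
        if (!isset($get[$field]) || !is_string($get[$field]) || !preg_match($re, $get[$field])) {
            return null;
        }
    }
    $expected = sign_credit_link((int) $get['credits'], (int) $get['exp'], $get['nonce']);
    if (!hash_equals($expected, $get['key'])) return null;   // edited value or wrong key
    if ((int) $get['exp'] < time()) return null;             // link is past its expiry
    if (isset($usedNonces[$get['nonce']])) return null;      // link was already used once
    $usedNonces[$get['nonce']] = true;
    return (int) $get['credits'];
}

// Constructed demo: issue a link, then check it edited, untouched, and used a second time.
$used = [];
parse_str(parse_url(build_credit_link(8), PHP_URL_QUERY), $params);
$edited = array_merge($params, ['credits' => '800']);
var_dump(verify_credit_link($edited, $used));   // credits changed in the URL
var_dump(verify_credit_link($params, $used));   // link exactly as issued
var_dump(verify_credit_link($params, $used));   // same link submitted again
```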