  1. #1
    SitePoint Guru
    Join Date
    Oct 2004
    Location
    uk
    Posts
    853
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    change url string

    What is the best way to stop users editing the URL?

    say

    www.xxxxxxx.com/add.php?credits=8

    Can I do it so that if they change it, the PHP won't take any notice?


    many thanks


    chris

  2. #2
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    A good solution would be to set a session value before sending them to add.php (which then wouldn't need the ?credits=8 ending), and add that amount of credits - then destroying that session variable.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona

  3. #3
    SitePoint Guru
    Join Date
    Oct 2004
    Location
    uk
    Posts
    853
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That is what I did, but just thought there might be better methods

  4. #4
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,788
    Mentioned
    151 Post(s)
    Tagged
    3 Thread(s)
    Alternative would be to NOT send something sensitive like that through the URL.
    Send it as a session instead!
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  5. #5
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    When sending a link to the user, generate a key, or a hash, of the data using md5 and a secret "salt":
    PHP Code:
    // Secret known only to the server
    define('SECRET_SALT', 'banana');

    // Key derived from the secret and the value being protected
    $key = md5(SECRET_SALT . $credits);
    $url = "add.php?credits=$credits&key=$key";
    echo $url;

    When you get a URL back from the user, generate the key again and see if it matches:

    PHP Code:
    $credits = $_GET['credits'];
    $his_key = $_GET['key'];
    // Recompute the key from the submitted value and compare
    $key = md5(SECRET_SALT . $credits);
    if ($his_key === $key) {
        // okay
    } else {
        die("sorry, wrong key");
    }
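
An added example, not part of stereofrog's post: the same signed-link idea using `hash_hmac` with SHA-256 and the constant-time `hash_equals` in place of `md5(secret . data)` and `===`, with the user id and an expiry time bound into the signature so a link cannot be passed to another account or kept indefinitely. `SECRET_KEY`, the function names and the `uid`/`exp` parameters are assumptions made for this illustration.

```php
<?php
// Added illustration; SECRET_KEY, function names and uid/exp are assumptions.
const SECRET_KEY = 'placeholder-load-a-long-random-key-from-config';

// Build the link: the MAC covers credits, the user id and an expiry time.
function sign_credit_link(int $credits, int $userId, int $ttl = 300): string
{
    $params = ['credits' => $credits, 'exp' => time() + $ttl, 'uid' => $userId];
    $params['key'] = hash_hmac('sha256', http_build_query($params), SECRET_KEY);
    return 'add.php?' . http_build_query($params);
}

// Returns the credit amount if the link is authentic, unexpired and issued
// to the logged-in user; otherwise null.
function verify_credit_link(array $get, int $sessionUserId): ?int
{
    $params = [];
    foreach (['credits', 'exp', 'uid'] as $name) {
        // Reject missing, array-valued or non-numeric parameters up front.
        if (!isset($get[$name]) || !is_string($get[$name]) || !ctype_digit($get[$name])) {
            return null;
        }
        $params[$name] = (int) $get[$name];
    }
    if (!isset($get['key']) || !is_string($get['key'])) {
        return null;
    }
    $expected = hash_hmac('sha256', http_build_query($params), SECRET_KEY);
    if (!hash_equals($expected, $get['key'])) {   // constant-time comparison
        return null;
    }
    if ($params['exp'] < time() || $params['uid'] !== $sessionUserId) {
        return null;
    }
    return $params['credits'];
}

// Constructed demo: user 42 gets a link for 8 credits, then edits the amount.
$url = sign_credit_link(8, 42);
parse_str(explode('?', $url, 2)[1], $query);
var_dump(verify_credit_link($query, 42));   // untouched link
$query['credits'] = '800';
var_dump(verify_credit_link($query, 42));   // edited link
```

A valid link can still be replayed until `exp` passes, so the one-time session value suggested in the earlier replies (or a server-side record of used links) is still needed to stop the same credits being added twice.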

