  1. #1 SitePoint Guru (datune), joined Feb 2002, 625 posts

    What's a good way to pass variables (as in IDs etc.)

    Hello!

    I was wondering if it is possible to pass variables without them being shown in the URL bar.
    I want to do this:

    http://whatever/intern/firma_verwalten.php?fid=765

    But what bugs me is that users can just type in any number next to the fid and the query will be executed.
    Currently this is not really an issue since it is for local intranet use only, but some day it will require authentication along with limiting certain areas to certain users. (The fid is just an ID for a company's name, btw.)

    One guess I dare to take, which will eventually solve the problem, is using sessions and checking if the user is allowed in this area etc., but I did not have the time to dive into them yet, so I would like to know if there are any other ways of doing this.

    And whilst we're on the topic, a general question.

    The fid is an integer, which will be used in the SQL query like this:
    ....WHERE firma.F_ID=$_GET[fid] AND ......
    Now, does it make sense to prevent users from typing in anything other than a number into the fid (if they were going to, that is)?

    I mean, if someone wants to be a bugger and look at an ugly MySQL error, then it is his problem and not mine.

    An example, this is what the URL looks like:
    http://whatever/intern/firma_verwalten.php?fid=765

    And now someone enters
    http://whatever/intern/firma_verwalten.php?fid=drop database

    All that will happen is an ugly MySQL error, so does it really make sense to write that extra line of code to make sure only an integer can be passed? (I'm not stating that this or that is right, I would merely like to hear your opinions on this one specific example.)
    I do know that in general one has to check user input, but in this case? I don't know, to be honest.

    Well, thank you for your time in advance!

    Best regards from Vienna,
    datune

  2. #2 Paul S, joined Mar 2001, Mexico, 1,287 posts

    Re: What's a good way to pass variables (as in IDs etc.)

    Originally posted by datune
    I mean, if someone wants to be a bugger and look at an ugly MySQL error, then it is his problem and not mine.

    An example, this is what the URL looks like:
    http://whatever/intern/firma_verwalten.php?fid=765

    And now someone enters
    http://whatever/intern/firma_verwalten.php?fid=drop database

    All that will happen is an ugly MySQL error, so does it really make sense to write that extra line of code to make sure only an integer can be passed? (I'm not stating that this or that is right, I would merely like to hear your opinions on this one specific example.)
    I do know that in general one has to check user input, but in this case? I don't know, to be honest.

    Well, thank you for your time in advance!

    Best regards from Vienna,
    datune

    Well, fortunately PHP has several functions that could help you check the nature of the POST, GET and COOKIE variables.
    For example, if you want to avoid that error in MySQL, you can try
    PHP Code:
    if (is_numeric($_GET['fid'])) {
        // fid is a valid number so you can use it
    } else {
        // display some warning message saying that the user has used an invalid option
        exit('Invalid option');
    }

    Finally, if you want to hide your variables, I'd suggest using the POST method (where it's possible) or sessions.

    Paul
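    The check above decides whether fid is a number; it does not decide whether this user may see that company, and it still leaves the value to be spliced into SQL. An added example (not Paul's or datune's code) of a firma_verwalten.php that validates the integer, checks authorization against the session and binds the value as a parameter. The session keys `user_id` and `allowed_firms`, the column `F_Name` and the database credentials are assumptions.

```php
<?php
// Added example, not code from the thread: how firma_verwalten.php can take fid from the
// URL safely. Assumes login already stored $_SESSION['user_id'] and $_SESSION['allowed_firms']
// (an array of integer company IDs this user may open); both names are hypothetical.
session_start();

// 1. Validate the type. is_numeric() also accepts "1e3", "4.5" and " 42"; for an integer
//    key use FILTER_VALIDATE_INT, which returns false for anything that is not a plain int.
$raw = isset($_GET['fid']) ? $_GET['fid'] : '';
$fid = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
if ($fid === false) {
    http_response_code(400);
    exit('Invalid company id');        // "fid=drop database" ends here, no MySQL error
}

// 2. Authorize. A well-formed id is not a permitted id: check it against the session,
//    which the user cannot edit, rather than against anything in the URL.
if (empty($_SESSION['user_id']) || !in_array($fid, (array)$_SESSION['allowed_firms'], true)) {
    http_response_code(403);
    exit('Not allowed');
}

// 3. Query with a bound parameter so the value is sent as data, never spliced into SQL.
//    Credentials are placeholders; F_Name is an assumed column next to F_ID from the thread.
$db = new mysqli('localhost', 'intern_user', 'PLACEHOLDER_PASSWORD', 'intern');
$stmt = $db->prepare('SELECT F_ID, F_Name FROM firma WHERE F_ID = ?');
$stmt->bind_param('i', $fid);          // 'i' = integer
$stmt->execute();
$stmt->bind_result($dbId, $name);
if ($stmt->fetch()) {
    echo 'Company ' . (int)$dbId . ': ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} else {
    http_response_code(404);
    echo 'No such company';
}
$stmt->close();
```

    With this in place the question "does it make sense to check?" answers itself: the check is what turns a stray query into a 400 and a foreign id into a 403 instead of a data leak.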

  3. #3 SitePoint Guru (datune), joined Feb 2002, 625 posts
    First of all, thank you for your reply.
    How can I use the POST method to pass an id when clicking on a link?
    For example, you decide to search for a company that starts with an A; now you get all companies displayed as links along with the ID so it can be processed further (for a complete listing of the company details, for example).

    Originally posted by Paul S
    For example, if you want to avoid that error in MySQL, you can try
    PHP Code:
    if (is_numeric($_GET['fid'])) {
        // fid is a valid number so you can use it
    } else {
        // display some warning message saying that the user has used an invalid option
    }

    Thank you, but I know that; what I wanted to know is if it makes any sense to do this in the given example?

  4. #4 Paul S, joined Mar 2001, Mexico, 1,287 posts
    Originally posted by datune
    First of all, thank you for your reply.
    How can I use the POST method to pass an id when clicking on a link?

    You have two options: fsockopen() or curl().
    To be honest I haven't played enough with them; you might want to read the PHP manual to get further information (I've seen a couple of links).

    http://www.php.net/manual/en/function.fsockopen.php

    Originally posted by datune
    Thank you, but I know that; what I wanted to know is if it makes any sense to do this in the given example?

    Yes, it makes sense.

    Paul

  5. #5
    ********* Callithumpian silver trophy freakysid's Avatar
    Join Date
    Jun 2000
    Location
    Sydney, Australia
    Posts
    3,798
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    My opinion is that you should do as much validation on user supplied data as possible.

    Also, it seems to me that what you want (from your description of passing variables from one page to the next) are sessions. An area I am not that crash hot on personally, but for which there is plenty of info, tutorials and the like floating about.

  6. #6 z00om, SitePoint Enthusiast, joined Dec 2001, California, 86 posts
    Geeze people, what is SO DIFFICULT about sessions?! I never got the whole confusion...

    PHP Code:
    session_start();
    $_SESSION['variable_name'] = "value";
    // etc...
    And you have started a session and set a variable.

    To call it, ...hmm...
    $_SESSION['variable_name']

    I never saw the difficulty in that....

    Also,
    you might try using those JavaScript auto-submit scripts.... just call a JS function to submit dynamic data using a LINK.

  7. #7 SitePoint Member, joined May 2002, 20 posts
    z00om forgot to mention that you must call session_start() at the top of each page where you want to use the session variable.

    Also, when creating a session variable, variable_name from z00om's example should be the variable name without the $.

    Maybe the reason everyone has trouble with sessions is that nobody ever bothers to explain them properly!

  8. #8 ant1832, SitePoint Zealot, joined Apr 2002, Tucson, AZ, 176 posts
    Yeah, I just tried working w/ sessions yesterday and I'm amazed how simple they are to use. Key thing is to be sure to use session_start() on each page you want to use the variables on.

  9. #9 DenverDave, SitePoint Guru, joined Feb 2001, Denver, Colorado, 630 posts
    I have had the same question. Without getting into the session issue, I have set up a series of multiple mini forms to take the place of regular text links and pass the variables as hidden form variables.

    I have some issues with my form approach (buttons are larger than I would like and cumbersome to set up). I would be interested in others' approaches.

  10. #10 SitePoint Member, joined Jun 2002, 2 posts
    Hello datune,

    just an idea:

    If security is that important and you want to avoid persons fooling about with the request id, just try to crypt the id in a simple way. After obtaining the crypted request id, decrypt it and you get your plain id. If you're still worried, introduce a checksum for the crypted id, so you will see when an id has been changed by the user.

    http://server/script.php?id=1
    http://server/script.php?id=2

    becomes (for example)

    http://server/script.php?id=a723hj
    http://server/script.php?id=c45jh1

    or

    http://server/script.php?id=a723hj&chk=23hhj
    http://server/script.php?id=c45jh1&chk=sdh23

    PHP Code:
    <?php
    // crypt() is a PHP built-in and cannot be redeclared, so the functions are
    // named crypt_id() / decrypt_id(). This is a plain substitution (obfuscation),
    // not real encryption: anyone who sees a few ids can work out the mapping.
    function crypt_id($id) {
        // replace value by character: digit 0-9 -> letter
        $map = array('q', 'w', 'e', 'r', 't', 'y', 'u', 'i', 'o', 'p');
        $crypted_id = '';
        foreach (str_split((string)(int)$id) as $digit) {
            // add some additional values depending on character: one filler letter after each digit
            $crypted_id .= $map[$digit] . chr(ord('a') + ($digit * 3) % 26);
        }
        return $crypted_id;
    }

    function decrypt_id($cryptid) {
        $map = array_flip(array('q', 'w', 'e', 'r', 't', 'y', 'u', 'i', 'o', 'p'));
        $id = '';
        // get rid of unnecessary additional values: only every second character carries a digit
        for ($i = 0; $i < strlen($cryptid); $i += 2) {
            // convert character to value; anything outside the map means a malformed id
            if (!isset($map[$cryptid[$i]])) {
                return false;
            }
            $id .= $map[$cryptid[$i]];
        }
        return (int)$id;
    }


