I’ve just started to learn PHP and I decided to work on a simple ticket system. I’ve managed to show a list of tickets, and when the user clicks on the ticket id I can show the ticket details by passing the ticket id variable in the URL.
Now, to update the ticket I’ve created a new form with action="ctrl_client_edit_ticket.php" method="post", so in this file I can execute the database query to update the ticket.
The problem is that I have to use $_POST to assign the ticket id to a new variable. So I thought maybe I could create a hidden field in the form.
It is working, but I don’t really know if this is the best and safest method to do this operation.
I’d say using a hidden form variable is as good a way as any, as long as you do some validation on the ticket id when it arrives at your processing script. Another way would be to create a session variable and stick it in there, but the same applies, the session variables could be altered. Obviously only you know whether that would cause an issue in your specific case, but it’s worth thinking about in the beginning rather than trying to shoe-horn in later.
Hi, many thanks for your answer. Could you please explain what kind of validation I should use? Many thanks again for your support.
I must say I’m not really experienced enough to advise specifically on what you would validate, and as I said above, your particular situation might mean that it doesn’t matter too much. But for example, if you put the ticket id in as a hidden variable, when you come to process it, it’s a bad thing to assume that the ticket id cannot have been messed with. So you’d want to check that it’s in a valid format, that it’s a valid ticket ID, and so on. You just need to think about what could happen to the database if that value has been altered.
Hi, thanks for your answer. That is a good consideration and I hadn’t thought about it. The ticket id I put into the hidden field is defined by a variable and comes from the database. Basically I’ve got a page where I show the list of tickets which belong to a specific user, and when the user clicks on view details I pass the ticket id in the URL using the hidden field. I also need to find a way to prevent someone else from typing a different id in the URL and so getting access to other users’ tickets. But many thanks for your answer and your time. I found this website more helpful and welcoming than other websites.
There’s a lot of stuff written about validation around on this forum, and some of it has links to other articles, that would be worth a look. As I mentioned earlier, it might not matter for this specific application, but it’s good to get your head around the kind of things that can be an issue and get into the habit. Passing an id as part of the URL is an easy thing for someone to change.
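The two points raised in this thread (validate the hidden ticket id before using it, and stop a user who edits the id in the URL or the hidden field from reaching other users’ tickets) can be handled in the processing script with a format check plus an ownership check in the query itself. The following PHP is an added example written for this reply, not code from the original poster; it assumes a `tickets(id, user_id, title, status)` table, that the logged-in user’s id is available from the session, and that the form posts `ticket_id` and `status`. It uses an in-memory SQLite database with constructed rows so it runs offline with the `php` CLI.

```php
<?php
// Added example (not from the thread). Assumptions: the logged-in user's id comes
// from $_SESSION['user_id'] in the real page, the table is tickets(id, user_id, title,
// status), and the edit form posts 'ticket_id' (hidden field) and 'status'.
// An in-memory SQLite database with constructed rows stands in for the real one.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT, status TEXT)');
    // Constructed sample rows: ticket 1 belongs to user 10, ticket 2 to user 20.
    $db->exec("INSERT INTO tickets VALUES (1, 10, 'Printer jam', 'open'), (2, 20, 'VPN down', 'open')");
    return $db;
}

// Format check: a hidden field is just another request parameter and can be edited,
// so treat it as untrusted input. Anything that is not a positive integer is rejected
// before it gets anywhere near the database.
function parse_ticket_id(array $params): ?int {
    $raw = $params['ticket_id'] ?? null;
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Ownership check for the "view details" page: the WHERE clause requires both the
// ticket id and the current user's id, so a guessed id for someone else's ticket
// returns nothing instead of leaking it. Bound parameters keep values out of the SQL.
function load_ticket_for_user(PDO $db, int $userId, int $ticketId): ?array {
    $stmt = $db->prepare('SELECT id, title, status FROM tickets WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $ticketId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same idea for the update: an altered ticket id that belongs to another user
// matches zero rows, so the caller can tell the difference and refuse.
function update_ticket_status(PDO $db, int $userId, int $ticketId, string $status): bool {
    $allowed = ['open', 'closed'];           // whitelist the other posted value too
    if (!in_array($status, $allowed, true)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE tickets SET status = :status WHERE id = :id AND user_id = :uid');
    $stmt->execute([':status' => $status, ':id' => $ticketId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// Simulated requests (constructed): the legitimate owner, a tampered hidden field
// pointing at another user's ticket, and a non-numeric value.
$db = open_db();
$currentUser = 10; // would be $_SESSION['user_id'] in the real page

$requests = [
    ['ticket_id' => '1', 'status' => 'closed'],
    ['ticket_id' => '2', 'status' => 'closed'],
    ['ticket_id' => "1' OR 1=1--", 'status' => 'closed'],
];
foreach ($requests as $post) {
    $id = parse_ticket_id($post);
    if ($id === null) {
        echo "rejected: ticket id is not a positive integer\n";
        continue;
    }
    $ticket = load_ticket_for_user($db, $currentUser, $id);
    if ($ticket === null) {
        echo "ticket $id: not found for this user, nothing shown or updated\n";
        continue;
    }
    $ok = update_ticket_status($db, $currentUser, $id, $post['status']);
    echo $ok ? "ticket $id updated\n" : "ticket $id not updated\n";
}
```

The same `parse_ticket_id` and `load_ticket_for_user` pair serves the details page that reads the id from `$_GET`, since the value in the URL is no more trustworthy than the hidden field. Doing the ownership check inside the query, rather than fetching the ticket and comparing `user_id` afterwards, means there is no code path that can forget the comparison.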