HI
I have a query string along the lines of:
<a href =“http://localhost/mypage.php?var=‘total’”>Click me</a>
The thing is the ‘total’ part of this query string is not fixed, it is determined on another page by a users selection of prices.
When the link is clicked and the page is loaded the string reads something like:
http://localhost/mypage.php?var='12345
How can I validate that the user has not altered the URL to something like:
Can you set that total number to session on page one, then compare GET total to the session total on page 2?
Better yet, use the session value and not rely on GET at all.
Thanks for your help. I decided to go the $_POST way with a hidden field in the link page instead
Sending the information by POST isn’t any more secure, as the user could still alter the value that’s submitted. It would be better to pass the information needed to recalculate the price on the destination page.
“hidden” from displaying perhaps, but not hidden on view-source. I agree with the others. If this is for anything of importance use SESSION
Hi,
I agree, use a session, or if you absolutely have to use a query string parameter, then you will want to add a second parameter to act as the signature which will be an encrypted value which you will also check in your mypage.php file. You would rebuild your signature using the “var” parameter and whatever other values you used to build it on the first page, then compare it against the one passed to mypage.php.