
So I have a question.

I have this project for school: a website with a form and a database. Basically, after successful form validation the input is inserted into the database, and after that the user is redirected, using echo ‘script’, to a summary page which prints the inputted values.

So on the summary page there is an SQL search using a WHERE clause plus the ID stored in the URL by the GET method from the script. My question is: how can I prevent someone from changing the ID in the URL and reading the input of other users?

I was thinking maybe a session could work, but I can't think of a reasonable solution. Thank you for your help.

2 Answers


  1. Non-sequential ids would be a band-aid over the problem. But at heart, if you want the page to not be public, you need to require them to have a session that restricts what they can see. Crudely, you can simply return with the redirect a cookie containing the id they are allowed to see and a cryptographic signature that you can verify when they do the GET. Somewhat better is to have the cookie contain a session id, and store the session information (the id they are allowed to see) in your database.

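The session-based approach from this answer, written out as an added example (this is not the answerer's code or the asker's project). It assumes a PDO connection in `$pdo` and a table `submissions` with an integer primary key `id` and columns `name` and `email`; all of those names are hypothetical. The browser only ever receives the session cookie; the id it is allowed to read lives server-side, and the id in the URL is accepted only when it matches.

```php
<?php
// Added example: bind the summary page to the PHP session instead of trusting
// the id in the URL. Table and column names below are hypothetical.
declare(strict_types=1);

session_start();

/**
 * Called on the form page after validation: insert the row and remember,
 * server-side, which row this visitor is allowed to see.
 */
function storeSubmission(PDO $pdo, string $name, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO submissions (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    $id = (int) $pdo->lastInsertId();

    // Only the session cookie reaches the browser; the allowed id stays here.
    $_SESSION['owned_submission_id'] = $id;
    return $id;
}

/**
 * Called on the summary page. The id from the URL is accepted only when it
 * equals the id stored in this visitor's session. Returns null when the id
 * is missing, malformed, or belongs to someone else.
 */
function loadOwnedSubmission(PDO $pdo, array $session, array $query): ?array
{
    $requested = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    $owned = $session['owned_submission_id'] ?? null;

    if ($requested === false || !is_int($owned) || $requested !== $owned) {
        return null; // tampered or missing id: no query is run at all
    }

    // Prepared statement: the id is bound as a parameter, never concatenated.
    $stmt = $pdo->prepare('SELECT id, name, email FROM submissions WHERE id = :id');
    $stmt->execute([':id' => $owned]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Summary page usage:
//   $row = loadOwnedSubmission($pdo, $_SESSION, $_GET);
//   if ($row === null) {
//       http_response_code(403);
//       exit('This submission is not yours.');
//   }
```

With this in place the id in the URL is redundant; the summary page could read `$_SESSION['owned_submission_id']` alone and ignore the query string entirely. Keeping the comparison is useful when the URL is shared with the user (bookmarks, back button) and you want a tampered id to fail loudly rather than silently show their own row.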
  2. You could do something like this:

    <?php
    // Encrypt the value that will travel in the URL with a fixed key.
    // Note: openssl_encrypt() returns base64 by default, so the token must be
    // passed through urlencode() before it is placed in a GET parameter.
    // ECB mode is deterministic: the same plaintext always yields the same token.
    function encryptIt($q) {
        $cryptKey = 'YourKey_String';
        $qEncoded = openssl_encrypt($q, "AES-128-ECB", $cryptKey);
        return $qEncoded;
    }

    // Reverse of encryptIt(); returns false if the token is not valid ciphertext.
    function decryptIt($q) {
        $cryptKey = 'YourKey_String';
        $qDecoded = openssl_decrypt($q, "AES-128-ECB", $cryptKey);
        return $qDecoded;
    }

    function testEncryptDecrypt() {
        // Get your ID from the DB here and format $arData as you want
        $arData = array(
            'id_cust' => 220,
            'id_user' => 45220,
            'extra' => 'toto il est beau mon lavabo',
        );
        $jsonString = json_encode($arData);
        $token = encryptIt($jsonString);
        // use the token in your GET request (urlencode($token) first)
        $kryptDone = decryptIt($token);
        $dataReturn = json_decode($kryptDone, true);
        return $dataReturn; // equals $arData when the round trip succeeded
    }
    
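An added example (not the answerer's code) of the same "encrypted id in the URL" idea built so that it actually enforces access: AES-256-GCM with a fresh random IV per token, so the ciphertext is both randomised and integrity-protected and a modified or guessed token is rejected; URL-safe base64 so the token survives a GET parameter; and the record id bound to the PHP session id, so a token copied from one visitor does not work for another. It assumes a 32-byte key loaded from configuration through a hypothetical helper `loadKey()`, and uses `session_id()` as the binding value.

```php
<?php
// Added example: an authenticated, randomised token carrying the record id.
// loadKey() is a hypothetical helper that returns 32 random bytes from config.
declare(strict_types=1);

const TOKEN_CIPHER = 'aes-256-gcm';
const TOKEN_TAG_LEN = 16;

function issueToken(string $key, int $recordId, string $sessionId): string
{
    if (strlen($key) !== 32) {
        // openssl would silently pad or truncate a wrong-length passphrase
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    $payload = json_encode(['id' => $recordId, 'sid' => $sessionId], JSON_THROW_ON_ERROR);
    $iv = random_bytes(openssl_cipher_iv_length(TOKEN_CIPHER)); // 12 bytes, new for every token
    $tag = '';
    $ciphertext = openssl_encrypt($payload, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TOKEN_TAG_LEN);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // iv || tag || ciphertext, encoded URL-safe so no urlencode() is needed
    return rtrim(strtr(base64_encode($iv . $tag . $ciphertext), '+/', '-_'), '=');
}

/**
 * Returns the record id carried by the token, or null if the token is
 * malformed, was modified, or was issued to a different session.
 */
function readToken(string $key, string $token, string $sessionId): ?int
{
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    $ivLen = openssl_cipher_iv_length(TOKEN_CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TOKEN_TAG_LEN + 1) {
        return null;
    }
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TOKEN_TAG_LEN);
    $ciphertext = substr($raw, $ivLen + TOKEN_TAG_LEN);

    // GCM tag verification happens inside openssl_decrypt: any changed byte -> false
    $payload = openssl_decrypt($ciphertext, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($payload === false) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['id'], $data['sid']) || !is_int($data['id'])) {
        return null;
    }
    // Bind the token to the session that received it (constant-time compare)
    if (!hash_equals((string) $data['sid'], $sessionId)) {
        return null;
    }
    return $data['id'];
}

// Usage after the INSERT on the form page:
//   session_start();
//   $token = issueToken(loadKey(), $newId, session_id());
//   echo '<script>location.href="summary.php?t=' . $token . '";</script>';
// On summary.php:
//   session_start();
//   $id = readToken(loadKey(), $_GET['t'] ?? '', session_id());
//   if ($id === null) { http_response_code(403); exit; }
//   // $id is now safe to bind into the prepared SELECT ... WHERE id = :id
```

The session binding is what turns encryption into authorization: without it, any valid token anyone ever received would open its record for whoever holds the URL. If the session already exists when the redirect happens, the simpler option is to store the id in `$_SESSION` and skip the token altogether.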