Jump to content
Larry Ullman's Book Forums

Recommended Posts

One method for passing attractive variables between scripts is to append them to an URL like so:

<a href="edit.php?x=1">edit</a>

The issue being that "x=1", while provocatively visible in the URL, is easily coerced to become "x=99",

or some other arbitrary value of dark intent and high suspicion.


Is it merely that I have yet to find the session-based solution for this in the book?


Obvious session assignments, i.e., registering a user name as a session variable, are straightforward.


But the example listed above seems to present a different sort of challenge.


 ~ David

Link to post
Share on other sites

There is a chapter in the book which details how to use cookies and sessions, though maybe not with that specific example. Once you know how to use them, you would be able to adapt them easily for your requirements.


Another option would be to use a hidden field to pass the variable.


Link to post
Share on other sites


...or some other arbitrary value of dark intent and high suspicion.

Haha! That's good!


I think the key to your solution is not in changing the URL, but properly sanitizing the URL.

For example, let's say that the x value corresponds to the user ID. In that case, if you store the user's ID in a session, then you can easily compare the two with an if statement, and only if that user should be viewing the page, allow them to do so. Otherwise, redirect them.


The following if statement could suffice:


if ($_SESSION['user_id'] == $_GET['x']) {
  // The user is authorized to view the page.
  // Use PHP or whatever to generate the viewable content.
} else {
  // The user shouldn't be viewing this page. Redirect them.


That work for ya?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...