php - is passing variables through url secure?

Hi. I'm trying to make a website in PHP (mainly) with a MySQL database. At the moment, if I need to send a variable to another webpage I do the following (example):

localhost/usersdetails.php?userID=1


Is there any way of making this secure? Surely at the moment anyone can just type that in and choose any userID they like and see all the users' details?

I've tried searching but the closest thing I could find to what I want is md5 hashing, but from what I understand that's only one way, so if I hash "userID=1" I won't be able to "dehash" it in the next webpage.

Is there any hidden way (which is secure) to pass variables to other pages?
 
normally ?id=x isn't a good idea for exactly that reason - people can mine data very easily by simply incrementing the id.

how about ?username=x instead?

to answer your original question though... to hide the url query string you'll need to pass your queries via POST not GET using a form. obviously this will get messy if you don't want forms and just a simple link.

an equally messy way would be to receive the GET variable, store it in your SESSION array, and then header('location... to the actual page instead.
 
I'd do as jonno said and pass the variable via POST instead of GET. Just have a form with hidden boxes, set the action="xx" to the next page and then just use a submit button as the link but give it a different name via the value attribute :)

Code:
<form action="nextpage.php" method="POST">
    <input type="hidden" name="id" value="1">
    <input type="submit" value="Go to next page...">
</form>

and then in nextpage.php:

Code:
$id = $_POST['id'];

:cool:
 
And this POST method is secure? Is there any way to define the values posted manually?

looks to be a good solution.

I was trying to use sessions for a while but I had a problem. I need the session variable to only be made when the link is pressed. But I don't know how to do this. (i.e. I don't want the session variable to be made when the page is loaded and then passed when the button is pressed, because if I have loads of rows in the page, the session variables will be only the last row).

How do I code a button/link that WHEN PRESSED makes the session variable and then links to the next page? I had something like this:

Code:
<span class="phpmaker">
<a href=
<?php  $_SESSION["choices_MasterKey_userID"] = $x_userID;
 ?>
"useredit.php">Edit</a>
</span>

This code runs the php script even before the button is pressed.
 
POST is as insecure as GET, so no point using hidden forms over GET.

Hidden forms are also messy, and even if it appears insignificant, add extra bandwidth costs.

If you are viewing a list of users, and wish to have a link for each user to view details (just like these forums) GET is your only viable option.

What you can do is restrict what information is shown, namely email address etc.

Again, just like these forums do.
 
Trigger said:
I'd do as jonno said and pass the variable via POST instead of GET. Just have a form with hidden boxes, set the action="xx" to the next page and then just use a submit button as the link but give it a different name via the value attribute :)

Code:
<form action="nextpage.php" method="POST">
    <input type="hidden" name="id" value="1">
    <input type="submit" value="Go to next page...">
</form>

and then in nextpage.php:

Code:
$id = $_POST['id'];

:cool:

How on earth is that any more secure than GET?
 
Surely it's more secure because the user can't see the details in *** URL. Whereas in the GET method you can just type in whatever values you want in the URL.

Is it just as easy to change the POST values?
 
Yes.

You want to use session or cookie authentication to check the user is allowed to view what they're trying to view. Which means you need to log people in with a username and password :)
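
An added example, not part of any post in this thread: one way usersdetails.php could apply the server-side check described above, so that the userID in the URL is only honoured for a logged-in user who is allowed to see that record. The session keys, table and column names, and database credentials are assumptions.

```php
<?php
// usersdetails.php - added example, not code from the thread.
// Assumptions: the login page has already stored the account id in
// $_SESSION['user_id'] and an admin flag in $_SESSION['is_admin'];
// the users table, its columns and the DSN are hypothetical.
declare(strict_types=1);
session_start();

// Pure decision function: may $viewerId see the record of $targetId?
function can_view_user(?int $viewerId, bool $viewerIsAdmin, int $targetId): bool
{
    if ($viewerId === null) {
        return false;               // not logged in
    }
    return $viewerIsAdmin || $viewerId === $targetId;
}

// The id still arrives in the URL (?userID=1); validate it as an integer.
$targetId = filter_input(INPUT_GET, 'userID', FILTER_VALIDATE_INT);
if ($targetId === null || $targetId === false) {
    http_response_code(400);
    exit('Bad request');
}

$viewerId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$isAdmin  = !empty($_SESSION['is_admin']);

// Decide before touching the database, so a refused request gets the
// same answer whether or not the requested id exists.
if (!can_view_user($viewerId, $isAdmin, $targetId)) {
    http_response_code(403);
    exit('Forbidden');
}

// Hypothetical DSN and credentials; the prepared statement keeps the id out of the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT username, email FROM users WHERE id = ?');
$stmt->execute([$targetId]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user === false) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8'), ' ',
     htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8');
```

The same check applies unchanged if the id arrives by POST (swap INPUT_GET for INPUT_POST), because the decision rests on the session, not on how the id was sent.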
 
K well I'm trying to use cookies but I have a problem. Here's the code I'm using at the moment to test:
Code:
<form action="choicesedit.php" method="POST">
    <input type="hidden" name="x_choiceID" value="<?php setcookie("x_choiceID", $x_choiceID); ?><?php echo $x_choiceID; ?>">

    <input type="Submit" value="Edit">
</form>

This is a table of information, and the button above is located at the end of every row. The choiceID changes as you move down the table because each row has a different choiceID.

The problem is, the setcookie() method uses choiceID of the last row. So even if the button is in the first row, the choiceID used will be the one for the last row. This is weird because when I send the choiceID with the POST method, it's the correct one.

This suggests that the cookie is set as soon as the page is loaded and not when the button is pressed. How do I change this behaviour?
 
Yes, you can't use cookies like that (well, you might be able to with javascript, but that's an entirely different story).

Using POST/GET for that is fine, since you're just sending back information from a form. Just avoid sending information that you don't have to.

I use session IDs and a database for tracking activity on my own site (just like this forum does), but it's not the easiest thing to do if you're new to PHP.
 
Beansprout said:
Yes.

You want to use session or cookie authentication to check the user is allowed to view what they're trying to view. Which means you need to log people in with a username and password :)


It's not *just* as easy but it isn't hard to do. It does require some knowledge whereas anyone could fiddle with a URL.
 
Berserker said:
Yes, you can't use cookies like that (well, you might be able to with javascript, but that's an entirely different story).

Using POST/GET for that is fine, since you're just sending back information from a form. Just avoid sending information that you don't have to.

I use session IDs and a database for tracking activity on my own site (just like this forum does), but it's not the easiest thing to do if you're new to PHP.

Can you give me some clue as to how to do it in javascript? I've searched everywhere and it seems I'm the only idiot having this problem (or paranoid enough to even think about it).
 
rudeboymcc said:
Can you give me some clue as to how to do it in javascript? I've searched everywhere and it seems I'm the only idiot having this problem (or paranoid enough to even think about it).

You can't use Javascript to do this. It has to be a language which is executed on the server, such as ASP, PHP or Ruby on Rails.
 
toastyman said:
You can't use Javascript to do this. It has to be a language which is executed on the server, such as ASP, PHP or Ruby on Rails.

Cookies are set client-side and sent to the server with the next HTTP request so that's totally true :)
 
Beansprout said:
Cookies are set client-side and sent to the server with the next HTTP request so that's totally true :)

Yep, I see what that was in response to now. I read it as not being able to set cookies via Javascript, rather than to have cookie values accessed at the same time as they're set on the client :).
 
To be fair, if he set the cookie when the submit button's onclick event was fired, it would be sent when the form submitted and he'd probably get the desired effect.
 