php - is passing variables through url secure?

rudeboymcc · 31 Mar 2006 at 00:59

Hi. I'm trying to make a website in php (mainly) witha myssql database. At the moment, if I need to send a variable to another webpage I do the following

example)

localhost/usersdetails.php?userID=1

is there anyway of making this secure? surely at the moment anyone can just type that in and choose any userID they like and see all the users details?

I've tried searching but the closest thing i could find to what I want is md5 hashing, but from what I understand that's only one way, so if I hash "userID=1" I won't be able to "dehash" it in the next webpage.

Is there any hidden way (which is secure) to pass variables to other pages?

rudeboymcc · 31 Mar 2006 at 13:33

and this post method is secure? Is there anyway to define the values posted manually?

looks to be a good solution.

I was trying to use sessions for a while but I had a problem. I need the session variable to only be made when the link is pressed. But I dont know how to do this. (i..e i don't want the session variable to be made when the page is loaded and hten passed when the button is pressed, because if i have loads of rows in the page, the session variables will be only the last row).

How do i code a button/link that WHEN PRESSED makes the session variable and then links to the next page? I had something like this:

Code:

<span class="phpmaker">
<a href=  
[PHP]<?php  $_SESSION["choices_MasterKey_userID"] = $x_userID;  
 ?>[/PHP]
"useredit.php">Edit</a>
</span>

This code runs the php script even before the button is pressed.

rudeboymcc · 31 Mar 2006 at 16:47

surely it's more secure becuase the user can't see the details in *** URL. whereas in the Get method you can just type in whatever values you want in the url.

is it just as easy to change the post values?

rudeboymcc · 31 Mar 2006 at 19:42

K well I'm trying to use cookies but I have a problem. Here's the code I'm using at the moment to test:

Code:

<form action="choicesedit.php" method="POST">
    <input type="hidden" name="x_choiceID" value= "<?php setcookie("x_choiceID", $x_choiceID); ?><?php echo $x_choiceID; ?>">
	
    <input type="Submit" value="Edit">

This is a table of information, and the button above is located at the end of every row. The choiceID changes as you move down the table becuase each row has a different choiceID.

The problem is, the setcookie() method uses choiceID of the last row. so even if the button is in the first row, the choiceID used will be the one for the last row. This is wierd becuase when I send the choiceID with the Post method, it's the correct one.

This suggests that the cookie is set as soon as the page is loaded and not when the button is pressed. How do i change this behaviour?

rudeboymcc · 1 Apr 2006 at 11:17

Berserker said:
Yes, you can't use cookies like that (well, you might be able to with javascript, but that's an entirely different story).

Using POST/GET for that is fine, since you're just sending back information from a form. Just avoid sending information that you don't have to.

I use session IDs and a database for tracking activity on my own site (just like this forum does), but it's not the easiest thing to do if you're new to PHP.

can you give me some clue as to how to do it in javascript? I've searched everywhere and it seems i'm the only idiot having this problem (or paranoid enough to even think about it).