I have a list of rows that I have fetched using mysql_fetch_array(). Now I have created hyperlinks from these values, but the problem is that I don't want to send the id through the hyperlink. That is, if an item on the list is clicked, it navigates to view.php but the values are sent through a hidden variable.
Is there any way to do so? If not, how can I send values through the address bar such that the values are not edited by the viewer? That is, the id is not edited by the user…
Basically you want to either a.) obfuscate the ids or b.) restrict the ids a user can view.
For achieving the former, you could generate a random hash for each entry in the database that is much longer than the id and very hard to guess (hash('sha512', time() + $row['id'])). You can then use these unique hashes instead of the ids in your links.
The other approach depends highly on your application: you can keep track of the ids that you provided to the user in your session and deny the page request (send an HTTP 403 response) if the id was not in his list. An attacker might call other pages first, though (if this is possible in your application), to fill this link list in his session.
Either way, you are not guaranteed to succeed, but you can make the attack much harder.
The only method of achieving your goal for sure is to force your users to log in and decide who can see which object per user (again, if this is possible in your application).
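The two approaches from the answer above can be combined, shown here as an added example that is not part of the original answer: each link carries an unguessable token, and view.php accepts only tokens that were issued to the current session. It uses random_bytes() in place of the hash of time plus id; issueToken(), resolveToken(), the t parameter and the sample rows are hypothetical, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: per-session opaque tokens instead of raw ids in links.
// issueToken(), resolveToken() and the sample rows are hypothetical names/data.

// Map a database id to an unguessable token and remember it in the session.
function issueToken(array &$session, int $id): string
{
    // Reuse the token if this id was already offered in this session.
    $existing = array_search($id, $session['links'] ?? [], true);
    if ($existing !== false) {
        return (string) $existing;
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $session['links'][$token] = $id;
    return $token;
}

// Return the id behind a token, or null if this session never received it.
function resolveToken(array $session, $token): ?int
{
    if (!is_string($token) || !isset($session['links'][$token])) {
        return null;
    }
    return $session['links'][$token];
}

// Constructed sample data standing in for the fetched rows and $_SESSION.
$session = [];
$rows = [['id' => 7, 'title' => 'First item'], ['id' => 8, 'title' => 'Second item']];

// list.php: build links that carry the token, never the id.
foreach ($rows as $row) {
    $token = issueToken($session, $row['id']);
    printf("<a href=\"view.php?t=%s\">%s</a>\n", $token, htmlspecialchars($row['title']));
}

// view.php: look the token up; anything not issued to this session gets 403.
foreach ([$token, '9', str_repeat('0', 32)] as $requested) {
    $id = resolveToken($session, $requested);
    if ($id === null) {
        echo "403 Forbidden for t=$requested\n"; // in a web request: http_response_code(403); exit;
    } else {
        echo "200 OK, load row id $id\n";
    }
}
```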