Help me be not so stupid...

Anon

I am a beginner to PHP and mySQL. Currently I am using PHP 3. I have a security problem. I have basically send some vars from page to page with form posts and write to a couple of different tables throughout the process. My problem is this. I have on page where a user adds/deletes records from a small answers table. I insert and delete where id = $id

If someone types in www.myhost.com/mypage?id=LH1001

they see the current selects for LH1001 and have the ability to delete records...how can I secure this process?

Thanks.

Anon

If you want only surtain users to be able to delete information,
you will have to identify those users in some way.

I suppose the infamous "sessions" could be used for this.

The basic idea is to give the "authorized" users a serialnumber, either in a cookie or in the html code.
Then you can keep track of which serialnumbers are allowed to delete,
and which information they are allowed to delete.
If someone hacks into your system using an old or fake serialnumber, you can
identify it as such.

Anon

make your php only operable by POST method. and so if someone tries to use it by GET, show them error message 🙂

here is example:

if ($HTTP_REQUEST == 'POST') {
// here do all your stuff

exit();
}
else {
echo 'sorry! you cant do that ...';
exit();
}

remember, the POST in above IF statement should be same case sensitive to what you have in FORM.

good luck,
Daarius...

Anon

Couldn't they just do a:

www.myhost.com/mypage?id=LH1001&$HTTP_REQUEST=POST

Anon

Why don't you have a password for them so they can just call it like this:
www.myhost.com/mypage?id=LH1001&password=123456
or if they call it like:
www.myhost.com/mypage?id=LH1001
then it asks them to supply a password.

Anon

Interesting idea, but HTTP_REQUEST is set by PHP as it reads the data from the browser, I don't think you can override it in your request.

Anon

NOP