Setting variable with HREF click

Anon

I've run into a slight problem with an application I'm working on. A user performs a search which will return a page with a table containing the search results. Each row of the table has a description field which is a link to more details about that particular row.

Currently when the user clicks on a description link PHP generates the URL something along the lines of <a href="<?php echo $PHP_SELF; ?>?opcode=View&req_no=<?php echo $search->[5]; ?>">

The problem is that using this method users can type in the url directly and replace the req_no with any number they wish, possibly viewing records they shouldn't be viewing.

Is there a method that anyone knows of that will allow me to set a session variable at the time the user clicks the link so that it is not able to be changed via the URL?

Any suggestions would really be appreciated and if you think you know what I'm talking about but find me slightly confusing don't let that stop you!!

Thanks in advance guys,

Matt Anderson

Anon

What you can do is check the HTTP_REFERER server variable. If the domain is from your website (or the link is from your page) then display the info. If not, print out an error or re-direct to another page.

The only downfall are browsers. Some old browsers do not send in the HTTP_REFERER variable to the server so then that way you have no idea whether the user clicked a link or whether they just typed in the link.

Another possible solution is to only display public items. Lets say req_no 3, 5, and 7 should not be seen. Then go through a switch statement and check whether req_no is 3, 5, or 7. If so, print out a 'denied' message. If not, show the resulting page.

-sridhar

Anon

There is another aproach to the problem.
Use recordnumbers that cannot easily be guessed.

Instead of using the schoolbookID (ID integer primary key auto_increment) to store the IDs, use a ( ID varchar(32)) to store the ID and somehing like this function to generate the IDs:

function getUniqueIndex( )
{
return md5( uniqid( rand() ) );
}

The function will return an ID that looks like 0a4067217dd06ec81c862035783f47a0.
Try guess that !!! 😉

Anon

Another possibility is to use sessions--you might need this anyway, and then you can require the user to log in first so you know their identity and can determine whether or not it's ok to display the record.