Hidden Fields?

jesuslover037

Hey guys, I'm creating a database-driven application. It's been working great, however, I noticed a HUGE security bug--When a user clicks the edit user info page, the user's id number(which is used by the database to notify which user must be edited ex: // UPDATE WHERE id=x //) is sent through a $GET statement instead of a $POST. This is a huge security risk--rather, guarantee, because anyone could simply enter another id field into the address bar and edit another user. So I want to use a post. Here's the problem.

I basically have a link that looks like this:

Now, I have a session variable from which the login id will come:

$school_id = $_SESSION['id'];

What I want is for, when the user clicks the link, the $school_id variable is sent by a $_POST. From what I've heard, however, you can't use post without using a form. So could I somehow use a hidden form? Any help on this issue would be greatly appreciated!

NogDog

You could make a form with the hidden field, then use CSS styling to make the submit button look like link text. Or, for that matter, make it look like a button, since the users probably won't care that much which it looks like. 🙂

However, note that this does not really do anything to improve security. Anyone looking to hack your site will undoubtedly know enough to simply do a "view source" on the web page with the form to see the hidden field's name and value, and could easily submit his own HTTP request with whatever post values he'd like to send.

bradgrafelman

jesuslover037 wrote:
anyone could simply enter another id field into the address bar and edit another user.

But the same can be said about data sent via $_POST. Using one isn't more 'secure' as compared to the other.

If the id is already stored in a session variable, why even include in the form at all? Why not just pull the ID from the session when building your DB query to update the info?

EDIT: Dang! Didn't beat NogDog this time. :p

jesuslover037

Thanks guys, it honestly slipped my mind about just putting the session information! This will work for now, but I have some other values that won't be stored in sessions that need to be secure as well. Thanks for the info.