Passing values in Master-Detail forms

Anon

Hi to all,

I'm developing a master-detail drill-down application which is pretty standard and nothing fancy. The master page lists records (i.e. ID no, name, address). The detail page displays the complete record based on the selected ID no.

My problem is with the master page. For each record, I create a link to the detail page using pseudo-code:

[A HREF="Detail.php?ID="] . $ID_NO

This works fine - the detail page loads and displays the correct record based on ID_NO. The problems is I can manually change the value of ID_NO in the URL and reload the detail page. It will then load the record of another customer. I'm sure you can imagine the security loophole in this scenario.

Is there a way to workaround this? Is there a way to pass the ID_NO invisibly? If I use hidden fields or session variables, how do I know which row/record was seleced?

Many thanks!

kparker

You just need to revalidate that the user has rights to the record in question. Or, alternatively, you could include a hash of the ID_NO and some hidden value as another variable, and recalculate the hash before allowing access--this may reduce the number of queries you have to send and thus speed things up.

Anon

Thanks for your advise. I thought of validating the rights to the record but it is too much work.

I found a more simple and elegant solution. It uses session variables and redirection. I created a very generic module called DrillDown.php that takes two parameters - the record ID and the destination form. With these in mind, I'm sure you can figure it out.

<?php
session_start();

$RECNO = $ID;
session_register('RECNO');

header("Location: " . $Dest);

In master page, code the [A HREF] tag to point to DrillDown.php and pass the 2 parameters as part of the tag. For example
[A HREF="DrillDown.php?Dest=Detail.php&ID=1]

In detail page, read the $RECNO session variable. Note that detail page does not have $RECNO value in URL.

Pls. try and let me know if there are bugs/problems.

Thanks.

kparker

That's a perfectly good solution, it seems to me.