Newbie Help - Hide URL? - PHPBuilder Forums

Newbie Help - Hide URL?

Anon

I've written a very basic classified advertising script that allows visitors (once registered) to place, modify and delete their classified ads.

However, I'm stumped when it comes to securing the users posts. I'm not using .htaccess, I'm simply using MySQL to verify registered users. Therefore when a user logs in to modify an ad, the url looks like this:

http://www.mysite.com/place.php?userid=1

As it stands, if someone were to type in "http://www.mysite.com/userid=34" they would end up being able to modify another users ads.

Is there a way to prevent this without getting into .htaccess?

If not, how would I go about securing the site?

Your help will be much appreciated!

Anon

sessions work well and are much more secure than that.

http://www.php.net/sessions

cordex

And if you don't like the standard PHP sessions, roll your own. I built a session based security handler using MySQL that works like a charm (wrote it before PHP introduced sessions or I probably wouldn't have gone to the trouble).

Anon

You don't need to hide the URL. Just make a login script and send a cookie to the users computer. In there you should store the UserName and the Password.

When a user goes to modify their ad you should take the variable 'userid' that you provide in the URL and see if the password for it in the database is the same as the one in the cookie you sent.

Or you can check if the 'userid' variable is the same as the one in the cookie. This is probably the better way if you are going to have many users. The more users you have the greater the chance of two users having the same password.

Anon

Actually, I just realized something. You should check both, the password and the userid. That way if the person modifies the cookie and changes the userid in there you will still be able to check if the password is the same. And if he changed the password then you can't do anything about that. Because he already has the password to the account.