Make an URL &quot;obscure&quot;???

Make an URL "obscure"???

Anon

Hi,
I have created a system in which the users can save different baskets
and there is a section to see all the saved baskets.
In this section, one can also delete the basket(s).
I used the URL to pass on the values,
e.g. something like http://.../all_baskets.php?deletebasket=$basketid

The problem is that one can type a different value for the basket ID
and then delete a basket that does not belong to him!

I guess I could either make the URL "obscure", e.g. make it unreadable so that it does not happen (but I don't
know how to do that!) or try to prevent people from typing such a URL by limiting right (but again I don't know
how to do it... )-:

Help would be really appreciated!!!

Bruno

Anon

To prevent this from happeneing, you need to include in your SQL that the owner of the basket is set to the current user. A simple WHERE clause will work.

WHERE basket='$basketid' AND user='$currentuser'

I will be publishing an article on this login technology in the coming weeks, but if you'd like to see a working example, go to AaronZoller.com. I am using the same method to prevent users from deleting/viewing/etc. other users messages and articles.

And if you hide the URL value (make it obscure), it is really not hidden. All someone needs to do is view the source to the page and the hidden values will be shown.

balsdorf

Another simple idea is when you create a basket create a semi-random string (microtime the basket was created is always handy) and store that with the basket. Then when you call it like this:
all_baskets.php?deletebasket=$basketID&key=$key

Every time that page loads authenticate the key that was passed against what you have stored in the database. If a user trys to change the basketID, the keys will not match.

Good Luck!

Anon

You can use post instead of get for passing the variable. This would meen having a little client side code (in javascript or something), and a form on your page... email me for more details

Anon

Set it as a cookie. and always make the sql check customer name, customer id and basket number, the more items it checks the less chances of an accidental deletion there is.

Anon

Thanks to all of you guys, with all these good advices, I'm gonna become an expert in this topic and my site is definitely gonna be super-protected! :-)