You are here: Re: How to update a database row from a form? « PHP Programming Language « IT news, forums, messages
Re: How to update a database row from a form?

Posted by Jerry Stuckle on 09/28/45 12:01

Harris Kosmidhs wrote:
> Though I program in php for some years, I started thinking a lot about
> the security in my php scripts.
>
> When I add/insert/delete to a form I usually have a hidden input box
> with the (auto-increment id) of the record I want to update. So when I
> UPDATE I put where id=intval($id).
> This is quite a security risk but these forms are administration forms,
> assuming that the administrator won't edit hidden values and mess with
> it's data.
>
> But what happens if this is a public form? How can you avoid having the
> id in a hidden (and easily changed) form field? What techniques do
> exist? I have some in mind as a workaround (like puting id in $_SESSION)
> but I would like to hear other opinions.
>
> Thanks
>

Never send critical information like this to the browser in a hidden
field. Rather, put it in the session.

Alternatively, you could encrypt it before sending it to the browser,
then decrypt it when it comes back. But that's less safe.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация