Re: Safely deleting a db record with php

Posted by Peter Fox on 11/19/35 11:45

Following on from MaXX's message. . .

I use a number of approaches:
(1) Instead of an auto-incrementing ID, use a 32-bit random number.
(Obviously you have the creation overhead of making sure you can't
retrieve the record before creating it, to catch the theoretical 1 in
24 billion chance of a clash.)

This DOESN'T solve your problem if any other IDs are available for
inspection, e.g. a selection table with click-on-button-to-delete
functionality, because the other IDs can be harvested. AND WORSE, if you
use this ID anywhere at all, e.g. a table with click-on-button-to-_edit_
functionality, the same thing applies.

However it WILL work for customer accounts where individual customers
never get to see a list of other customers. They can't then think "let's
change '.../custdetails.php?custid=42' to '....?custid=43'".

(2) Keep track of page visiting history in the session and boot out
people coming back via bookmarks without going through the right path.
Here's the outline:
In page 1 (after session_start()):
$_SESSION['LastPage'] = 'Page1';
At top of page 2 (after session_start()):
if (!isset($_SESSION['LastPage']) || $_SESSION['LastPage'] !== 'Page1') { ... }

(3) Wrap up each of your actions for each page in a handy object or
array and pop them into the session keyed by a random number. Use this
in your links
<a href="screenserver.php?A=2342542542">Delete record 1</a>
<a href="screenserver.php?A=71452726">Delete record 2</a>
Then in screenserver.php you do (in outline)
$a = $_GET['A'];
$action = $_SESSION['actions'][$a];
$_SESSION['actions'] = array();   // clear the stored actions once consumed
if ($action->do == 'del') { ... }
if ($action->do == 'edit') { ... }
$id = $action->id;


(4) If you want persistent links, for example you send a contact an
email with a "visit http:// ...?A=123435245" in it, then do something
similar in a database table.


**** PS ****
I'm not doing much PHP at the minute. I've had the objects for (3) and
(4) working but never bothered to finish them off for public
consumption. If there's anyone who wants to finish them off then you
can probably work out the real email address if you feel like dropping
me a line.


--
PETER FOX Not the same since the cardboard box company folded
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
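Approach (3) above, written out as a runnable PHP script. This is an added example, not the poster's own code: the class name ActionRegistry, the widgets table, the constructed sample records, the 128-bit hex token format and the 15-minute token lifetime are all assumptions. The point it shows is that the record id never appears in the link at all, the token is drawn from a CSPRNG rather than a 32-bit random number, and it is consumed on first use so a bookmarked or replayed link does nothing.

```php
<?php
// Added example (not from the original post): session-keyed action tokens.
// Assumptions: ActionRegistry, screenserver.php, the widgets table and the
// sample records below are invented for illustration.
declare(strict_types=1);

session_start();

final class ActionRegistry
{
    private const KEY = 'actions';
    private const TTL = 900;   // seconds an unused token stays valid (assumed)

    /** Store a server-side action and return the opaque token to put in a link. */
    public static function register(string $do, int $id): string
    {
        // 128 bits from the CSPRNG: not guessable, unlike a 32-bit rand().
        $token = bin2hex(random_bytes(16));
        $_SESSION[self::KEY][$token] = [
            'do'      => $do,
            'id'      => $id,
            'expires' => time() + self::TTL,
        ];
        return $token;
    }

    /** Look up and consume a token; null if unknown, expired or already used. */
    public static function consume(string $token): ?array
    {
        $actions = $_SESSION[self::KEY] ?? [];
        if (!isset($actions[$token])) {
            return null;
        }
        $action = $actions[$token];
        unset($_SESSION[self::KEY][$token]);   // one-shot: a replayed link fails
        if ($action['expires'] < time()) {
            return null;
        }
        return $action;
    }

    /** Build a screenserver.php link that carries only the token, never the id. */
    public static function link(string $do, int $id, string $label): string
    {
        $token = self::register($do, $id);
        return sprintf('<a href="screenserver.php?A=%s">%s</a>',
            htmlspecialchars($token, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
    }
}

// --- The list page: render one link per record --------------------------
// Constructed sample records standing in for a database query.
$records = [1 => 'First widget', 2 => 'Second widget'];
foreach ($records as $id => $name) {
    echo ActionRegistry::link('del', $id, "Delete $name"), "\n";
    echo ActionRegistry::link('edit', $id, "Edit $name"), "\n";
}

// --- screenserver.php: handle the click -----------------------------------
function handleRequest(array $get, PDO $db): void
{
    $token = $get['A'] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        http_response_code(400);   // malformed token
        return;
    }
    $action = ActionRegistry::consume($token);
    if ($action === null) {
        http_response_code(403);   // bookmark, guess, expired or replayed link
        return;
    }
    $id = $action['id'];           // comes from the session, not from the client
    if ($action['do'] === 'del') {
        $db->prepare('DELETE FROM widgets WHERE id = ?')->execute([$id]);
    } elseif ($action['do'] === 'edit') {
        // ... show the edit form for $id
    }
}

// --- Quick CLI check of the token lifecycle --------------------------------
$t = ActionRegistry::register('del', 1);
var_dump(ActionRegistry::consume($t)['id']);    // int(1): first use succeeds
var_dump(ActionRegistry::consume($t));          // NULL: second use is rejected
var_dump(ActionRegistry::consume(str_repeat('0', 32)));   // NULL: guessed token
```

Because the token is tied to the caller's own session and is unguessable, a link taken from one user's page is useless to another user, which is what approaches (1) and (2) were trying to achieve. For the persistent e-mail links in (4), the same register/consume pair works with the token stored in a database table (token, action, record id, expiry, used flag) instead of $_SESSION. State-changing actions are still better done over POST than via a GET link, but that is a separate concern from guessable identifiers.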

 
