Posted by Hendri Kurniawan on 01/02/07 23:00

Unless there are other solutions that I'm not aware of:
a) Short answer. No
b) - Checking whether the request are mal-formed. (example: a request
must always have tid and user).
- Authenticate user before retrieving their ticket? (Inferring
from the URL, you are trying to retrieve an entry).
- Take precaution of SQLInjection

Just my 2cents,

Hendri Kurniawan


geek7 wrote:
> Hello all! I have written a helpdesk ticket webapp which uses many
> javascript calls to different php scripts to update a mysql database.
> My question is, a) is there a way to prevent access from users trying
> to access the php scripts via a URL..ex..
>
> http://www.???.org/scripts/getTickets.php?tid=3234&user=jdoe
>
> and if so, b) what is the best way to do this? I can't hide these in a
> different, non-web directory because then I can't access the scripts
> once the page loads. I'm sure this is a simple yes there is or no
> there isn't a way type question, but I can't figure out what to do.
> Any input is greatly appreciated, and if I missed this in a previous
> post I apologize, I tried searching and couldn't find any posts related
> to this. Thanks!!
>

[Back to original message]