Posted by bob.chatman@gmail.com on 01/29/07 21:07
On Jan 29, 10:39 am, Rik <luiheidsgoe...@hotmail.com> wrote:
> Don Freeman <freem...@sonic.net> wrote:
> >> Users of this web site can register and create their own profile. Each
> >> user can also register their diary entries. Here is the problem:
> >> index.php?mode=diary&id=1, a user can hack this URL to get access to
> >> another user's diary -> then the user could modify the diary of another
> >> user, which is something I want to avoid.
>
> > Have you tried using POST instead of GET? That way you don't put the
> > passed variables in the URL.
>
> That would only give a false sense of security; it's just as unsafe.
> --
> Rik Wasmus
The truth is - there is no way to 100% defeat this. Being a web
application, there are tons of tools that allow people to modify the
POST parameters, especially if they have a couple ounces of grey
matter and hit Google. The tools exist for IE and FFOX, and most
versions of Linux have browsers that let you monitor and edit
parameters in their respective browsers as well.
The solution to the above issue is a) use a session if you are going
to be passing around important information that you don't want changed
directly by the user (still able to be modified, but it is kept on the
server so there is less chance), and b) POST if you are submitting a
form that has sensitive information.
Sessions will also make the choice to use POST or GET to pass the
session ID, so you don't have to worry about that either.
Bob
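The check that the thread's advice boils down to, as an added example that is not code from any of the posts above: the entry id still arrives in the request, but the owner is taken from server-side session state and every query is scoped to both, so a changed id (GET or POST) finds nothing. The `diary` table layout, the `$_SESSION['user_id']` key and the in-memory SQLite rows are constructed assumptions.

```php
<?php
// Added example, not code from the thread. Constructed in-memory SQLite data
// stands in for the site's real diary table (name and columns are assumptions).
session_start();
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE diary (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
$pdo->exec("INSERT INTO diary VALUES (1, 10, 'alice entry'), (2, 20, 'bob entry')");

// Vulnerable pattern from the question: trusts id alone, so any logged-in user
// reaches any entry by changing the parameter, in the URL or in a POST body.
function loadDiaryInsecure(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, user_id, body FROM diary WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: the owner comes from the session and the query is scoped to it,
// so someone else's id yields no row. The same scope goes on the UPDATE that
// saves edits, not only on the read.
function loadDiary(PDO $pdo, int $id, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, user_id, body FROM diary WHERE id = ? AND user_id = ?');
    $stmt->execute([$id, $userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function saveDiary(PDO $pdo, int $id, int $userId, string $body): bool
{
    $stmt = $pdo->prepare('UPDATE diary SET body = ? WHERE id = ? AND user_id = ?');
    $stmt->execute([$body, $id, $userId]);
    return $stmt->rowCount() === 1;   // 0 rows: entry missing or not the caller's
}

// Request handling for index.php?mode=diary&id=N (session key is an assumption).
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}
$userId = (int) $_SESSION['user_id'];
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$entry = is_int($id) ? loadDiary($pdo, $id, $userId) : null;
if ($entry === null) {
    http_response_code(404);   // same answer for "missing" and "not yours"
    exit('no such entry');
}
echo htmlspecialchars($entry['body'], ENT_QUOTES, 'UTF-8');
```

Whether id travels in GET or POST makes no difference to either function; only the `user_id = ?` scope tied to the session stops the cross-user access.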