dlofrodloh

Reputation: 1744

Procedure for restricting user from typing in php url

I've got a database where you can load details of a candidate through the following get request url: database/candidates/?loadcandidate=n where n is the id of the candidate to load.

Is there a common practice where you can add something to the get request which would prevent my users from being able to type in any id to access the details of candidates? I want them to only be able to access the candidate page from my search results or by bookmarking the candidate page and revisiting it later.

I could probably figure out my own eccentric way of doing this, but I'm wondering if there is a common procedure?

Upvotes: 1

Views: 88

Answers (1)

Get requests are get requests and you can't prevent users from changing get request variables.

But reading between the lines, I think the solution you're looking for is obfuscating (hiding/cloaking the intended meaning of) the user id so that it can't just be plainly accessible by changing the id incrementally (e.g., ?loadcandidate=1/2/3/4/5/6...).

In this case, try assigning a user code so that it would be harder to pull up candidates just by guessing the ID.

Just as a simple example (which by no means should be used for production), try simple MD5 hashing and take the first 6-digit substring.

Example:

1 = c4ca42
2 = c81e72
3 = eccbc8
...

database/candidates/?loadcandidate=c4ca42 will pull up candidate with user id = 1.

So that when you access database/candidates/?loadcandidate=n, n will be something much more difficult to guess, thereby decreasing the number of random lookups exponentially. Of course this will all depend on how random the obfuscation/code actually is.

Hope this helps!

Upvotes: 1
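The following is an added example, not code from the question or the answer above. It implements the answer's MD5-substring code (which reproduces the values c4ca42, c81e72, eccbc8 shown) next to the approach a practitioner would actually deploy: an opaque random token stored with each candidate row, looked up through a prepared statement, and then an ownership check, because hiding the id only stops guessing while the ownership check is what decides who may see the record. The table layout, the `owner_user_id` column and the function names are assumptions for the demo, not the asker's schema; it uses an in-memory SQLite database via PDO so it runs offline.

```php
<?php
// Added example (not from the original question or answer).
// Assumptions: a candidates table with an owner column; PDO with the sqlite
// driver available. Function names are illustrative.
declare(strict_types=1);

// The answer's scheme: first 6 hex digits of md5(id). Deterministic, so the
// codes for ids 1..N can be precomputed by anyone; it hides, it does not authorize.
function obfuscate_id(int $id): string
{
    return substr(md5((string) $id), 0, 6); // 1 => c4ca42, 2 => c81e72, 3 => eccbc8
}

// Hardened alternative: a 128-bit random token generated once per candidate
// and stored in the database. It cannot be derived from the id, and it stays
// stable, so search-result links and bookmarks keep working.
function generate_candidate_token(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters
}

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE candidates (
        id INTEGER PRIMARY KEY,
        token TEXT NOT NULL UNIQUE,
        name TEXT NOT NULL,
        owner_user_id INTEGER NOT NULL)');
    $ins = $db->prepare(
        'INSERT INTO candidates (token, name, owner_user_id) VALUES (?, ?, ?)'
    );
    // Constructed sample rows: two candidates belong to user 10, one to user 11.
    foreach ([['Ada', 10], ['Grace', 10], ['Linus', 11]] as [$name, $owner]) {
        $ins->execute([generate_candidate_token(), $name, $owner]);
    }
    return $db;
}

// Resolve ?loadcandidate=<token> for the logged-in user. The token lookup stops
// enumeration; the owner check is the real access control, so a leaked or
// shared token still cannot show another user's candidate.
function load_candidate(PDO $db, string $token, int $currentUserId): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $stmt = $db->prepare(
        'SELECT id, name, owner_user_id FROM candidates WHERE token = ?'
    );
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['owner_user_id'] !== $currentUserId) {
        return null; // unknown token and wrong owner get the same answer
    }
    return ['id' => (int) $row['id'], 'name' => $row['name']];
}

// Demo
$db = setup_db();
printf("md5 scheme: 1 => %s, 2 => %s, 3 => %s\n",
    obfuscate_id(1), obfuscate_id(2), obfuscate_id(3));

$stmt = $db->prepare('SELECT token FROM candidates WHERE name = ?');
$stmt->execute(['Ada']);
$adaToken = (string) $stmt->fetchColumn();

var_dump(load_candidate($db, $adaToken, 10)); // array: Ada, owned by user 10
var_dump(load_candidate($db, $adaToken, 11)); // NULL: user 11 is not the owner
var_dump(load_candidate($db, 'c4ca42', 10));  // NULL: rejected as malformed
```

In a real application the token would be generated when the candidate record is created and the search results page would link to `database/candidates/?loadcandidate=<token>`; the `owner_user_id` comparison would be replaced by whatever rule defines who is allowed to view a candidate (for example membership of the same account), but that check has to happen on the server for every request regardless of how unguessable the identifier is.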
