Furqan

Reputation: 1

How to stop URL param manipulation

I have the following URL on a web application that I have created (currently running locally): http://localhost:8080/trustsurvey/questionView.php?question=1

The question=1 is from a GET parameter that increments each time the user clicks on the Next button.

$questionNumber = $_GET['question'];

What would be the best recommended way to hide or encode the parameter in the URL after the ?, thus making it difficult for a user to manipulate the URL and manually change the parameter?

Upvotes: 0

Views: 545

Answers (1)

Jeto

Reputation: 14927

You could make use of session variables instead of URL parameters.

Something like this (not "complete" code, some isset checks are missing, etc.):

questionView.php

<?php
session_start();
$questionNumber = $_SESSION['questionNumber'] = $_SESSION['questionNumber'] ?? 1;
?>

<form method="post" action="answer.php">
<!-- Display question $questionNumber here -->
</form>

answer.php

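<?php
session_start();
// Progress lives in the session, not in the URL; default to 1 if it is not set yet
$questionNumber = $_SESSION['questionNumber'] ?? 1;

if (answerOk()) {  // This checks answer with $_POST data
  $_SESSION['questionNumber'] = $questionNumber + 1;
  // Redirect back to the view, which reads the new number from the session
  header('Location: questionView.php');
  die;
}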

Upvotes: 3
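
An added example, not part of the original answer: if the ?question= parameter from the question is kept in the URL, the server can still treat it as a request and check it against the progress stored in the session, so editing the URL cannot skip ahead. TOTAL_QUESTIONS, the function names and the 'answer' form field are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

const TOTAL_QUESTIONS = 5; // assumption: survey length is not given on the page

// $get, $post and $session stand in for $_GET, $_POST and $_SESSION so the
// logic can be exercised from the PHP CLI without a web server.
function resolveQuestion(array $get, array &$session): int
{
    // Server-side progress: the highest question this user may see.
    $session['questionNumber'] = $session['questionNumber'] ?? 1;
    $allowed = min($session['questionNumber'], TOTAL_QUESTIONS);

    // The URL value is only a request. Anything that is not an integer in
    // 1..$allowed (text, arrays, negatives, skip-ahead) falls back to $allowed.
    $requested = filter_var($get['question'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $allowed],
    ]);

    return $requested === false ? $allowed : $requested;
}

// Advances progress only when the current question received an answer.
// 'answer' is a hypothetical form field name.
function recordAnswer(array $post, array &$session): bool
{
    $current = $session['questionNumber'] ?? 1;
    $answer = $post['answer'] ?? null;
    if (!is_string($answer) || trim($answer) === '' || $current > TOTAL_QUESTIONS) {
        return false;
    }
    $session['answers'][$current] = trim($answer);
    $session['questionNumber'] = $current + 1;
    return true;
}

// Constructed sample requests for a single user session.
$session = [];
echo resolveQuestion(['question' => '4'], $session), "\n";      // skip-ahead request before answering
recordAnswer(['answer' => 'agree'], $session);
echo resolveQuestion(['question' => '2'], $session), "\n";      // next question, now unlocked
echo resolveQuestion(['question' => '1'], $session), "\n";      // going back to an answered question
echo resolveQuestion(['question' => '2 OR 1'], $session), "\n"; // non-integer value
```

In the real pages, pass $_GET, $_POST and $_SESSION (after session_start()) in place of the arrays used here.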
