Reputation: 4427
Option besides using $_GET
GET is a convenient method to post the form id, post the website id or any id. However, it is insecure because it leaks out the id to the visitors.
Are there any method that I can use that is similar to GET format that i need not to submit the form but i can retrieve the id easily at the same time?
sorry, i am so green at it. how to use a session ? if use get , i can define
$get?id=aaa for each link,but how can i achieve it in session?
What i actually want to do:
In my case i want to develop several form , each one has a id on it, say formA , formB , formC ..
IF i use get i will define <form id="myform" method="get" action="verify.php?id="formA">
however, since it is insecure, how can i use session to do this?
*Ans: put the $_session[id]='formid' and get it in the same way.*
It is ok for a form , but.....
If i want to create a page that has a lot of links , how can i achieve using a session ? how can i bind the session to the link? Thank you.
Upvotes: 3
Views: 109
Answers (3)
Reputation: 3381
The GET method put the data in the URL(so that why you see them). The POST method put the data in the request body, so is not diplsayed in the adress bar. However you can easyly find out the content of the request body with browser module.
The GET and POST method are equally secure in this way. However like Alex said you could use the php session but are only usefull for data that the user won't change.
In your case, if you identified the user with and id, you just have to fill the $_SESSION['userid'] (the variable name is arbitrary), then when the user will submit the for you will retreive the user id from the session.
Edit: For your url:
http://mydomain.com?serviceid=1 call your service number one
You can set a token system, which mean for the current user you give him a hash that seems random and allow him to execute the service. Your can put this token generation at the begining of your script:
session_start(); // To start php session
// We check if the current user has a token
if ( isset($_SESSION['usertoken'] ) )
{
$token = md5( 'myubbersalt' . md5(time) ); // The token is a random string (not to random there)
$_SESSION['usertoken'] = $token; // The server now have set an action token for the user
}
Then when you will generate your page (with link to service), you add the token in the url, like this:
echo 'http://mydomain.com?serviceid=1&tok=' . $_SESSION['usertoken'];
Finally when the http://mydomain.com?serviceid=1 is called you check the token internally:
session_start(); // This should be added at the begining of your script
...
// We check if the usertoken match the service token
$canExecuteService = false;
if ( isset( $_GET['tok'] && isset($_SESSION['usertoken']) )
{
if ( $_GET['tok'] == $_SESSION['usertoken'] )
{
$canExecuteService = true;
}
}
So you have a variable telling you if you can execute or not the service. The token livelenght is the same as the php session. Plus 2 distinct user can't have the same token (in this simple generation two user can share the same token if they execute the page at the exact same time). Plus an attacker can't forge a token, because this one is generated from a variable source and is salted with a salt only knew by your website.
Regards
Upvotes: 2
Reputation: 490173
You could use $_SESSION to transmit details that the user can not modify.
Upvotes: 4
Reputation: 4209
You do not want to be using $_POST or $_GET. Please use $_SESSION.
Upvotes: 1
Related Questions
- PHP- to pass GET variable without .php extension?
- Using the $_GET variable
- alternative to $_POST
- Is there an equivalent of the $.get() method in PHP?
- How to write a function similar to $_GET?
- $_GET variable in php without using a form
- Alternative to $_GET
- Wordpress alternative to using GET?
- Echo alternative $_GET request method
- php using $_GET