


UserSpice
securing url id's - Printable Version




securing url id's - eforbes - 10-10-2018

I am really concerned about showing URL IDs to view details for a product that I am setting up. Is there a way in US to hide or make it more secure?

This is what I have: <a href="product_details.php?transac_id=<?php echo $product['id']?>">Product Name</a>


RE: securing url id's - Brandin - 10-13-2018

You can POST to the details page, but your tokens will break if the user tries to refresh. That would be the only way, and even then you'd have to pass the ID variable back through the form, which would be in a public way.


RE: securing url id's - jtullett - 10-13-2018

(10-10-2018, 09:53 PM)eforbes Wrote: I am really concerned about showing URL IDs to view details for a product that I am setting up. Is there a way in US to hide or make it more secure?

This is what I have:
Code:
<a href="product_details.php?transac_id=<?php echo $product['id']?>">Product Name</a>

You could maintain a session table perhaps? Generate a nonce which maps to the product ID, store it in the database or the PHP session (edit: or both, probably; you want the nonce in $_SESSION or a cookie, and the mapping in a database table). Your link would then be
Code:
<a href="product_details.php?transac_id=<?php echo $nonce?>">Product Name</a>

Your product_details.php page can then look up the nonce in the session or db to retrieve the product ID. Just generate hashes or random strings for the nonce, and there'll be no way to reverse engineer or expose the product IDs. Think about likely hash collisions if you're doing it yourself.
I'm at a bit of a loss as to _why_ you'd want to do that, but hey, it's probably doable :)
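
The nonce-to-ID mapping described in the post above, as an added example that is not part of the original thread and not UserSpice code. The function names, the `product_tokens` session key and the sample product row are hypothetical, and the mapping is kept in `$_SESSION` only.

```php
<?php
// Added example: product_token(), product_id_from_token() and the
// 'product_tokens' session key are hypothetical names, not UserSpice APIs.
declare(strict_types=1);

/** Return an opaque token for $productId, reusing one already issued in this session. */
function product_token(int $productId): string
{
    $_SESSION['product_tokens'] ??= [];
    $existing = array_search($productId, $_SESSION['product_tokens'], true);
    if ($existing !== false) {
        return (string) $existing;
    }
    // 128 bits from the CSPRNG: not guessable, and collisions are not a practical concern.
    $token = bin2hex(random_bytes(16));
    $_SESSION['product_tokens'][$token] = $productId;
    return $token;
}

/** Resolve a token taken from the URL; null if malformed or never issued to this session. */
function product_id_from_token(mixed $token): ?int
{
    // Accept only the exact shape we generate before touching the session map.
    if (!is_string($token) || preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    return $_SESSION['product_tokens'][$token] ?? null;
}

session_start();

// Listing page: put the token in the link instead of $product['id'].
$product = ['id' => 42]; // constructed sample row
$token = product_token($product['id']);
// The token is lowercase hex, so it needs no further URL or HTML escaping.
echo '<a href="product_details.php?transac_id=' . $token . '">Product Name</a>', PHP_EOL;

// product_details.php: the value would arrive as $_GET['transac_id'].
var_dump(product_id_from_token($token)); // token issued above
var_dump(product_id_from_token('42'));   // a raw numeric ID is not a valid token
```

Because the mapping lives in the session, these links stop resolving when the session ends and do not work for another user; keeping the mapping in a database table, as the post suggests, removes that limit. The token only hides the ID, so product_details.php still needs its own check that the current user may view that product.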


RE: securing url id's - Brandin - 10-14-2018

If you are going to hide the product ID, your best solution in my opinion would be the one just suggested. However, I also agree: I don't see any reason or security risk in exposing the Product ID.