The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
securing url id's
#1
I am really concerned about showing url id's to view details for a product that i am setting up.  Is there a way in US to hide or make it more secure?

This is what i have:  <a href="product_details.php?transac_id=<?php echo $product['id']?>">Product Name</a>
  Reply
#2
You can POST to the details page but your tokens will break if the user tries to refresh. That would be the only way, and even then you'd have to pass the ID variable back through the form which would be in a public way.
  Reply
#3
(10-10-2018, 09:53 PM)eforbes Wrote: I am really concerned about showing url id's to view details for a product that i am setting up.  Is there a way in US to hide or make it more secure?

This is what i have:  
Code:
<a href="product_details.php?transac_id=<?php echo $product['id']?>">Product Name</a>

You could maintain a session table perhaps? Generate a nonce which maps to the product ID, store it in the database or the php session (edit: or both, probably; you want the nonce in $_SESSION or a cookie, and the mapping in a database table). Your link would then be
Code:
<a href="product_details.php?transac_id=<?php echo $nonce?>">Product Name</a>

Your product_details.php page can then look up the nonce in the session or db to retrieve the product ID. Just generate hashes or random strings for the nonce, and there'll be no way to reverse engineer or expose the product IDs. Think about likely hash collisions if you're doing it yourself.
I'm at a bit of a loss as to _why_ you'd want to do that, but hey, it's probably doable Smile
  Reply
#4
If you are going to hide the product ID your best solution in my opinion would be the one just suggested. However I also agree I don't see any reason or security risk in exposing the Product ID.
  Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)