Option other than using $ _GET

GET is a convenient way to post a form id, post a site id, or any id. However, this is insecure because it is leaking the ID to visitors.

Is there any method I can use that is similar to the GET format that I don't need to submit to the form, but I can get the ID easily at the same time?

sorry, i am so green at it. how to use a session ? if use get , i can define 
$get?id=aaa for each link,but how can i achieve it in session?


What I really want to do:

In my case, I want to develop multiple forms, each of which has an ID, like formA, formB, formC ..

IF I use get i will detect <form id="myform" method="get" action="verify.php?id="formA">

however, since it is unsafe, how can I use a session to do this?

* Ans: put $ _session [id] = 'formid' and get it the same way. *

It's ok for the form, but .....

If I want to create a page with a lot of links, how do I achieve a session? how can I bind a session to a link? Thank.


source to share

3 answers

The GET method puts data in the URL (so you can see it). The POST method puts data in the body of the request, so it is not duplicated in the address bar. However, you can easily find out the content of the request body using the browser plug-in.

The GET and POST method are equally safe this way. However, as Alex said, you can use a php session, but are only useful for data that the user won't change.

In your case, if you have identified a user with id and id, you just need to fill in $ _SESSION ['userid'] (variable name is arbitrary), then when the user submits it, you will return the user id from the session.

Edit: For your url:

http://mydomain.com?serviceid=1 call your service number one


You can set up a token system, which means that for the current user, you give him a hash that seems random and allows him to execute the service. At the beginning of your script, you can put this token:

session_start(); // To start php session
// We check if the current user has a token
if ( isset($_SESSION['usertoken'] ) )
   $token = md5( 'myubbersalt' . md5(time)  ); // The token is a random string (not to random there)
   $_SESSION['usertoken'] = $token; // The server now have set an action token for the user


Then when you create your page (with a link to the service) you add the token to the url like:

echo 'http://mydomain.com?serviceid=1&tok=' . $_SESSION['usertoken'];


Finally, when http://mydomain.com?serviceid=1 is called , you check the token inside yourself:

session_start(); // This should be added at the begining of your script
// We check if the usertoken match the service token
$canExecuteService = false;
if ( isset( $_GET['tok'] && isset($_SESSION['usertoken']) )
   if ( $_GET['tok'] == $_SESSION['usertoken'] )
      $canExecuteService = true;


So, you have a variable telling you if you can or may not perform this service. The token ruler is the same as php session. Plus 2 different users cannot have the same token (in this simple generation, two users can use the same token if they execute the page at the same time). Also, an attacker cannot spoof the token because it is generated from a variable source and is salted with a salt that only your site knows.




You can use $_SESSION

to transfer information that the user cannot change.



You don't want to use $ _POST or $ _GET. Use $ _SESSION.



All Articles