How to prevent fill the parameter through url parameter


  • How to prevent fill the parameter through url parameter

    Hi all,

    Help me: how do I prevent a user from changing the parameter id through the URL parameter?
    I have an application, say "form_Employee".
    This application has an ID that is passed from grid_Employee. But, unfortunately, in form_Employee itself, the user can change the ID by typing form_Employee?index.php?id=XXX
    I don't want to let this happen, because the data is personal and can't be seen by all people.


    Thanks

    Dholep
    Last edited by dholep; 02-25-2015, 05:41 AM.

  • #2
    If it's a global variable, try changing the GET to POST and see what happens.

    Moreover, if you care about this, you should restrict access to this user on that record using restrictions like security module based permissions.



    • #3
      Originally posted by MikeDE
      If it's a global variable, try changing the GET to POST and see what happens.

      Moreover, if you care about this, you should restrict access to this user on that record using restrictions like security module based permissions.

      Hi Mike,

      Thanks for the reply.
      That application can be accessed by all people, but what I want is that the user cannot change the ID by typing in the URL.
      This application is triggered by the grid using Grid link to application. What do you mean by suggesting to change GET to POST?

      Regards
      Dholep



      • #4
        Dholep,

        If you want to disable the URLs then simply turn off "Friendly URL" capability.

        Dave
        Dave Prue
        Code Whisperer
        Lahar International Corp
        www.lahar.net



        • #5
          Originally posted by daveprue
          Dholep,

          If you want to disable the URLs then simply turn off "Friendly URL" capability.

          Dave

          Hi, thanks Dave,

          I've tried that one, and it'll be http://friendly-URL/
          But the user can still type something like this: http://friendly-URL/index.php?id=XXX ==> this XXX is where he attempts to change his ID.



          • #6
            Turn OFF not ON
            Dave Prue
            Code Whisperer
            Lahar International Corp
            www.lahar.net



            • #7
              Originally posted by daveprue
              Turn OFF not ON

              Oops, misreading.

              What do you mean by turn off the friendly URL? Before, I left it blank. Does that mean turned off?


              Thanks

              Regards
              Dholep



              • #8
                Dave, dholep, friendly URL will not do what dholep wants.

                See, if you want to remove it from the URL only, then try the POST and GET thing in global variables. I didn't try it, but it would be interesting to hear what you get. This basically doesn't pass the parameters in the URL itself but uses an alternative HTTP header.


                Another idea is to have a menu application at the start of the project. This will prevent the URL from showing at all times; it will show "serverpath/projectpath/menu" and will not change while the user is working on your project.

                But (a big but) if you want to DISALLOW the user from typing in the URL and getting a record which he is not supposed to see, then you have to apply a different methodology to get this done, like security and permissions.

                Because even if you managed to remove the id from the URL, someone who is IQ3+ will check your page source code and type the URL with a different ID, and it will still work.
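
The point made in post #8, that hiding or moving the id does not stop a user from requesting someone else's record, comes down to checking on the server that the logged-in user may see the requested id. The following is an added example, not code from the thread or from ScriptCase, in plain PHP with PDO and an in-memory SQLite table; the table, column and function names and the HR role are assumptions.

```php
<?php
// Added example: object-level authorization for a record form.
// Hypothetical schema and names (employee, owner_login, loadEmployeeFor).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, owner_login TEXT, name TEXT, salary INTEGER)');
$db->exec("INSERT INTO employee VALUES (1, 'alice', 'Alice A.', 5000), (2, 'bob', 'Bob B.', 6000)");

/**
 * Return the employee row only if $login may see it; null otherwise.
 * $rawId is whatever the client sent (GET, POST or a hidden field): never trusted.
 * $login and $isHr must come from the server-side session, not from the request.
 */
function loadEmployeeFor(PDO $db, string $login, bool $isHr, $rawId): ?array
{
    // 1. Validate the shape: a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Authorize inside the query: ownership is part of the WHERE clause,
    //    so an id that belongs to someone else matches zero rows.
    $sql = 'SELECT id, name, salary FROM employee WHERE id = :id'
         . ($isHr ? '' : ' AND owner_login = :login');
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    if (!$isHr) {
        $stmt->bindValue(':login', $login, PDO::PARAM_STR);
    }
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: (session login, HR role?, id sent by the client).
$requests = [
    ['alice', false, '1'],   // own record
    ['alice', false, '2'],   // id edited in the URL to Bob's record
    ['alice', false, 'abc'], // malformed id
    ['carol', true,  '2'],   // assumed HR role may read any record
];
foreach ($requests as [$login, $isHr, $rawId]) {
    $row = loadEmployeeFor($db, $login, $isHr, $rawId);
    // Same answer for "not yours" and "does not exist", so ids cannot be enumerated.
    printf("%-5s id=%-3s -> %s\n", $login, $rawId, $row ? "200 {$row['name']}" : '404 not found');
}
```

Because the check depends only on the session identity and the database row, it gives the same result whether the id arrives by GET, POST or a hidden form field.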



                • #9
                  Originally posted by MikeDE
                  Dave, dholep, friendly URL will not do what dholep wants.

                  See, if you want to remove it from the URL only, then try the POST and GET thing in global variables. I didn't try it, but it would be interesting to hear what you get. This basically doesn't pass the parameters in the URL itself but uses an alternative HTTP header.


                  Another idea is to have a menu application at the start of the project. This will prevent the URL from showing at all times; it will show "serverpath/projectpath/menu" and will not change while the user is working on your project.

                  But (a big but) if you want to DISALLOW the user from typing in the URL and getting a record which he is not supposed to see, then you have to apply a different methodology to get this done, like security and permissions.

                  Because even if you managed to remove the id from the URL, someone who is IQ3+ will check your page source code and type the URL with a different ID, and it will still work.

                  Hi Mike,

                  Thank you for your explanation.
                  Yes, we can deceive it by giving the menu so the URL is hidden by the iframe.
                  The other way you mentioned, using the POST and GET method -> I don't understand, since this application is called by grid link to application and the id was the parameter.



                  • #10
                    Okay, just give it a try. If you have global variables, there is POST and GET; try to play with them and see what happens.
