Hide URL data and change the view

2

I'm developing a system where I pass a value into a variable and load it into my URL through a form using the POST method, so I have this URL:

$url = "../usuario/detalhamento.php?foo=$id";
echo "<td><center><a href='$url' class='btn btn-primary btn-block'
value='$id'>$id</a></center></td>";

There it works beautifully, but the URL on the page I called looks like this:

The problem with leaving it like this is that anyone can just type an ID at the end and access other information. What I wanted to know is how to hide everything I have after the "?", or replace it all with "#" for example; I just don't want it to be shown.
asked by anonymous 04.11.2015 / 13:22

2 answers

4
The problem with leaving it like this is that anyone can just type an ID at the end and access other information.

Let's start here.

First of all, this is a matter of security, not visibility. That is, suppose user X has access to the records with IDs 3, 2 and 5, and user Y has access to IDs 8 and 1.

If user X types ID 8 into the URL, it is your security layer's job to verify whether they have permission to view the information for that ID.

Let's pretend:

In a nightclub with a VIP area and a dance floor, how are the people who have access to the VIP area identified? In that case, by wristband. If there were no such "security", everyone on the dance floor could enter the VIP area, correct?

This same idea should be enforced in your system. If the user types a random ID into the URL, your application should check their access to that record, not try to hide the ID from them.

What I wanted to know is how to hide everything after the "?"

There is no need for this. Visibility causes no problems if you have a security layer behind it. You have things backwards.

Considerations

The important thing is not the visibility of the ID in the URL, but the ACL of your application.

SEO

Look up some articles on SEO too; it is not recommended to work with numbers in the URL, but rather with slugs.

04.11.2015 / 18:14
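The permission check this answer describes, as an added example in PHP that is not part of the original answer: detalhamento.php authorizes the requested record against the logged-in user instead of hiding the id. The session keys, the registros table and its columns, the admin level name and the SQLite DSN are all assumptions.

```php
<?php
// Added example, not from the original answer: detalhamento.php that
// authorizes the requested record instead of hiding the id in the URL.
// Assumptions: session keys 'user_id' and 'nivel_acesso', a table
// registros(id, usuario_id, descricao) and an SQLite DSN.
declare(strict_types=1);
session_start();

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$userId  = (int) $_SESSION['user_id'];
$isAdmin = ($_SESSION['nivel_acesso'] ?? '') === 'admin';

// Validate the id taken from ?foo= before it touches anything else.
$id = filter_input(INPUT_GET, 'foo', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}

$pdo = new PDO('sqlite:app.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The access rule is part of the query: a non-admin only gets rows they
// own, so a guessed id belonging to another user returns nothing.
$sql    = 'SELECT id, descricao FROM registros WHERE id = :id';
$params = [':id' => $id];
if (!$isAdmin) {
    $sql            .= ' AND usuario_id = :uid';
    $params[':uid']  = $userId;
}
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // Same reply for "missing" and "not yours": the response does not
    // reveal which ids exist. Log the denial for monitoring.
    error_log("access denied: user $userId requested record $id");
    http_response_code(404);
    exit('not found');
}

echo htmlspecialchars($row['descricao'], ENT_QUOTES, 'UTF-8');
```

The same check applies to any update or delete endpoint that takes the id, not only to the detail page.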
1

I developed a system for a company that would work with financial calculations; to prevent the user from trying to change a record without authorization, I created logic something like this:

$securityHash = sha1($idUsuario . $nivelAcesso . $url);

Whenever they accessed a link, the link would look like this:

detalhes.php/1/f6ds8dsSAFsa768sa6f786sfa

It would be the same as this:

detalhes.php?id=1&sh=f6ds8dsSAFsa768sa6f786sfa

When rendering the response, I generated the hash on the server and compared it to the one in the URL. That way I knew that the users who were there could only have received hash X because it was accessible only as administrator, or as some other group.

And if the hash was rejected, I created logic to immediately block the user's access and remove them from the system.

28.04.2016 / 16:16