How to post data when link is selected?

Posted on 2007-07-21
Last Modified: 2012-08-14

I am setting up a PHP website for customers that allows them to view information about their account. The site is secure and users must log-on to view their details.  Certain pages are restricted based on a user's type.  Many of the details contained within this site are financially sensitive therefore security is paramount. I currently have a script that dynamically generates a table, listing all the customers associated with a particular company. The customer name is a hyperlink, that when clicked, opens a new page displaying extended details about the chosen customer. As it stands I am sending the customer ID and portfolio No via the URL and retrieving it using $_GET[] therefore the details are in plain site for all to see.

My problem is once logged in a user could potentially manually change the customer ID in the URL and view anyone's details. I am going to implement a database check but I would also prefer to POST the chosen customer's details, therefore eliminating the risk of manual tampering. Is this possible to do? Are you able to force a POST when a user selects a given link? I am using PHP5 with a MSSQL database.  Any assistance would be most appreciated.

Kind Regards
Question by:almcc8
    LVL 9

    Expert Comment

    Using a POST won't solve your problem, since the customer ID will have to be put in a "hidden" field in the form to be submitted by POST. Anyone who knows enough to right click and View Source will have access to that information.

    Here is how you do it anyway:

    <form name="form1" action="'customerdetails.php');">

      <input type="hidden" name="customerid" value="<?php echo $customerid ?>" />
      <a href="#" onclick="document.form1.submit();"><?php echo $customername ?></a>

    LVL 6

    Expert Comment


    IK agree with under_dog

    a better solution were to use sessions, so the sensible information is stored on the server. Try to use always sessions for those case.

    Author Comment

    Thank-you for the quick response. However I do have another question re: using hidden variables. If I was to use hidden variables as suggested how am I able to determine which customer has been selected? For any given company there could be up to 30 customers listed. I really am not worried about hiding the data so that user cannot read it.  What I am more concerned about is displaying the customer ID in the URL, thus allowing someone to manually change it without consent, then re-loading the page to view someone else's data. I thought if I posted the value, it would eliminate the chance of the value being changed.

    Many thanks
    LVL 8

    Accepted Solution

    almcc8: with POST, a customer can save a page to their computer locally, change
    <form action=....
    to your actual URL, and change ID inside the field in HTML, thus effectively submitting other ID as POST variable and still viewing other people's data. So your approach still has a hole in it. The only way to ensure people won't be able to see other people's data, is to cross-check their ID with the ID in the link, thus disallowing them viewing other people data. Even better is to have a link not have any ID, instead PHP script will take ID from their session variables. Thus the link will be same for everyone, yet based on their ID in the session user will only see their own details. If someone goes to that link directly without being authenticated, it will just return them "please login" page.
    LVL 9

    Assisted Solution

    Indeed, as GEM100 says, the most important place to do your authentication is on the page where the details are displayed. Check if the logged in user (their ID should be in a session variable from when they logged in) has permission to see the details of the client who's ID they are requesting ... either with POST or GET.

    Author Comment

    Thanks GEM100 & under_dog,

     I already employ the use of session variables to store the user's details at login and check this each script.  However the ID I am retrieving from the form is not the company's individual id, but rather a customer whom is associated with them. The customers are pulled from a database and rendered dynamically in a table so there is no way of knowing what values will be displayed. The user then selects the customer they wish to view extended information for. Somehow I have to transmit this data to the next script.  I just thought a link seemed the most intuitive option for the user.

    I will most definitely take you advice and include a database cross check. I suppose I have just read one too many posts re: application security most of which recommend to transmit as little information as possible in the URL! Thanks again for your assistance. This was my first post and I really appreciated the quick responses. The site is a fantastic resource.
    LVL 8

    Expert Comment

    Always happy to help. In your scenario, you may leave passing ID as $_GET variable if it is not current user's ID, but then the script should check the ID association with a company and permissions, failing this check should echo a message "permission denied" or something similar.

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit ( and similar technologies have enjoyed wide adoption, making it possib…
    Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
    The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
    This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now