Solved

secure php onclick

Posted on 2013-06-11
6
237 Views
Last Modified: 2013-07-03
I am new to PHP and MySQL.

I have a calendar that is generated by PHP, for a particular userID.  When someone clicks a date on the calendar, I need a "detail" page to open up, showing the detail for that date for that userID.  But if I use JavaScript to handle the onClick, is that very secure?  Can't someone view the source and change the userID to something else to see someone else's detail?  But you can't handle client-side onClicks in the PHP page, so how is this done?
0
Question by:KCTechNet
6 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39240249
Two things.  Why does a calendar pop-up need to be secure?  And onClick is a javascript event, nothing else.

If you are using 'userID's then you should be having a login.  If you have a login with a username and password, then you should be using sessions on the server to keep track of the users.  So even if that 'userID' is stolen, it should not work when that user is not logged into the application on the server.  And if you are using sessions to track your users, you can store the 'userID' there instead of putting in the HTML code.  You would then write the PHP code to use the 'userID' stored in the user's session to fetch the calendar data for that person.

And if security actually is important, your connection should be encrypted with an SSL/TLS certificate on your server to prevent people from reading your traffic on the network.
0
 

Author Comment

by:KCTechNet
ID: 39240260
So a session will stay active while I navigate through the various pages of the site?

I will start researching sessions.  Any suggested links for beginners before I start my Google exploring?

When I say secure, I wasn't thinking "extremely secure", I was just thinking that I didn't want to use a URL parameter or something "easy".  But I guess in the long run I should invest research time understanding encryption.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 39240300
Sessions will stay active if you keep them active.  Here is everything you need to know:  http://us1.php.net/manual/en/book.session.php  The first most important thing you need to know about sessions is that session_start() must be at the top of every page which means that the pages in the session have to be PHP pages.  The default timeout is 24 minutes.  That means if there is no activity that resets the session timer in 24 minutes, then it is available to be expired.

And you don't have to understand encryption to use SSL/TLS.  You do have to buy the certificate and install it on your website.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39240963
You have a lot of moving parts here, and being new to PHP may somewhat complicate the work process.  This article teaches some of the ways to get started with PHP and SQL, and leads you to some learning resources.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html

HTTP is a client-server protocol.  The use of JavaScript can "blur" this fact.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

If your server performs some kind of client authentication, you can set the client-id in the session.  When there is a request for a calendar entry, your script can check the client-id and the calendar database, and use a rules-based approach to determine whether it is OK to display the calendar information.  This is not rocket science, but it's rather advanced design and programming.  You might want to have a database administrator help you set this up.

HTH, ~Ray
0
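Putting the two answers together as a worked example (added here; this is not code from the thread or from either expert): a `detail.php` that calls `session_start()` before any output, takes the userID from the server-side session rather than from the HTML or the URL, accepts only the date from the click, and lets the `WHERE` clause of a prepared statement act as the ownership rule. The login page that sets `$_SESSION['userID']`, the `calendar_entries` table, and the database credentials are assumptions.

```php
<?php
// detail.php: added example, not code from the thread or from either expert.
// Assumptions: login.php has already verified the password and set
// $_SESSION['userID']; the table calendar_entries(user_id, entry_date, title, body)
// and the DSN/credentials below are hypothetical.
declare(strict_types=1);

// Must run before any output, on every page that takes part in the session.
session_start();

/** True only for a real calendar date written exactly as YYYY-MM-DD. */
function validDate(string $date): bool
{
    $dt = DateTime::createFromFormat('!Y-m-d', $date);
    // Round-trip check rejects things like 2013-02-30, which PHP would roll forward.
    return $dt !== false && $dt->format('Y-m-d') === $date;
}

/**
 * Entries for one user on one day. The user id comes from the session, so the
 * WHERE clause is the authorization rule: editing the link cannot reach another
 * user's rows, because the link never carried a user id in the first place.
 */
function fetchEntries(PDO $pdo, int $userId, string $date): array
{
    $stmt = $pdo->prepare(
        'SELECT title, body FROM calendar_entries
          WHERE user_id = :uid AND entry_date = :d
          ORDER BY title'
    );
    $stmt->execute([':uid' => $userId, ':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. No session (never logged in, or expired after the idle timeout): stop here.
if (empty($_SESSION['userID'])) {
    http_response_code(401);
    exit('Please log in first.');
}
$userId = (int) $_SESSION['userID'];

// 2. The only value the client chooses is the date, so validate it strictly.
$date = (string) ($_GET['date'] ?? '');
if (!validDate($date)) {
    http_response_code(400);
    exit('Invalid date.');
}

// 3. Query with a prepared statement; nothing from the request is interpolated into SQL.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$entries = fetchEntries($pdo, $userId, $date);

// 4. Escape everything on the way out so stored text cannot inject script into the page.
$h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
echo '<h1>Entries for ', $h($date), '</h1>';
if ($entries === []) {
    echo '<p>No entries.</p>';
}
foreach ($entries as $row) {
    echo '<h2>', $h($row['title']), '</h2><p>', $h($row['body']), '</p>';
}

// On the calendar page, the onClick the question asked about only needs to carry
// the date, which is harmless to expose in the HTML:
//   <td onclick="location.href='detail.php?date=2013-06-11'">11</td>
```

The calendar page shares the same session simply by calling `session_start()` at its top as well; after a successful password check, the login page should call `session_regenerate_id(true)` before storing the userID, so an identifier issued before login cannot be reused afterwards.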
 

Author Comment

by:KCTechNet
ID: 39297982
Thanks for your help.  Sessions and cookies were definitely the solution.  And Ray, your articles on Login and Registration have been extremely helpful.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39298007
Thanks for the points and for your kind words! ~Ray
0
