secure php onclick
I am new to php and mySql.
I have a calendar that is generated by PHP, for a particular userID. When someone clicks a date on the calendar, I need a "detail" page to open up, showing the detail for that date for that userID. But if I use Javascript to handle the onClick, is that very secure? Can't someone view the source and change the userID to something else to see someone else's detail? But you can't handle client-side onClicks in the php page, so how is this done?
I have a calendar that is generated by PHP, for a particular userID. When someone clicks a date on the calendar, I need a "detail" page to open up, showing the detail for that date for that userID. But if I use Javascript to handle the onClick, is that very secure? Can't someone view the source and change the userID to something else to see someone else's detail? But you can't handle client-side onClicks in the php page, so how is this done?
ASKER
So a session will stay active while I navigate through the various pages of the site?
I will start researching sessions. any suggested links for beginners before I start my google exploring?
When I say secure, I wasn't thinking "extremely secure", I was just thinking that I didn't want to use a URl parameter or something "easy". But I guess in the long run I should invest research time understanding encryption.
I will start researching sessions. any suggested links for beginners before I start my google exploring?
When I say secure, I wasn't thinking "extremely secure", I was just thinking that I didn't want to use a URl parameter or something "easy". But I guess in the long run I should invest research time understanding encryption.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your help. Sessions and cookies were definitely the solution. And Ray, your articles on Login and Registration have been extremely helpful.
Thanks for the points and for your kind words! ~Ray
If you are using 'userID's then you should be having a login. If you have a login with a username and password, then you should be using sessions on the server to keep track of the users. So even if that 'userID' is stolen, it should not work when that user is not logged into the application on the server. And if you are using sessions to track your users, you can store the 'userID' there instead of putting in the HTML code. You would then write the PHP code to use the 'userID' stored in the user's session to fetch the calendar data for that person.
And if security actually is important, your connection should be encrypted with an SSL/TLS certificate on your server to prevent people from reading your traffic on the network.