Trevor
Posted: 06/21/2002, 4:36 AM
I want to be able to pass whatever the required information is for a page which has the Security Level set at 3 - High within the URL from a VB program. The VB program knows the UserID and the Security_level. I am using PHP. How do I do this?
This doesn't work: http://theseowgroup/php%20webs/rac_standards/clients.ph...=1,UserRights=3
Any Ideas???
Brent
Posted: 06/21/2002, 8:19 AM
Try: http://theseowgroup/php%20webs/rac_standards/clients.ph...=1&UserRights=3
Use an "&" instead of a "," between parameters.
However you are asking to get hacked. You might as well put up a neon sign that
says "Hack Me!".<g>
Any parameter that is passed as a URL, Post, or cookie information can be modified
by the user. What happens for example if the page is displayed with "UserID=1&UserRights=3"
in the URL and the user alters it to "UserID=2&UserRights=3" or modifies the UserRights?
The page reloads with these parameters. Can you see the "fun" you're going to have
if you pass security related information?
These fields are best suited to session variables. You can also add a checksum
to the parameters and validate the checksum when the receiving page is loaded.
This ensures none of the parameters have changed.
Brent
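
One way to implement the checksum suggested in the answer above, as an added example that is not part of the original thread. The checksum here is an HMAC keyed with a secret that only the server and the VB program hold, because a plain unkeyed hash could be recomputed by whoever edits the URL. The function names, the `exp` and `sig` parameters, the key value and the use of PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not code from the thread. SIGNING_KEY, compute_sig(),
// sign_params() and verify_params() are hypothetical names; the key value
// is a placeholder and must never appear in a URL or in page output.
const SIGNING_KEY = 'replace-with-a-long-random-secret';

// Canonicalise the parameters (sorted by name) and compute a keyed checksum.
function compute_sig(array $params): string
{
    ksort($params);
    return hash_hmac('sha256', http_build_query($params), SIGNING_KEY);
}

// Sender side: append an expiry time and the checksum to the query string.
function sign_params(array $params, int $ttl = 300): string
{
    $params['exp'] = time() + $ttl;
    $params['sig'] = compute_sig($params);
    return http_build_query($params);
}

// Receiving page: return the trusted parameters, or null if anything changed.
function verify_params(array $query): ?array
{
    if (!isset($query['sig'], $query['exp']) || !is_string($query['sig'])) {
        return null; // checksum or expiry missing
    }
    $sig = $query['sig'];
    unset($query['sig']);
    // hash_equals() compares in constant time.
    if (!hash_equals(compute_sig($query), $sig)) {
        return null; // a parameter was added, removed or modified
    }
    if ((int) $query['exp'] < time()) {
        return null; // link has expired
    }
    return $query;
}

// Constructed sample input using the thread's parameter names.
$qs = sign_params(['UserID' => 1, 'UserRights' => 3]);
parse_str($qs, $received);
var_dump(verify_params($received) !== null);   // untouched query string

$received['UserID'] = '2';                     // user edits the URL
var_dump(verify_params($received) !== null);   // checksum no longer matches
```

The expiry limits how long a captured URL stays usable; it does not stop the same URL being reused inside that window, which is one reason session variables remain the better home for these fields.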