teufel
Posted: 11/13/2002, 10:24 AM

Initially I had the following scenario: a grid with links to a 'record' page where the user is able to edit the record's information. Everything worked fine: the user clicked on a link and got redirected to the record form, which would come up with all the info filled in.
The problem: only the records reached by clicking on the grid links should be allowed to be changed. But if the user hacks the URL at the record form, he would be able to edit other records which he should *not*.
My solution: instead of putting a link inside the grid pointing to the record page and passing all parameters through the GET method, I inserted a LABEL where the original link was. This label is then filled with custom HTML code in which I make a FORM with only one SUBMIT BUTTON. This way I can pass all parameters by the POST method, thus preventing a more clever user from hacking the URL of the destination record page.
I have now 2 problems:
1) When the record form was reached through the link, it would show up with all the record's information correctly filled in, ready to be updated/deleted/... But now, when passing the parameters as hidden fields by POST, the record form shows up just EMPTY. Nothing inside! I specified at the record form that it should 'preserve POST parameters', but that didn't help.
2) A 'design' problem: the cells in which I previously had just a link, and now have a form with a button, occupy too much vertical space on my grid (maybe because of how the browsers format the <td><form...><input type=hidden....><input type=hidden....><input type=submit...></form></td>). So maybe you have any suggestions regarding the formatting of a form inside a table cell, or maybe even another way of preventing users from accessing whichever records they want by hand. Maybe just guaranteeing that the user comes from the grid page would be enough????
Please HELP!
TIA
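The requirement in the post above is that the record page must only ever change records the grid showed to that user. Moving the record id from the query string into a hidden POST field changes where the id travels, not who can set it, so the check has to happen on the server for every request. The following is an added example, not code from the thread or from any framework it uses; the record table, the user names and the handler names (RECORDS, load_record, try_open) are constructed for the demo.

```python
# Added example: a server-side ownership check for a "record" page.
# Whether the id arrives by GET or POST is irrelevant; the handler re-runs the
# same filter the grid page used and refuses ids outside that set.
# All data and names below are constructed for the demonstration.

# Constructed sample data: record id -> owner and a title.
RECORDS = {
    101: {"owner": "alice", "title": "Alice's order"},
    102: {"owner": "alice", "title": "Alice's second order"},
    201: {"owner": "bob", "title": "Bob's order"},
}


class Forbidden(Exception):
    """Raised when a user asks for a record the grid would not have shown them."""


def allowed_record_ids(user):
    """The same query the grid page uses to list this user's records."""
    return {rid for rid, rec in RECORDS.items() if rec["owner"] == user}


def load_record(user, params):
    """Handler for the record page.

    `user` is the authenticated user from the session (never from the form);
    `params` is the merged GET/POST field dictionary. The submitted id is
    treated as untrusted input and checked against the user's own record set.
    """
    try:
        record_id = int(params.get("id", ""))
    except ValueError:
        raise Forbidden("missing or malformed record id")
    # Re-run the grid's filter instead of trusting the id the browser sent.
    if record_id not in allowed_record_ids(user):
        raise Forbidden("user %r may not open record %d" % (user, record_id))
    return RECORDS[record_id]


def try_open(user, params):
    """Wrapper returning a short outcome string so the demo can be inspected."""
    try:
        return "ok: " + load_record(user, params)["title"]
    except Forbidden as exc:
        return "denied: " + str(exc)


if __name__ == "__main__":
    print(try_open("alice", {"id": "101"}))  # id from alice's grid link
    print(try_open("alice", {"id": "201"}))  # hand-edited id: denied
    print(try_open("alice", {"id": "abc"}))  # garbage id: denied
```

The important design point is that `user` comes from the server-side session and the allowed set is recomputed on each request, so a hidden field, a query string and a bookmarked URL are all handled identically.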
Andrew B
Posted: 11/25/2002, 11:50 AM

Forms normally have some sort of spacing, so there isn't much you can do to fix that.
1. You could encrypt the key with a fairly simple algorithm. There are many freely available on the web.
2. Why not just put the form somewhere else on the page entirely, with all the fields just sitting around waiting to be filled. You could then fill those fields with javascript fired from a link/button and submit the form. You would have to generate a function call in the link, and put all the code to fill/submit the form in a function.
    function fillAndSubmit() {
        document.forms.formname.fieldname.value = 321;
        document.forms.formname.submit();
    }
3. Check HTTP_REFERER to see if it is the page you expected the user to come from. This could be a problem if the user bookmarks the page, though.
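Suggestion 1 above (protecting the key) and suggestion 3 (checking HTTP_REFERER) are shown together in this added example, which is not code from the thread. Instead of encrypting the id, the server signs it with an HMAC keyed by a server-side secret and bound to the user's session, so a hand-edited id or a token copied from another session fails verification; the Referer helper is included to show why it can only ever be a hint. SECRET, the session ids, and the helper names are assumptions made for the demo.

```python
# Added example: a tamper-evident record link and a Referer check.
# sign_record_id() produces the value the grid puts in each link; the record
# page calls verify_record_token() before touching the database. The secret
# and session ids below are constructed for the demonstration.
import hashlib
import hmac

SECRET = b"server-side secret, never sent to the browser"  # constructed


def sign_record_id(record_id, session_id):
    """Return "<id>.<mac>" where the MAC covers both the id and the session."""
    msg = ("%s:%d" % (session_id, record_id)).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return "%d.%s" % (record_id, mac)


def verify_record_token(token, session_id):
    """Return the record id if `token` is valid for this session, else None.

    Any edit to the id part, any MAC not produced by this server, and any
    token minted for a different session all fail here.
    """
    try:
        id_part, _mac = token.split(".", 1)
        record_id = int(id_part)
    except ValueError:
        return None
    expected = sign_record_id(record_id, session_id)
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if hmac.compare_digest(expected, token):
        return record_id
    return None


def referer_is_grid(headers, grid_url):
    """Andrew B's Referer idea as a function.

    It is only a hint: the header is absent on bookmarks (as the post notes)
    and the client controls it, so it must not replace verify_record_token().
    """
    return headers.get("Referer", "") == grid_url


if __name__ == "__main__":
    token = sign_record_id(101, "sess-alice")
    print("grid link carries:", token)
    print("valid:", verify_record_token(token, "sess-alice"))
    mac = token.split(".", 1)[1]
    print("id edited to 201:", verify_record_token("201." + mac, "sess-alice"))
    print("bob's token in alice's session:",
          verify_record_token(sign_record_id(201, "sess-bob"), "sess-alice"))
    print("bookmarked (no Referer):",
          referer_is_grid({}, "http://example.test/grid"))
```

Binding the MAC to the session id is what makes the token mean "this user saw this record in the grid" rather than merely "this server generated this link once". The same secret can be rotated without touching stored data, since tokens live only in the rendered page.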
Latifa
Posted: 11/25/2002, 12:56 PM

We create a new window (using JavaScript) from the login page, which does not have a location bar. All pages are presented within this window. The user can't type in any URLs or change query strings.
Users can still see the URL in the status bar - so you can remove that too to be safer.