how to use post rather than get
heaps21
02-29-2004, 08:23 PM
Hi, I have some code which loops and prints links. Each link has different values for its variables on the end of the URL. As someone pointed out the other day it would be better for security to use a post instead, I just cant think of a way to do it with this code. The code is this:
$rota_type_query = "SELECT rota_id, rota_name, no_required from rota_type";
$rota_type_result = mysql_query($rota_type_query);
$num_rows = mysql_num_rows($rota_type_result);
if($num_rows>0)
{
    print "<table>";
    while($rota=mysql_fetch_array($rota_type_result))
    {
        $rota_id=$rota["rota_id"];
        $rota_name=$rota["rota_name"];
        $no_of_people=$rota["no_required"];
        // one row per rota type, with edit/delete links carrying the values in the query string
        print "<tr><td>$rota_name </td><td><a href='edit_rota_type.php?rota_id=$rota_id&rota_name=$rota_name&no_of_people=$no_of_people' target='_self'>edit</a></td>";
        print "<td><a href='delete_rota_type.php?rota_id=$rota_id&rota_name=$rota_name&no_of_people=$no_of_people' target='_self'>delete</a></td></tr>";
    }
    print "</table>"; // close the table opened before the loop
}
Thanks, Andy.
SDP2006
02-29-2004, 08:47 PM
Think we'll need more code. I don't even see where you have declared a $_GET variable...
heaps21
02-29-2004, 08:59 PM
That is pretty much all of the code; all of the "getting" is done on the page that the link refers to. As it is, it works fine, but I don't want to compromise on security. The only way I could think to do this was to turn it into a form and have every variable that is appended to the URL as a hidden field. But, as it is at the moment, the URL is generated on the fly, so I can't think how to account for that in terms of a form.
firepages
03-01-2004, 02:57 AM
The variables sent via the query string are the GET variables.
You could use JavaScript and a hidden form, e.g.
<a href="#" onclick="submitForm('var1','var2','etc');">link</a>
where submitForm fills in hidden fields in your hidden form and document.formname.submit()'s that form. If you want to go that path, ask in the JavaScript forum.
I personally would not bother; query strings make the world go around ;) and your mission, should you accept it, is to make sure that if someone alters your query string it has no adverse effects on the rest of your script.
Making your script use POST is NO more secure (though an extra bit of work for the 'attacker') than GET.
Time spent making your script secure with the assumption that an attacker can alter any incoming data is better spent than time obfuscating information which adds no real security to your script.
heaps21
03-01-2004, 12:24 PM
I personally would not bother; query strings make the world go around ;) and your mission, should you accept it, is to make sure that if someone alters your query string it has no adverse effects on the rest of your script.
Making your script use POST is NO more secure (though an extra bit of work for the 'attacker') than GET.
Thanks for the helpful reply! As you said above, if there is no point in terms of security in using POST rather than GET, how would I go about ensuring that if the user tries to edit the query string it doesn't mess things up?
Thanks again, Andy.
mordred
03-01-2004, 12:48 PM
That depends on the application. In your example, you would pass the id to a database record per GET, which is fine. Assuming that this id is always a positive number, I would validate in my code that the incoming value of $_GET['id'] is actually in a numerical format.
A good and needed measure is to always use addslashes() or mysql_escape_string() for values that will be used in SQL queries, to prevent any SQL injection attack. Quick example:
$password = $_GET['password'];
$sql = "SELECT name FROM users WHERE password = '$password'";
$result = mysql_query($sql);
if (mysql_num_rows($result) == 1) {
    echo 'User authenticated';
}
The code above is bad, because you could taint the value of "password" in the query string, and get unauthorized access through this faulty login routine. Don't do this!
Better:
$password = addslashes($_GET['password']);
// as before
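An added example, not code from this thread, of the approach firepages and mordred describe applied to Andy's delete link: the receiving page trusts only a validated rota_id from the query string, reads the other fields back from the database, and binds the id with a prepared statement (shown with PHP's mysqli extension rather than the mysql_* functions used above; table name is from the thread, connection parameters are placeholders).

```php
<?php
// delete_rota_type.php - hardened receiving page (example, not the thread's code).
// Only rota_id is taken from the query string; rota_name and no_of_people are
// looked up from the database, so tampering with them in the URL has no effect.

// Returns a positive integer id, or null if the raw value is anything else.
function validate_rota_id($raw): ?int
{
    // Must be a string of decimal digits (no sign, spaces, quotes or SQL),
    // short enough to fit in an int, and greater than zero.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Deletes one row by id. The value is bound as an integer parameter, so it is
// never interpolated into the SQL text and cannot alter the query.
function delete_rota_type(mysqli $db, int $rota_id): bool
{
    $stmt = $db->prepare("DELETE FROM rota_type WHERE rota_id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("i", $rota_id);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

$rota_id = validate_rota_id($_GET['rota_id'] ?? null);
if ($rota_id === null) {
    // Reject rather than guess: "1 OR 1=1", "abc", "" and "-5" all end here.
    http_response_code(400);
    exit('Invalid rota_id');
}

// Placeholder connection details; replace with your own.
$db = new mysqli('localhost', 'db_user', 'db_password', 'rota_db');
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}

// Escape on output as well, so a rota_name containing HTML cannot break the page.
echo delete_rota_type($db, $rota_id)
    ? 'Deleted rota type ' . htmlspecialchars((string) $rota_id, ENT_QUOTES, 'UTF-8')
    : 'No such rota type';
```

The same validate_rota_id() check belongs at the top of edit_rota_type.php, with the edit form populated from a SELECT on the validated id instead of from rota_name and no_of_people in the URL.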