0

I have a form that is populated by data from a MySQL database. To make an update/edit to the form I would like to use the primary key of that record. How can I pass the primary key to the page securely once the page is submitted. I do not want to use $_GET as any user can change this on the URL and embedding the primary key in a hidden form field can also be sabotaged and is visible in the html source. The action is being done on the same page(see code block below). The processing is being done on the same page so I am not sure whether sessions will work.

//Load the data from the database
  if(isset($_GET['menu_id'])){
       $menu_id = (int)$_GET['menu_id'];
       $menu = new Menu();
       $menu_item = $menu->get_menu_items_by_id($menu_id);
  }
  else{
       //The user has possibly edited the URL
       $message = "Please select an option to edit";
       redirect_to($PHP_SELF . '?message=' . $message);
  }
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>">

<div>
<label>Name</label>
<input type="text" name="name" value="<?php echo $menu_item->name ?>">
</div>


<div>
<label>Title</label>
<input type="text" name="title" value="<?php echo $menu_item->title ?>">
</div>


<div>
<label>Is default page</label>
<input type="radio" name="is_default_page" value="1" 
    <?php 
        if($menu_item->is_default_page == 1) 
            {
            echo "checked"; 
            }?>
     >Yes
<input type ="radio" name="is_default_page" value="0" 
        <?php 
        if($menu_item->is_default_page == 0) 
            {
            echo "checked"; 
            }?>

     >No    
</div>

<div>
<label>Page name</label>
<input type="text" name="page" value="<?php echo $menu_item->page ?>" />
</div>

<div>
<label>Menu type</label>
<select name="menu_type">
    <?php
    //Display the options of the menu types available
    $menu_type_array = $menu->get_menu_types();
    draw_select($menu_type_array, 'name', 'id', $menu->menu_type_id);
    ?>
</select>
</div>

<div>
    <label>Page type i.e what is the page used for</label>
    <select name="page_type">
        <?php
        $page = new Page();
        $page_type_array  = $page->get_page_types();
        draw_select($page_type_array, 'name', 'id', $menu->page_type_id)
        ?>
    </select>
</div>

<div>
    <label>Position</label>
    <select name="position">
        <?php
        //Count the number of menus in the database

        $number_of_menu_items = $menu->count_menu_items() + 1;
        for($i=1; $i<=$number_of_menu_items; $i++){
            echo "<option value=\"{$i}\"";
            if($i==$menu->position){
                echo "selected = \"selected\"";
            }
            echo ">";
            echo "{$i}";
            echo "</option>";
        }

        ?>
    </select>
</div>

<div>
    <input type="submit" value="Add Menu" name="edit_menu" />
</div>


<form>
Improve this question
2
  • You should escape your output. Nothing seems to stop me from entering a page title of <script>alert('hi there')</script> Commented Sep 5, 2012 at 8:59
  • @Jack. Thx. Since I started using prepared statements, I stopped :(. Tried it on my input and to my amazement ... Thanks again Commented Sep 5, 2012 at 10:28

2 Answers 2

Reset to default
2

What is the concern here? Yes, a user can change the id of the record being edited, so the entered data will be saved to another record.

...

So what? It's not any different from the user going to the page of that other record and editing it there directly. You still have access controls in place that check if the user is allowed to edit the record to begin with, right? You also have data validation in place that validates that the submitted data is valid for the specific record, right?

Then there's no real concern here. If the user is able to edit a particular record, he's able to do so one way or another. Simply putting the id in the URL is perfectly sufficient.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for the quick response. I might need to add user rights to accomplish the level of security that I want. I do not want users using the GET or hidden variables to make changes to fields .
0

If a use can easyly change your $_GET or $_POST datas, it is not a security issue. In fact, you can put it on your $_GET url if it is only a display request (and, of course, in that case, your php code has to ensure that it can be displayed by the user), and on your $_POST datas if you want to modify the datas stored in your data base.

It is the purpose of get and post request, do not try to invent something with an other tool. It will be a mess to keep it working in the future.

Improve this answer

2 Comments

Thanks. However having the capacity to $_GET or $_POST data can be a security issue especially if the data is unique to different users. Changing a value in the GET variable can give you access to records for another user. In my case, I will need to add user rights so that I get the level of security that I require.
not at all. It is up to you to check if the current user can access to the data he requires.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.