Good day. There is markup:

    <div>
      <h1>Статья 1</h1>
      <form action="#" method="POST">
        <button type="submit" name="sandId">Добавить статью</button>
      </form>
    </div>
    <div>
      <h1>Статья 2</h1>
      <form action="#" method="POST">
        <button type="submit" name="sandId">Добавить статью</button>
      </form>
    </div>

All of the data in the markup is output by PHP and pulled from the database. Each article has its own unique number. I need it so that when the sandId button is clicked, the id of the record to which the form is attached is passed to the handler file. I tried doing it like this:

    <div>
      <h1>Статья 1</h1>
      <form action="#" method="POST">
        <input type="hidden" name="id" value="1"/>
        <button type="submit" name="sandId">Добавить статью</button>
      </form>
    </div>
    <div>
      <h1>Статья 2</h1>
      <form action="#" method="POST">
        <input type="hidden" name="id" value="2"/>
        <button type="submit" name="sandId">Добавить статью</button>
      </form>
    </div>

But this option does not suit me: the values of the hidden fields, that is, the ids of the articles, are taken from the database and the user should not see them. Nor should he be able to change them directly in the browser.

  • I apologize if it is not explained very clearly. - Alexey Vladimirovich
  • When implementing security protocols, forget that you have a page. Any HTTP request can come from the user. - vp_arth
  • You'd better start by separating logic and presentation (PHP and markup) into different files; it would be much easier. - teran
  • @vp_arth, in more detail if possible. I just need it so that when I click a button in a record block (there can be many of them), I get the id of that record, the one the button is in. - Alexey Vladimirovich
  • @teran Well, now try to edit. - Alexey Vladimirovich

1 answer

You can write a function that, when generating the page with the forms, would insert into the forms not the real record identifiers from the database but some conventional strings or numbers. Whenever data comes back from the user, the same function would compute everything in reverse order. It is important to add some kind of "salt" that would guarantee the decoded data belongs to a record, for example the creation date of the record in the database. But it is easier to use encryption. Or use password-hashing logic (the easiest).

For example, we take from the database the record identifier and the date and time the record was created (as the "salt"). We join them together, bringing them, for example, to the form 174_2017-23-02_23-00 (it is best not to put the record id at the expected place at the beginning, but somewhere else, such as between the date and the time; users do not know what is twisted how here).

Then we use password_hash() (documentation). We get a hash of the form $2y$10$3KYZHiFhKHNB7.yJUGXJf.zR6Z8uc4.pdPsKbTTMDoApsp8CBY5qe, which we output to the user in a hidden field.

When receiving data from the user, we verify that what was received is what it should be, for example using password_verify() (documentation).

If the user wants to tweak something on his page, he will not be able to find out what the data is and will not be able to do anything. The idea, I hope, is clear.

  • As for hashing: if there are 30 such buttons on the page, you will need to compute 30 hashes to find out which one it is. I.e. in any case there is a certain whitelist on the server to compare against. But if there is no difference, why pay more? With encryption it is another story; in principle such a scenario is possible. But you cannot encrypt all the fields: you need to give the user something to edit ) - vp_arth
  • Thank you very much, I will dig in this direction. Do I understand correctly that if I have 30 such records in the database, I will need to pull them all out and then go through and encrypt the data of each of them to compare with what came from the user using password_verify()? Is this not critical in terms of efficiency? Purely theoretically, I think that 30 such records will most likely never accumulate) - Alexey Vladimirovich
  • Although you can also try adding another field to the database table with the date of addition, which will be hashed. And transmit the hash of the date of addition + the hash of a secret word, for example by concatenating these hashes. Then just parse the resulting string and search directly in the database by that field. - Alexey Vladimirovich
  • Well, something like that, yes. Try, experiment. Normal hashing is relatively fast. You got the gist; now practice. Good luck. - n.osennij
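The scheme from the answer (bcrypt hash over id + creation time in the hidden field, password_verify() over the candidate records on POST) and the O(N) cost vp_arth raises in the comments, as an added PHP example that is neither the answer's nor the asker's code. It assumes a table with columns id and created_at; the $articles rows below are constructed sample data standing in for that query.

```php
<?php
// Added example: hide each record id in the hidden field as a bcrypt hash over
// id + creation time, and recover the record on POST with password_verify().
// $articles is constructed sample data standing in for SELECT id, created_at.
$articles = [
    ['id' => 174, 'created_at' => '2017-02-23 23:00:00'],
    ['id' => 175, 'created_at' => '2017-02-24 09:15:00'],
];

// String to hash: the id goes between the date and the time, as the answer
// suggests, so the layout is not obvious to anyone reading the hidden field.
function tokenSource(int $id, string $createdAt): string
{
    [$date, $time] = explode(' ', $createdAt, 2);
    return $date . '_' . $id . '_' . $time;
}

// Value for the hidden field; password_hash() adds its own random salt, so the
// same record yields a different string on every page load.
function hiddenValue(array $article): string
{
    return password_hash(tokenSource($article['id'], $article['created_at']), PASSWORD_BCRYPT);
}

// On POST: which record does the submitted value belong to? Every candidate
// costs one bcrypt check, which is the O(N) cost vp_arth points out.
function resolveArticleId(string $submitted, array $articles): ?int
{
    // Anything that is not a bcrypt string cannot match; skip the work.
    if (empty(password_get_info($submitted)['algo'])) {
        return null;
    }
    foreach ($articles as $a) {
        if (password_verify(tokenSource($a['id'], $a['created_at']), $submitted)) {
            return $a['id'];
        }
    }
    return null; // tampered, stale or unknown value: do not act on it
}

// Rendering: one form per record, hash escaped for the attribute context.
foreach ($articles as $a) {
    $v = htmlspecialchars(hiddenValue($a), ENT_QUOTES, 'UTF-8');
    echo '<form action="#" method="POST"><input type="hidden" name="id" value="' . $v . '"/>'
       . '<button type="submit" name="sandId">Добавить статью</button></form>', "\n";
}
// Handling: in the real handler $_POST['id'] replaces the simulated value.
$posted = hiddenValue($articles[1]);
echo "resolved: ", var_export(resolveArticleId($posted, $articles), true), "\n";
echo "tampered: ", var_export(resolveArticleId('x', $articles), true), "\n";
```

Because each candidate costs a full bcrypt verification at the default cost, keep the candidate list to the records actually rendered on that page rather than the whole table.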