How to prevent filling the parameter through the URL parameter

Hi all,

Please help me: how do I prevent a user from changing the parameter id through the URL parameter?
I have an application, say “form_Employee”.
This application has an ID that is passed from grid_Employee. But, unfortunately, in form_Employee itself, the user can change the ID by typing form_Employee?index.php?id=XXX
I don’t want to let this happen, because the data is personal and can’t be seen by all people.
:frowning:

thanks

Dholep

If it's a global variable, try changing the GET to POST and see what happens.

Moreover, if you care about this, you should restrict access for this user on that record using restrictions like security-module-based permissions.

[QUOTE=MikeDE;33230]If it's a global variable, try changing the GET to POST and see what happens.

Moreover, if you care about this, you should restrict access for this user on that record using restrictions like security-module-based permissions.[/QUOTE]

Hi Mike,

Thanks for the reply.
That application can be accessed by all people, but what I want is that the user cannot change the ID by typing in the URL…
This application is triggered by the grid using Grid link to application… What do you mean by suggesting to change GET to POST? :slight_smile:

regards
Dholep

Dholep,

If you want to disable the URLs then simply turn off “Friendly URL” capability.

Dave

[QUOTE=daveprue;33236]Dholep,

If you want to disable the URLs then simply turn off “Friendly URL” capability.

Dave[/QUOTE]

Hi Thanks Dave,

I’ve tried that one… and it’ll be http://friendly-URL/
But the user still types something like this: http://friendly-URL/index.php?id=XXX ==> with this XXX he attempts to change his ID
:frowning:

Turn OFF not ON

Oops, misreading :slight_smile:

What do you mean by turning off the friendly URL? Before, I left it blank… does that mean it's turned off?

thanks

Regards
Dholep

Dave, dholep, friendly URL will not do what dholep wants.

See, if you only want to remove it from the URL, then try the POST and GET thing in global variables. I didn’t try it, but it would be interesting to hear what you get. This basically doesn’t pass the parameters in the URL itself but uses an alternative HTTP header.

Another idea is to have a menu application at the start of the project. This will prevent the URL from showing at all times; it will show “serverpath/projectpath/menu” and will not change while the user is working on your project.

But (a big but) :slight_smile: if you want to DISALLOW the user from typing in the URL and getting a record which he is not supposed to see, then you have to apply a different methodology to get this done, like security and permissions.

Because even if you manage to remove the id from the URL, someone who is IQ3+ will check your page source code and type the URL with a different ID, and it will still work.
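The "security and permissions" approach from the post above, as an added example that is not from the thread and is not ScriptCase code: the id is checked on the server against the logged-in user, so it does not matter whether it arrives by GET, POST or a hand-typed URL. The session layout, the role name `hr`, the function name and the sample table are all assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the employee table.
const EMPLOYEES = [
    101 => ['id' => 101, 'name' => 'Alice', 'manager_id' => 300],
    102 => ['id' => 102, 'name' => 'Bob',   'manager_id' => 300],
    300 => ['id' => 300, 'name' => 'Carol', 'manager_id' => null],
];

final class AccessDenied extends RuntimeException {}

/**
 * Return the employee row only if the logged-in user may see it.
 * $login comes from the server-side session; $rawId comes from the
 * request (GET or POST, both are fully under the user's control).
 * Hypothetical helper, not a ScriptCase function.
 */
function load_employee(array $login, $rawId): array
{
    // Accept only a plain positive integer that exists in the table.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !array_key_exists($id, EMPLOYEES)) {
        throw new AccessDenied('not found');
    }
    $row = EMPLOYEES[$id];
    $isOwner   = $row['id'] === $login['employee_id'];
    $isManager = $row['manager_id'] === $login['employee_id'];
    $isHr      = $login['role'] === 'hr';
    if (!$isOwner && !$isManager && !$isHr) {
        // Record the attempt so id probing is visible in the logs.
        error_log(sprintf('denied: user %d requested employee %d',
            $login['employee_id'], $id));
        // Same answer as a missing row, so valid ids are not revealed.
        throw new AccessDenied('not found');
    }
    return $row;
}

// Simulated requests from Alice (constructed session data): her own
// record, a colleague's record, and a malformed id.
$alice = ['employee_id' => 101, 'role' => 'staff'];
foreach (['101', '102', '102 OR 1=1'] as $requested) {
    try {
        echo $requested, ' => ', load_employee($alice, $requested)['name'], PHP_EOL;
    } catch (AccessDenied $e) {
        echo $requested, ' => denied', PHP_EOL;
    }
}
```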

[QUOTE=MikeDE;33242]Dave, dholep, friendly URL will not do what dholep wants.

See, if you only want to remove it from the URL, then try the POST and GET thing in global variables. I didn’t try it, but it would be interesting to hear what you get. This basically doesn’t pass the parameters in the URL itself but uses an alternative HTTP header.

Another idea is to have a menu application at the start of the project. This will prevent the URL from showing at all times; it will show “serverpath/projectpath/menu” and will not change while the user is working on your project.

But (a big but) :slight_smile: if you want to DISALLOW the user from typing in the URL and getting a record which he is not supposed to see, then you have to apply a different methodology to get this done, like security and permissions.

Because even if you manage to remove the id from the URL, someone who is IQ3+ will check your page source code and type the URL with a different ID, and it will still work.[/QUOTE]

Hi Mike,

Thank you for your explanation…
Yes, we can deceive it by providing the menu so the URL is hidden by the iframe…
The other way you mentioned, using the POST and GET method -> I don’t understand, since this application is called by the grid link to application and the id was the parameter.

Okay, just give it a try. If you have global variables, there is POST and GET; try to play with them and see what happens.