Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Wed Feb 3 23:10:19 CET 2010


Am 03.02.10 19:01, schrieb Alan Harris-Reid:
> I have a web-page where each row in a grid has edit/delete buttons to
> enable the user to maintain a selected record on another page. The
> buttons are in the form of a link with href='/item_edit?id=123', but
> this string appears in the URL and gives clues as to how to bypass the
> correct sequence of events, and could be risky if they entered the URL
> directly (especially when it comes to deleting records).
>
> Is there another way of passing a record-id to a method
> a) without it appearing in the URL?

You can populate an invisible HTML-form with the values, and submit that 
- of course you need javascript for this.

But this doesn't increase security a bit. Using an extension to FF such 
as HTTP live headers, it's easy enough to figure out what parameters are 
passed, and simply forge a request.


> b) without the user being able to fathom-out how to attach which id to
> which URL?

Paul already mentioned that - you can create a server-side, 
session-stored action-item that is identified by a hash of some sort. 
Then use that hash as parameter.

But I'd say you should instead make sure that your serve actions perform 
authorization checking before performing any operations. Then you don't 
need to worry - even guessing a hash argument won't work then.

>
> As each link contains row-id, I guess there is nothing to stop someone
> from getting the id from the page source-code. Is it safe to use the
> above href method if I test for authorised credentials (user/password
> stored as session variables, perhaps?) before performing the edit/delete
> action?

You should of course always do that. Every http-action except login 
should be guarded (unless you allow anonymous access of course).

Diez



More information about the Python-list mailing list