Restricting available url parameters

Posted: Tue Apr 27, 2010 1:18 am
by tomhousley
Hello,

Say I have a table consisting of companies called tbl_companies:

Code:
com_id
com_companyname
com_description
com_status

I can access these via URL parameters, e.g. example.com/index.php?-table=tbl_profiles&com_id=2

Is there a way to restrict people from using the other fields such as: example.com/index.php?-table=tbl_profiles&com_companyname=foo

I don't necessarily want to restrict them from viewing the company name, I just want to restrict their ability to apply their own URL parameters.

Many thanks, Tom

Re: Restricting available url parameters

Posted: Wed Apr 28, 2010 1:03 am
by PolderBoy
Hello Tom,

Yes, you could use the function:

Code:
function init(&$table)
{
   // Called once when this table is loaded
   if ( isset($_REQUEST['com_companyname']) and @$_REQUEST['-table'] == 'tbl_profiles' )
   {
      $_REQUEST['-table'] = $_GET['-table'] = 'tbl_profiles';
   }
}

You would place this function in 'tbl_profiles.php' and in the class 'tables_tbl_profiles'.
This is not tested code, so there could be some errors in it.
But you get the drift. I hope.

PolderBoy

Re: Restricting available url parameters

Posted: Tue May 04, 2010 8:58 am
by shannah
I think PolderBoy is on the right track. If you place this code in the init() method, it will be called once when that particular table is loaded. However, this is a bit touchy because you still want some users (like the admin) to be able to use these parameters.

Why do you want to restrict users from searching on these parameters? There may be a better approach to achieve your security goals, but I'd need to know more about the goal in order to comment.

-Steve
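
The approach discussed in this thread, written as an allowlist rather than a check for one blocked field. This is an added example, not code from any poster or from the framework itself. It assumes that parameters beginning with "-" (such as -table) are control parameters and everything else is a visitor-supplied field filter; the function name, the policy array and the $isAdmin flag are hypothetical.

```php
<?php
// Added example. Assumption: parameters starting with "-" (such as -table)
// are control parameters; any other parameter is a field filter.

/**
 * Return a copy of $params in which field filters that are not on the
 * allowlist for the requested table have been removed.
 */
function filter_url_params(array $params, array $allowed, bool $isAdmin): array
{
    // Caveat raised in the thread: privileged users keep every filter.
    if ($isAdmin) {
        return $params;
    }

    $table = (isset($params['-table']) && is_string($params['-table']))
        ? $params['-table']
        : '';
    // A table with no policy entry gets no field filters at all.
    $permitted = $allowed[$table] ?? [];

    $clean = [];
    foreach ($params as $name => $value) {
        $name = (string) $name;   // numeric keys arrive as integers
        $isControl = strncmp($name, '-', 1) === 0;
        if ($isControl || in_array($name, $permitted, true)) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Hypothetical policy: visitors may filter tbl_profiles by com_id only.
$allowed = ['tbl_profiles' => ['com_id']];

// Constructed requests matching the two URLs in the question.
$byId   = ['-table' => 'tbl_profiles', 'com_id' => '2'];
$byName = ['-table' => 'tbl_profiles', 'com_companyname' => 'foo'];

var_dump(filter_url_params($byId, $allowed, false));   // visitor, allowed field
var_dump(filter_url_params($byName, $allowed, false)); // visitor, other field
var_dump(filter_url_params($byName, $allowed, true));  // admin, other field
```

The filtered array has to be applied before the framework reads the request for the change to take effect, and control parameters are passed through untouched here, so they need their own policy if they also matter.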