
Code abuse prevention


#1
shibbythestoner

Hi, I could use some advice if anyone's up to it:

Let's say I'm making a game where certain things - for instance, items - have IDs in their records.
Something like this:
CREATE TABLE items(
id INT NOT NULL AUTO_INCREMENT,
name TINYTEXT NOT NULL,
...properties, etc...
PRIMARY KEY(id)
)
Now if I were to make a form where you can, for example, "pick up" an item:
<form action='pickup.php' method='post'>
<font color='green'>You have found this item:<br>[itemname]<br></font>
<input type='hidden' name='itemID' value='[item ID from database]'>
<input type='submit' value='Pick it up!'>
</form>
and now in the PHP file it gives the item to the user's own record in another table.
However, this is obviously far too insecure. Anyone could save and edit the form and hax my database by changing the ID in the hidden itemID field.

If anyone could help me work out a practical solution I would be very grateful.

#2
ETbyrne

You could use cookies to store an encrypted itemID.
My website > www.evanbot.com

#3
shibbythestoner

There's an idea! Thanks very much.

#4
palh0ta

I dislike the use of cookies at all.

Can you explain why you need to store the values in a hidden field or in a cookie?

What's the big goal?

#5
John

I do not fully understand what you are trying to accomplish, but generally I tend to use session variables in place of cookies / hidden form fields.

#6
shibbythestoner

Sorry for not replying, I only just got the e-mail.
I thought the session variable used cookies if possible? That's what I gathered anyway, so perhaps I've read wrongly.

#7
John

Sessions can be thought of as server-side cookies. Realistically, a cookie creates a file on the user's computer; sessions allow you to store information on the server.
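
The session approach suggested above, applied to the pickup form from the first post, as an added example that is not code from the thread: the server keeps the found item's ID in `$_SESSION` and the form carries only a random single-use token, so editing the form cannot select a different item. The function names, the `offer` session key and the `token` field name are assumptions.

```php
<?php
// Added example, not code from the thread. offer_item(), claim_offer(),
// the 'offer' session key and the 'token' field are assumed names.
declare(strict_types=1);

// Called by the page that prints "You have found this item". The item ID stays
// on the server; the browser only receives an unguessable token.
function offer_item(int $itemId): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['offer'] = ['item_id' => $itemId, 'token' => $token];
    return $token; // put this in the hidden field instead of the item ID
}

// Called by pickup.php with $_POST['token']. Returns the item ID the server
// itself offered, or null when there is no offer or the token does not match.
// The offer is discarded on every attempt, so a form cannot be replayed.
function claim_offer($postedToken): ?int
{
    $offer = $_SESSION['offer'] ?? null;
    unset($_SESSION['offer']);
    if (!is_array($offer) || !is_string($postedToken)) {
        return null; // nothing offered, or token sent as an array (token[]=x)
    }
    if (!hash_equals($offer['token'], $postedToken)) {
        return null; // constant-time comparison failed
    }
    return $offer['item_id'];
}

// Constructed walk-through on the command line (no web server needed).
// In the real pages, call session_start() first instead of resetting $_SESSION.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token = offer_item(42);           // constructed item ID
    var_dump(claim_offer('forged'));   // edited form: wrong token
    $token = offer_item(42);
    var_dump(claim_offer($token));     // genuine submit
    var_dump(claim_offer($token));     // same form submitted a second time
}
```

pickup.php then writes the returned ID to the user's record with a prepared statement and rejects the request when `claim_offer()` returns null.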