Hide URL parameters

(9 posts) (2 voices)
  • Started by ken@pesttrend.com
  • Latest reply from ken@pesttrend.com
  1. ken@pesttrend.com, Member

    I am generating a drill through report. The drill through report is presented on a new page.

    Here is my code

    select 'dbr.url', 'http://localhost/pesttrend/PDF_report.php?reportname=mydbr_station_type_chart&reporttype=onscreen&selectedcompanyid=[Companyid]', '[Companyname]', 'new_window', 'http_method=post';

    I don't want to show the parameters such as "selectedcompanyid" in the url and thought I would use 'http_method=post' but parameters are still showing in the URL.

    Can you please show me an example of how I hide the parameters in the URL.

  2. myDBR Team, Key Master

    The file "PDF_report.php" is your own application's code?

    First of all, is it able to handle parameters via POST?

    The 'http_method=post' is meant for myDBR reports which need to send large amount of data (greater than what browser's allow in GET), not really meant to post forms to external code.

    If your application allows use of POST, you can do that with JavaScript, but if you are just trying to hide things from URL for security, note that the POST does not really change things.
    myDBR Team

  3. ken@pesttrend.com, Member

    Thanks for the reply. Yes the file PDF_report.php is my application file and yes it can handle parameters via POST (this is how it is done in the old system I am looking to replace with myDBR).

    Looks like Javascript is the way to do this. Can you point me in the direction of an example using Javascript passing parameters via POST ?

  4. myDBR Team, Key Master

    You could so something like:

    select 'dbr.colclass', 'Companyname', 'name';
    select 'dbr.colclass', 'Companyid', 'id';
    select 'dbr.colstyle', 'Companyname', '[cursor:pointer]'; select 1 as Companyid, 'Company 1' as Companyname
    select 2, 'Company 2'; select 'dbr.javascript', '
    $(document).on("click", ".name", function() {
    $.post( "http://localhost/pesttrend/PDF_report.php",
    reportname: "mydbr_station_type_chart",
    reporttype: "onscreen",
    selectedcompanyid: $(this).closest("tr").find(".id").text()
    function(data) {
    var w = window.open("about:blank");
    if (w == null) {
    alert("Window opening blocked by browser");
    } else {
    }).fail(function() {
    alert( "Cannot access the page" );
    }); })
    ', 'onload';

  5. ken@pesttrend.com, Member

    Thank you very much for that, I really appreciate the example. I will give that a go.

  6. myDBR Team, Key Master

    Note that you should use POST only when you intend to change things. It is not a "security replacement" of a GET.

    myDBR Team

  7. ken@pesttrend.com, Member

    I would use GET but the problem I see is that having the parameter in the URL it is a an easy step to change the number and view someone elses data. i.e if the selectedcompanyid is 45 and it clearly says that in the url you just have to change 45 to 46 and reload the page and now you see the data for company 46.

    By channeling the parameters via POST at least they were not visible.

    If there is a more secure approach then I'm open to suggestions.

  8. myDBR Team, Key Master

    Using POST for "security" is not something you should do. Using POST does not make the request any safer (one can also change the POST parameters) and the POST is not replacement for GET. POST is intended for changing things.

    To secure the URL from user changes, you can calculate a hash value from the parameters you wish to protect. Take a look how myDBR does the same thing.

    myDBR Team

  9. ken@pesttrend.com, Member

    Perfect. That's what I was missing. Thanks for all your help. So far I'm very impressed with the product and the supporting forum. Keep up the good work.


You must log in to post.