[nycphp-talk] Query result state strategy
shiflett at php.net
Fri Feb 17 09:21:57 EST 2006
> I've become a believer.
> I disable buttons that are not allowed, so only valid actions can
> be submitted, but it would be trivial to submit a button that has
> been disabled.
> When I receive a button submission for a particular row, I query
> the row from the db, and check to see if this action is allowed
> based upon the status fields.
Stated differently, you're trying to be sure that the status fields you
included in the form haven't been tampered with, right?
Carlos's suggestion is good for helping to verify integrity. It would
also be pretty easy to modify your approach to do this instead of query
the database. I have no idea what your SQL query looks like (which is a
good thing), but it's a good candidate for hashing, because it
presumably contains all of the data you're checking, you already take
the time to construct the string, and it's something you can reliably
Hope that helps.
Brain Bulb, The PHP Consultancy
More information about the talk