Can I change a URL? 
Author Message
 Can I change a URL?

I have a standard HTML table:

John Jones  EDIT
Mary Smith   EDIT

The "EDIT" is a standard HTML link..... href "PHP_SELF?id=765 (whatever cust
num is.)

When user clickes "EDIT" I pop up a form with all the customer details.

I'd like to keep the "id=765" off of the browser address bar when the form
comes up. I could go to a different page, but I'd rather not. Is there a way
to "hide" or "change" the URL and strip off the "?id=xxx" part? Maybe using
the header() function?

I've looked and can't find a way to do this.

Thanks,
Al



Mon, 01 Aug 2005 01:37:58 GMT  
 Can I change a URL?

Quote:
> I'd like to keep the "id=765" off of the browser address bar when the form
> comes up. I could go to a different page, but I'd rather not. Is there a way
> to "hide" or "change" the URL and strip off the "?id=xxx" part? Maybe using
> the header() function?
> I've looked and can't find a way to do this.

Using POST-variables is not possible?

--

cold silence has a tendency to atrophy any sense of compassion  -- tool



Mon, 01 Aug 2005 01:40:46 GMT  
 Can I change a URL?
Using Apache ? Maybe you can use mod_rewrite:
put something like this in your .htaccess

Rewri{*filter*}gine On
RewriteRule ^formpopup(.*)\.html$ formpopup.php?id=$1
and then just change your link to <a href="formpopup765.html">,
and the server will go to formpopup.php?id=765, completely transparently
for the user.

more info:
http://www.*-*-*.com/

good luck! :)

--
                                 Jonathan Foucher




Mon, 01 Aug 2005 03:01:24 GMT  
 Can I change a URL?


Quote:
> I have a standard HTML table:

> John Jones  EDIT
> Mary Smith   EDIT

> The "EDIT" is a standard HTML link..... href "PHP_SELF?id=765 (whatever cust
> num is.)

> When user clickes "EDIT" I pop up a form with all the customer details.

> I'd like to keep the "id=765" off of the browser address bar when the form
> comes up. I could go to a different page, but I'd rather not. Is there a way
> to "hide" or "change" the URL and strip off the "?id=xxx" part? Maybe using
> the header() function?

> I've looked and can't find a way to do this.

One solution would be to POST the values, but then you need to use javascript:

    <? foreach($customers as $id){ ?>
        <a href="javascript:document.form.id.value=<?=$id?>;document.form.submit()">edit</a><br>
    <? } ?>

    <form name='form' action='<?=$PHP_SELF?>' method='post'>
        <input type='hidden' name='id' value=''>
    </form>

As you see, the form contains only a hidden input, that we change when we click
and then submit the form.

--
Sandman[.net]



Mon, 01 Aug 2005 02:33:04 GMT  
 Can I change a URL?


Quote:
> I'd like to keep the "id=765" off of the browser address bar when the form
> comes up. I could go to a different page, but I'd rather not. Is there a
way
> to "hide" or "change" the URL and strip off the "?id=xxx" part? Maybe
using
> the header() function?

you can hide it by POSTing to the editor page, by javascript you can
dissable the whole address bar, or you can use mod-rewrite to transform the
url. But none of those would improve your security, since the original item
url could be retrieved from the orignating page, or it could be figured-out
of the rewritten url.

You can use a sort of one-time pad stored in the session, i.e. while
generating list page you create a random one-time pad like this:

array(
 'dsf.sd..df' => 765,
 'XCD123' => 766,
..
);

and make links in the list page in the following form:

edit_item.php?otp=dsf.sd..df
edit_item.php?otp=XCD123

and store the one-time pad array into the session.

Then on the edit page, you would retrieve the one-time pad from the session,
otp from the url, and find your id from the otp-id mapping in the array.

But I see this only marginally more secure than solution you have discussed
in previous thread.

rush
--
http://www.templatetamer.com/



Mon, 01 Aug 2005 02:32:12 GMT  
 Can I change a URL?


Quote:
> I have a standard HTML table:

> John Jones  EDIT
> Mary Smith   EDIT

> The "EDIT" is a standard HTML link..... href "PHP_SELF?id=765 (whatever
cust
> num is.)

> When user clickes "EDIT" I pop up a form with all the customer details.

> I'd like to keep the "id=765" off of the browser address bar when the form
> comes up. I could go to a different page, but I'd rather not. Is there a
way
> to "hide" or "change" the URL and strip off the "?id=xxx" part? Maybe using
> the header() function?

> I've looked and can't find a way to do this.

Not sure I understand the question. If you truly want to keep it from
displaying in the *address bar*, simply use POST instead of GET for your form
method.

If you meant how to keep it from displaying in *status bar*, you need a mix
of PHP and Javascript to accomplish. For example:

echo "<a href=\"$_SERVER['PHP_SELF']?id=765\"
onFocus='window.status=\"$_SERVER['PHP_SELF']\";return true'
onMouseOver='window.status=\"$_SERVER['PHP_SELF']\";return true'
onMouseOut='window.status=\"\";return true'>EDIT</a>";

The onMouseOver event will cover the instance when user hovers link with
mouse.
The onFocus event will cover the instance when user clicks on link (or if not
using a mouse for navigation).

HTH!



Mon, 01 Aug 2005 02:46:34 GMT  
 Can I change a URL?

Quote:



>> I have a standard HTML table:

>> John Jones  EDIT
>> Mary Smith   EDIT

>> The "EDIT" is a standard HTML link..... href "PHP_SELF?id=765 (whatever
> cust
>> num is.)

>> When user clickes "EDIT" I pop up a form with all the customer details.

>> I'd like to keep the "id=765" off of the browser address bar when the form
>> comes up. I could go to a different page, but I'd rather not. Is there a
> way
>> to "hide" or "change" the URL and strip off the "?id=xxx" part? Maybe using
>> the header() function?

>> I've looked and can't find a way to do this.

> Not sure I understand the question. If you truly want to keep it from
> displaying in the *address bar*, simply use POST instead of GET for your
> form method.

This is not a form. It's a plain old HTML table:

<tr>
<td>Mary Jones</td><td><href:"someplace.php&id=127"<Edit>
</tr>
<tr>
<td>Joe Jones</td><td><href:"someplace.php&id=156"<Edit>
</tr>

When user clicks "Edit" when the "somplace.php" page loads in the address bar
of the browser will be the URL with the ID. I want to somehow erase the
id=156 part of the URL.

Maybe I should put a form with a form button inside the cell and set the
value to the user ID and then set a session variable before I send the
page??? That might work better.... except form submit buttons are so ugly.

ANC



Tue, 02 Aug 2005 00:02:40 GMT  
 Can I change a URL?

Quote:
> Maybe I should put a form with a form button inside the cell and set the
> value to the user ID and then set a session variable before I send the
> page??? That might work better.... except form submit buttons are so ugly.

<input type="image" src="prettybutton.gif">


Tue, 02 Aug 2005 00:26:35 GMT  
 Can I change a URL?

Quote:
> When user clicks "Edit" when the "somplace.php" page loads in the address bar
> of the browser will be the URL with the ID. I want to somehow erase the
> id=156 part of the URL.

To hide your get params you can wrap the whole page in a frameset.

editor.html
        <html>
        <frameset>
                <frame src="editor.php">
        </frameset>
        </html>

You will only get http://www.wherever.com/editor.html in the address
bar, not editor.php?my=sensitive&data=here



Tue, 02 Aug 2005 00:29:55 GMT  
 Can I change a URL?

Quote:

> To hide your get params you can wrap the whole page in a frameset.

> editor.html
> <html>
> <frameset>
> <frame src="editor.php">
> </frameset>
> </html>

> You will only get http://www.wherever.com/editor.html in the address
> bar, not editor.php?my=sensitive&data=here

I don't think the "sensitive" belongs in there, sensitive data has *nothing*
to do in the URL. EOD.

Andr N?ss



Tue, 02 Aug 2005 00:38:56 GMT  
 Can I change a URL?

Quote:
> I don't think the "sensitive" belongs in there, sensitive data has *nothing*
> to do in the URL. EOD.

True. If it goes to the browser then there's a way to find it. The other
option of POSTing the data still leaves it visible through 'view source'.

The only way to truly hide things like that is to keep them in sessions.
If you want to pass an id back like this then you have to collate a
table of ids and allocate a temporary random key to refer to it by.

Sometimes though you just want these things not to be too obvious. If
the end user has access to edit a customer record then it shouldn't
matter that they know the customer number.



Tue, 02 Aug 2005 01:13:35 GMT  
 Can I change a URL?


Quote:

> > Not sure I understand the question. If you truly want to keep it from
> > displaying in the *address bar*, simply use POST instead of GET for your
> > form method.

> This is not a form. It's a plain old HTML table:

OK, but you previously said:
Quote:
> >> When user clickes "EDIT" I pop up a form with all the customer details.

I understand what you mean now, but it *was* a bit misleading.

Quote:
> <tr>
> <td>Mary Jones</td><td><href:"someplace.php&id=127"<Edit>
> </tr>
> <tr>
> <td>Joe Jones</td><td><href:"someplace.php&id=156"<Edit>
> </tr>

> When user clicks "Edit" when the "somplace.php" page loads in the address
bar
> of the browser will be the URL with the ID. I want to somehow erase the
> id=156 part of the URL.

I don't believe it is possible to do what you want in PHP. If you are running
Apache, look into mod_rewrite:
http://httpd.apache.org/docs/mod/mod_rewrite.html
http://www.bignosebird.com/apache/a9.shtml

Quote:
> Maybe I should put a form with a form button inside the cell and set the
> value to the user ID and then set a session variable before I send the
> page??? That might work better.... except form submit buttons are so ugly.

I'm still not clear why obscuring this information from the address bar is so
important, since the user can still obtain the data via other methods (e.g.,
cache, browser history, status bar, source code). If you are going to revert
to the form method, then just POST the information as a hidden value, like
so:
<input type="hidden" name="ID" value="156">
Why make it more complex than it needs to be? The data will never appear in
the URL string, so you don't have to worry about masking it from the address
bar (though it will still be visible to anyone looking at your source, prior
to clicking the submit button).

As for "ugly" submit buttons, style them with CSS:
<input type="submit" value="Submit!" style="background: black; color: white;
font-size: 0.9em">
-or-
Here's a more elaborate one, using an image:
<input type="submit" value="Submit!" style="background-image: url('bg.jpg');
background-repeat: repeat; font-family: Arial, Helvetica, sans-serif;
font-style: italic; font-weight: bold">



Tue, 02 Aug 2005 01:18:15 GMT  
 
 [ 12 post ] 

 Relevant Pages 

1. Serial comm lib v.1.1 change URL !

2. URL Change

3. Change or URL and email

4. Mass change of all Warp 3 URL's to Warp 4 URLs

5. need help changing a url

6. Proximity Sensing and URL change

7. VRML URL changed

8. ANNOUNCE: VRML4Linux URL Change--

9. changing text when mouse is on url link

10. how to change the "url"-exposedField ?

11. Ada bindings URL change

12. MenuetOS tiny GUI OS, change of URL

 

 
Powered by phpBB® Forum Software