Restricting available url parameters
Archived from the Xataface Users forum.
tomhousley — Tue Apr 27, 2010 1:18 am
Hello,
Say I have a table consisting of companies called tbl_companies:
```
com_id com_companyname com_description com_status
```
I can access these by the URL parameters, e.g. example.com/index.php?-table=tbl_profiles&com_id=2
Is there a way to restrict people from using the other fields such as: example.com/index.php?-table=tbl_profiles&com_companyname=foo
I don’t necessarily want to restrict them from viewing the company name, I just want to restrict their ability to apply their own URL parameters.
Many thanks, Tom
PolderBoy — Wed Apr 28, 2010 1:03 am
Hello Tom,
Yes, you could use the function:
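```php
function init(&$table) {
    // Check for a com_companyname parameter on a request for tbl_profiles.
    if ( isset($_REQUEST['com_companyname']) and @$_REQUEST['-table'] == 'tbl_profiles' ) {
        // Set -table in both $_REQUEST and $_GET.
        $_REQUEST['-table'] = $_GET['-table'] = 'tbl_profiles';
    }
}
```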
You would place this function in ‘tbl_profiles.php’ and in the class ‘tables_tbl_profiles’.
This is not tested code, so there could be some errors in it.
But you get the drift. I hope.
PolderBoy
shannah — Tue May 04, 2010 8:58 am
I think PolderBoy is on the right track. If you place this code in the init() method, it will be called once when that particular table is loaded. However, this is a bit touchy because you still want some users (like the admin) to be able to use these parameters.
Why do you want to restrict users from searching on these parameters? There may be a better approach to achieve your security goals, but I’d need to know more about the goal in order to comment.
-Steve
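An allowlist version of the idea discussed in this thread, as an added example that is not part of the original posts and is not Xataface code: for non-admin users it drops every field filter except the permitted ones, which covers the admin case Steve raises. The function name, the `$isAdmin` flag, the per-table allowlist map and the rule that keys starting with `-` are control parameters (like `-table`) are assumptions; writing the result back to `$_GET`/`$_REQUEST` inside `init()` is left out.

```php
<?php
// Added example. All names here are hypothetical, not part of Xataface.

/**
 * Return a copy of $params with field filters removed unless allowlisted.
 * Assumption: keys starting with "-" are control parameters and are kept.
 */
function filter_query_params(array $params, array $allowedFields, bool $isAdmin): array
{
    if ($isAdmin) {
        return $params; // admins keep the ability to search on any field
    }
    $clean = [];
    foreach ($params as $key => $value) {
        $key = (string) $key; // PHP turns numeric-looking keys into ints
        if ($key !== '' && $key[0] === '-') {
            $clean[$key] = $value; // control parameter
        } elseif (in_array($key, $allowedFields, true) && is_string($value)) {
            $clean[$key] = $value; // permitted field filter, plain value only
        }
        // Everything else is dropped: unlisted fields and array-valued
        // filters such as com_id[]=2.
    }
    return $clean;
}

// Default deny: a table missing from this map gets no field filters at all.
$allowedByTable = ['tbl_profiles' => ['com_id']];

// Constructed sample requests, in the shape PHP would give them in $_GET.
$samples = [
    ['-table' => 'tbl_profiles', 'com_id' => '2'],
    ['-table' => 'tbl_profiles', 'com_companyname' => 'foo'],
    ['-table' => 'tbl_profiles', 'com_id' => ['2', '3']],
    ['-table' => 'tbl_other', 'com_id' => '2'],
];

foreach ($samples as $request) {
    $table  = is_string($request['-table'] ?? null) ? $request['-table'] : '';
    $fields = $allowedByTable[$table] ?? [];
    echo json_encode($request), ' => ',
         json_encode(filter_query_params($request, $fields, false)), "\n";
}
```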