
Zend Framework - Secure way to pass parameter from view to controller

I have used Zend Framework for nearly 3 months and I'm searching for a method to pass parameters from the view to the controller in a secure way. I prefer to pass the parameters like the $_POST method, but I don't want to use forms. Is there any method to use in ZF? I only know the url() method, but I don't know if this method works well for passing important data to the controller.

HTTP is a stateless protocol and you can basically choose from four solutions to preserve information between requests (as this is, I think, what you are trying to do, isn't it?):

  • Query string
  • Hidden elements in forms
  • Cookie
  • Session

Session would be the safest. In ZF you have the Zend_Session component to help you with session management.

As far as sending POSTs without a form, it is rather difficult. Have a look at: Zend Framework: How to POST data to some external page (eg external payment gate) without using form? However, if you only want to send POST data, then you could do it in PHP using cURL.

I think you might be looking for Session variables.

You want to send something that can't be seen from the URL into the next request, right? Session is ideal for that.

Update:

I read your question as: "There is this variable in page, that somehow changes. I want the user to send it to the server, but it should not appear in the URL. But without using forms."

There is no way to initiate a POST request (like letting the user post a password or something like that) from a browser without forms or a JavaScript AJAX call. To send some data via POST you can use Zend_Http_Client(), but that's done server-side and you still need to make a GET request first.

May I ask how you would implement it using GET? That would help us to understand what exactly you'd like to do.

And the last idea:

I'm searching for a method to pass parameters from the view to the controller in a secure way

JUST BECAUSE IT'S NOT IN THE URL DOESN'T MEAN IT'S SECURE! :)

I think what you can use is a digest key.

The method has nothing to do with security: whether GET, POST, cookies or session, a person on the client side can manipulate the params.

Example:

mywebsite.com/widget.php?id=1234&action=delete

A person can change the GET param id and delete whatever they want. Obviously, your controller should implement Auth and perhaps an ACL, for authentication and authorisation, but this still won't prevent URL tampering. For example, what's to stop Bob logging in and altering a URL to edit John's widget?

You generate a digest key by concatenating the params into a string:

1234 + password = "1234password", then generate the MD5 of the result = d5b1ee4b463dc7db3b0eaaa0ea2cb5b4

Pass this along in the URL.

mywebsite.com/widget.php?id=1234&action=delete&mac=d5b1ee4b463dc7db3b0eaaa0ea2cb5b4

Inside widget.php you can use the same formula to calculate the digest key and check to see if it matches. If they attempt to change the id to, say, 4567, the MD5 result would be 09fef3620249f28ae64adc23bded949, so you can deny the request.

If you have more than one param on your URI, string them together, add the password and generate an MD5 or SHA1.
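The signed-URL idea from the answer above, worked through as an added example (not code from the answer, the question, or Zend Framework; it is written in Python rather than PHP because the scheme does not depend on the framework). `legacy_digest` reproduces the answer's recipe literally: join the parameter values, append the password, MD5. `sign_params`/`verify_query` are the hardened form a practitioner would deploy instead: the parameters are serialised in a fixed, delimited order so that two different parameter sets can never produce the same input, the tag is an HMAC-SHA256 keyed with a server-side secret rather than a plain hash of a concatenation, and the comparison is constant-time. The secret, parameter names and the `mac` query key are assumptions chosen for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode

# Constructed secret for this example only; a real deployment loads it from
# configuration outside the code base and never ships it to the client.
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def legacy_digest(params: Dict[str, str], password: str) -> str:
    """The recipe from the answer: concatenate the values, append the password, MD5.

    Kept here to show its weakness: with no delimiter between values, the
    pairs {"id": "12", "action": "3"} and {"id": "1", "action": "23"} both
    digest "123" + password, so a different request carries a valid digest.
    """
    joined = "".join(params.values()) + password
    return hashlib.md5(joined.encode()).hexdigest()


def canonical_query(params: Dict[str, str]) -> str:
    """Serialise parameters as a sorted, percent-encoded query string.

    Sorting makes the client and the server produce byte-identical input no
    matter which order the parameters appear in; urlencode delimits each
    key/value pair so values cannot run into one another.
    """
    return urlencode(sorted(params.items()))


def sign_params(params: Dict[str, str], secret: bytes = SERVER_SECRET) -> str:
    """Return the query string with an HMAC-SHA256 tag appended as 'mac'."""
    body = canonical_query(params)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "&mac=" + tag


def verify_query(query: str, secret: bytes = SERVER_SECRET) -> Optional[Dict[str, str]]:
    """Return the parameters if the tag is valid, otherwise None.

    The controller recomputes the tag over everything except 'mac' and
    compares with hmac.compare_digest so a byte-by-byte early exit does not
    leak how much of the tag matched.
    """
    items = dict(parse_qsl(query, keep_blank_values=True))
    presented = items.pop("mac", None)
    if presented is None:
        return None
    expected = hmac.new(secret, canonical_query(items).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return None
    return items


if __name__ == "__main__":
    # Constructed request matching the answer's widget example.
    signed = sign_params({"id": "1234", "action": "delete"})
    print("signed query:", signed)
    print("untampered  :", verify_query(signed))
    print("id changed  :", verify_query(signed.replace("id=1234", "id=4567")))
    print("legacy ambiguity:",
          legacy_digest({"id": "12", "action": "3"}, "pw")
          == legacy_digest({"id": "1", "action": "23"}, "pw"))
```

Two points worth keeping in mind when using this in a controller: the tag only proves that the server itself produced these exact parameters, so if the action must be tied to a particular user or must expire, put the user identifier and an expiry timestamp inside the signed parameters and check them after verification; and parse the query with the same routine the signature was computed over, since a framework that reads the first of two duplicate `id` values while the verifier reads the last would be checking a different request than the one it executes.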
