Basic Web Functionality - Security Question

Hi all,

Assuming the following:


- in your database you are using serial numeric IDs
- with php you do a search query to get a number of items - then you display the results in a loop on a web page list view.
- then on each row you have an edit button for that item. Here, the link is something like: editpage.php?id=<?php echo $record->getField('item_id'); ?>
- now when you click to the edit page - it will do another query to get all the item details and display an edit form - etc.


Problem: In this case - anyone can simply change the url id=xxx to any other number and it will make the page search for another item record.


Q: HOW can we lock this down so as to prevent the above scenario and make it a more secure system?

BTW: One method that we can use is to have a second field such as a random number field in the table data - then search for both - which people will have a hard time guessing, like this link: editpage.php?id=<?php echo $record->getField('item_id'); ?>&random=<?php echo $record->getField('randomnum'); ?>

ANY BETTER SUGGESTIONS to lock things down?
  

--
Thanks,
Dave - DealTek
dealtek@xxxxxxxxx
[db-14]


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
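The scenario above (a guessable `id=` parameter that the edit page trusts) is what is usually called an insecure direct object reference. An unguessable second field, as the post suggests, only hides records; the check a defender wants is server-side authorization, where the edit page asks the database for the item only if it belongs to the logged-in user. The following is an added example, not code from the original post or from the poster's application; it assumes a PDO/MySQL backend with an `items` table carrying an `owner_id` column, a PHP session holding `user_id`, and a placeholder DSN (the poster's `$record->getField()` API is not used here).

```php
<?php
// Added example: authorize on the server instead of relying on an unguessable id.
// Assumptions (not from the original post): PDO + MySQL, a table "items" with
// columns item_id, owner_id, title, body, and $_SESSION['user_id'] set at login.
session_start();

function loadEditableItem(PDO $db, int $itemId, int $currentUserId): ?array
{
    // Ownership is part of the query: a row belonging to another user is simply
    // not found, so there is no separate "fetch, then compare" step to forget.
    $stmt = $db->prepare(
        'SELECT item_id, owner_id, title, body FROM items
          WHERE item_id = :id AND owner_id = :uid'
    );
    $stmt->execute([':id' => $itemId, ':uid' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// editpage.php: require a login, validate the id, then load with the ownership check.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// FILTER_VALIDATE_INT returns false for "abc", "1 OR 1=1" etc. and null when absent.
$itemId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($itemId === false || $itemId === null) {
    http_response_code(400);
    exit('Bad request');
}

// Placeholder DSN and credentials; replace with the application's own.
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$item = loadEditableItem($db, $itemId, (int) $_SESSION['user_id']);
if ($item === null) {
    // Same response whether the item does not exist or belongs to someone else,
    // so changing id=xxx in the URL reveals nothing about other records.
    http_response_code(404);
    exit('Not found');
}

// ... render the edit form for $item with htmlspecialchars() on every value.
// Run the same loadEditableItem() check again in the POST handler that saves
// the edit: the form is not the only way a client can submit an update.
```

The same pattern extends to roles (for example, an administrator may pass a wider condition), but the principle is unchanged: the record is fetched with the caller's identity in the WHERE clause, never by id alone.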





