On Mon, Aug 11, 2014 at 4:02 PM, dealTek <dealtek@xxxxxxxxx> wrote:
> Hi all,
>
> Assuming the following:
>
> - in your database you are using serial numeric IDs
> - with PHP you do a search query to get a number of items - then you
>   display the results in a loop on a web page list view.
> - then on each row you have an edit button for that item. Here, the link
>   is something like: editpage.php?id=<?php echo $record->getField('item_id'); ?>
> - now when you click to the edit page - it will do another query to get
>   all the item details and display an edit form - etc.
>
> Problem: In this case - anyone can simply change the URL id=xxx to any
> other number and it will make the page search for another item record.
>
> Q: HOW can we lock this down so as to prevent the above scenario and it is
> a more secure system?
>
> BTW: One method that we can use is to have a second field such as a random
> number field in the table data - then search for both - which people will
> have a hard time guessing like this link:
> editpage.php?id=<?php echo $record->getField('item_id'); ?>&random=<?php echo $record->getField('randomnum'); ?>
>
> ANY BETTER SUGGESTIONS to lock things down?
>
> --
> Thanks,
> Dave - DealTek
> dealtek@xxxxxxxxx
> [db-14]
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Are those IDs owned (each user has a set of IDs) or accessible by all?
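One way to close the hole described in the thread, as an added example that is not from either poster: scope the edit-page lookup to the logged-in user's own rows, so a tampered `id` finds nothing instead of someone else's record. It assumes a PDO connection in `$pdo`, the authenticated user's id in `$_SESSION['user_id']`, and an `items` table with `item_id` and `owner_id` columns (all assumptions, not from the thread).

```php
<?php
// Added example (not from the thread). Assumptions: $pdo is a PDO connection
// created by the application's bootstrap, $_SESSION['user_id'] holds the
// authenticated user's id, and table `items` has item_id, owner_id, name.
session_start();

// Load one item, but only if it belongs to the current user.
// Returns the row, or null when the row is missing OR owned by someone else;
// the caller cannot distinguish the two, so ids reveal nothing when probed.
function loadOwnItem(PDO $pdo, int $userId, int $itemId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT item_id, name FROM items
          WHERE item_id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $itemId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// Reject anything that is not a positive integer before it reaches SQL.
// The prepared statement already blocks injection; this just fails fast.
$itemId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($itemId === false || $itemId === null) {
    http_response_code(400);
    exit('Bad request');
}

$item = loadOwnItem($pdo, (int) $_SESSION['user_id'], $itemId);
if ($item === null) {
    // Same response whether the row does not exist or is not theirs.
    http_response_code(404);
    exit('Not found');
}

// Render the edit form; escape everything that came from the database.
echo '<form method="post" action="editpage.php?id=' . (int) $item['item_id'] . '">';
echo '<input name="name" value="'
    . htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8') . '">';
echo '<button type="submit">Save</button></form>';
```

The same owner-scoped WHERE clause must be repeated in the POST handler that saves the form and on any view or delete page, otherwise only the form display is protected. The random-number column from the original mail only makes ids harder to guess; it does not establish who is allowed to edit a row, whereas the ownership check does.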