Turned out "hiding" the id wasn't necessary as the awaiting update page can grab the session ID. I wasn't thinking.

Sorry
Stuart

--- John Holmes <holmes072000@xxxxxxxxxxx> wrote:

> Stuart Felenstein wrote:
> > I'm still confused over one aspect of URL parameters.
> > As far as a form passing data back to the server, I
> > understand about get, post and replace.
> >
> > Here is my problem.
> > I have an update form. User is logged in to the
> > system and needs to update whatever information.
> > Right now I'm including in the link the user's ID, so
> > when they arrive at the update page, their record will
> > be displayed.
> > The problem is all one has to do is change the ID
> > number in the URL parameter in the update page and you
> > can go to someone else's record.
> >
> > How do programmers generally get around this? I must
> > be missing something.
>
> How do you identify the user once they are logged in? There should be
> some way to relate the logged in user to valid records they can see.
> Then, if they request an invalid record, you can show them an error
> page. Hiding the ID isn't going to fix anything.
>
> --
>
> ---John Holmes...
>
> Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
>
> php|architect: The Magazine for PHP Professionals - www.phparch.com

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
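The check discussed in this thread, as an added example that is not part of the original messages: the owner is taken from the session, and the ownership condition is enforced in both the read and the update query. The `profiles` table, its columns, the `user_id` session key and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite so the script runs offline.
// Table, column and session-key names are assumptions for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, city TEXT)');
$db->exec("INSERT INTO profiles VALUES (1, 10, 'Boston'), (2, 20, 'Denver')");

// Returns the validated integer id, or null if not logged in or malformed.
function requestedId(array $session, $rawId): ?int
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Read: the owner comes from the session, never from the URL.
function loadOwnedProfile(PDO $db, array $session, $rawId): ?array
{
    $id = requestedId($session, $rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, city FROM profiles WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Write: repeat the ownership condition in the UPDATE itself.
function updateOwnedProfile(PDO $db, array $session, $rawId, string $city): bool
{
    $id = requestedId($session, $rawId);
    if ($id === null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE profiles SET city = ? WHERE id = ? AND owner_id = ?');
    $stmt->execute([$city, $id, $session['user_id']]);
    return $stmt->rowCount() === 1;
}

$session = ['user_id' => 10];                            // stands in for $_SESSION after login
var_dump(loadOwnedProfile($db, $session, '1') !== null); // own record
var_dump(loadOwnedProfile($db, $session, '2') !== null); // someone else's record: show an error page
var_dump(updateOwnedProfile($db, $session, '2', 'Miami'));
```

If each user has exactly one record, the URL parameter can be dropped and the record selected by the session's user ID alone.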