I'm restarting this post. I thought I was out of the woods, but not.

Here's the situation: in most of my update forms, which involve 1 record, passing a session variable, usually the user's ID, is enough. No URL param passing. Not so in two update forms I have where there are multiple records for each user. If I pass a session variable it only brings up the first record. So unless I am missing something, I must pass the record ID via a URL parameter.

That works just great, but the problem lies in the fact that all anyone would need to do is change recordID=1 to recordID=2 and they can see someone else's record, which is supposed to be confidential.

Now I've looked at sites like Monster, Amazon, eBay, and tried changing the recordID in the URL area, but it either ignores my change or kicks back an invalid ID. This is even if I remove the other IDs from the line.

So, I'm sure this has been dealt with more; I don't have the foggiest clue yet, though, how I can implement something that either hides, or prevents a user from going through records in the database by changing the id number.

Appreciate any suggestions or ideas.

Thank you,
Stuart

--- Stuart Felenstein <stuart4m@xxxxxxxxx> wrote:

> Turned out "hiding" the id wasn't necessary as the
> awaiting update page can grab the session ID.
> I wasn't thinking. Sorry
> Stuart
>
> --- John Holmes <holmes072000@xxxxxxxxxxx> wrote:
>
> > Stuart Felenstein wrote:
> > > I'm still confused over one aspect of URL parameters.
> > > As far as a form passing data back to the server, I
> > > understand about get, post and replace.
> > >
> > > Here is my problem.
> > > I have an update form. User is logged in to the
> > > system and needs to update whatever information.
> > > Right now I'm including in the link the user's ID, so
> > > when they arrive at the update page, their record will
> > > be displayed.
> > > The problem is all one has to do is change the ID
> > > number in the URL parameter in the update page and you
> > > can go to someone else's record.
> > >
> > > How do programmers generally get around this? I must
> > > be missing something.
> >
> > How do you identify the user once they are logged in? There should be
> > some way to relate the logged in user to valid records they can see.
> > Then, if they request an invalid record, you can show them an error
> > page. Hiding the ID isn't going to fix anything.
> >
> > --
> > ---John Holmes...
> >
> > Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
> >
> > php|architect: The Magazine for PHP Professionals - www.phparch.com
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
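
The check John Holmes describes in the thread above (relate the logged-in user to the records they may see, and show an error for anything else), as an added example that is not part of the original messages. The table name, column names and helper function names are assumptions; in a real page the user ID would come from the session set at login and the record ID from the recordID URL parameter.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table where every record has an owner.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT NOT NULL)');
$pdo->exec("INSERT INTO records VALUES (1, 10, 'Alice first'), (2, 10, 'Alice second'), (3, 20, 'Bob private')");

// The URL parameter is untrusted: accept a positive integer, otherwise null.
function parse_record_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Load a record only if it belongs to the logged-in user; null means "show the error page".
function fetch_owned_record(PDO $pdo, int $userId, $rawId): ?array
{
    $id = parse_record_id($rawId);
    if ($id === null) {
        return null;
    }
    // Ownership is part of the WHERE clause, so another user's ID matches zero rows.
    $stmt = $pdo->prepare('SELECT id, title FROM records WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The update must repeat the ownership test; checking only when the form is displayed is not enough.
function update_owned_record(PDO $pdo, int $userId, $rawId, string $title): bool
{
    $id = parse_record_id($rawId);
    if ($id === null) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE records SET title = :t WHERE id = :id AND user_id = :uid');
    $stmt->execute([':t' => $title, ':id' => $id, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed requests: user 10 is logged in; the strings stand in for $_GET['recordID'].
$userId = 10; // in a real page: the user ID stored in $_SESSION at login
foreach (['2', '3', 'abc'] as $requested) {
    $row = fetch_owned_record($pdo, $userId, $requested);
    echo "recordID=$requested: ", ($row === null ? 'invalid ID' : $row['title']), PHP_EOL;
}
var_dump(update_owned_record($pdo, $userId, '3', 'changed'));
```

A missing record and a record owned by someone else take the same path here, so the response does not reveal which IDs exist.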