Posted by Gordon Burditt on 09/02/05 03:32
>So the master/detail link looks like this (127 as working locally)
>
>http://127.0.0.1/edityourlisting.php?theid=20
>
>Imagine listing 20 belongs to user Tom - he clicks that link above in his
>list of properties and up comes property 20 and he can change what he wants.
>
>However, I have now discovered that if Dick owns a property with the id
>of say 44, all Tom has to do is edit the url and change the 20 to 44 and
>hey presto, even though Tom has not listed property 44 which belongs to
>Dick he can edit Dick's property...hope you're following me.
If you don't check whether the user has the authority to edit
whatever record he's trying to edit *AT THE TIME THE CHANGE IS
SUBMITTED*, you're in deep doo-doo. This could be as simple as
adding a clause to the query:
UPDATE foo ... WHERE id = '$id' and owner = '$username'
^^^^^^^^^^^^^^^^^^^^^^^
where $id is a sanitized version from the URL (e.g. $id =
addslashes($_GET['id'])) and $username is what the user logged in
as, say, from $_SESSION. This affects no records not belonging to
the person logged in but does not provide an error message if they
try something nasty (and fail) unless you look at the number of
affected rows. Now, maybe your schema is much more complicated and
the owner isn't in the same table as the one the updates are for.
You still have some way to determine who's allowed to edit a record,
right?
There are other things you have to watch out for. Just because the
user had the authority to edit something when he brought the page
up DOESN'T mean he has the authority to edit it later (e.g. after
his account is cancelled for abuse). Generally, you shouldn't allow
editing deleted records (which might not have been deleted at the
time he started typing in edits), at least not without the user clearly
knowing that's what he's doing. Owners might change while someone
is logged in (even if it's only the admin fixing something manually).
And if his subscription has expired, you probably don't want to let
him edit records.
>I am half way there - I can make sure that when Tom is logged in he can
>only see a list of his software but I need to make it fool proof so that
>if Tom decides to be smart and changes a url then the webpage will come
>back and say 'Sorry Tom this is not your listing to edit' or something
>to that effect etc.
Your database schema presumably has some way to associate a listing
with the login of the owner. You didn't tell us what that is.
Check that it matches before actually doing the update in the
database.
>Can anyone point me in the direction of example php code for a master -
>detail setup that will also ensure that the ?theid=20 bit at the end of
>the link is only showable if it belongs to the person logged in?
Gordon L. Burditt
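The pattern from the reply above (ownership folded into the UPDATE's WHERE clause, the account re-checked at submit time, and the affected-row count used to detect a tampered id), as an added example that is not part of the original thread. It is written in Python with sqlite3 rather than the poster's PHP, uses bound parameters instead of addslashes(), and the users/listings tables and sample rows are a constructed fixture.

```python
import sqlite3


def make_db():
    """Constructed fixture: two active users, one listing each (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, active INTEGER)")
    con.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, owner TEXT, "
                "title TEXT, deleted INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("tom", 1), ("dick", 1)])
    con.executemany("INSERT INTO listings (id, owner, title) VALUES (?, ?, ?)",
                    [(20, "tom", "Tom's listing"), (44, "dick", "Dick's listing")])
    return con


def parse_id(raw):
    """Sanitize ?theid=... from the URL: accept digits only, else None."""
    return int(raw) if isinstance(raw, str) and raw.isdigit() else None


def update_listing(con, username, listing_id, new_title):
    """Apply an edit only if `username` (from the session) owns the record
    at the moment the change is submitted. Returns 'ok', 'forbidden' or 'inactive'."""
    # Re-check the account now, not when the edit form was first loaded:
    # a cancelled or expired account must not be able to finish an edit.
    row = con.execute("SELECT active FROM users WHERE name = ?", (username,)).fetchone()
    if row is None or not row[0]:
        return "inactive"
    # Ownership (and not-deleted) lives in the UPDATE itself, so a URL edited
    # from 20 to 44 simply matches nothing. Bound parameters replace addslashes().
    cur = con.execute(
        "UPDATE listings SET title = ? WHERE id = ? AND owner = ? AND deleted = 0",
        (new_title, listing_id, username))
    con.commit()
    # Zero affected rows is the only signal that the id was not his (or was
    # deleted/nonexistent); this is where to log and show "not your listing".
    return "ok" if cur.rowcount == 1 else "forbidden"
```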