Posted by Jeff on 01/28/07 21:42
I'm developing a web site using PHP 5.2.0
Users of this web site can register and create their own profile. Each user
can also register their diary entries. Here is the problem:
index.php?mode=diary&id=1, a user can hack this URL to get access to another
user's diary -> then the user could modify the diary of another user, which
is something I want to avoid.
To avoid this I always make these checks on every web page
    if (!empty($_GET["id"])) {
        if (is_numeric($_GET["id"])) {
            // Here again I make another check based on the id and the user's id...,
            // if the resultset has a row, then this diary is registered on this user...
        }
    }
That's a lot of code; I feel the code gets clumsy with all these if tests etc.,
but they are needed...
But isn't there a better way of doing this?
I've read about storing the id in the session, because the user cannot
modify what's in the session object... I've spent days (my free time)
thinking of how to implement that. On the left side of the web page, there
is a list of diaries the user has created; clicking on one of them opens that
specific diary. But I don't know how to accomplish this by using the session.
Because when the user clicks on the link, then the id must be stored in the
session object... and then again open the correct diary... (maybe this could
be done if the URL was just a link to a function which put the id into the
session object and then opened the correct diary, I don't know how to call a
function from a link).... I cannot have the id in the link (GET) and in the
first few lines of PHP code in the web page put the id into the session
object... that is as bad as my original suggestion -> the user can modify
the URL...
Any suggestions?
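The check the post describes, as an added example that is not the poster's code: the session only has to hold who the logged-in user is, and every read or write of a diary is scoped to that owner inside the SQL itself, so a tampered id in the URL simply matches no row. This is written for current PHP (7.1 or later, not the 5.2.0 the post mentions) and assumes a table diaries(id, user_id, title, body) and a logged-in user id kept in $_SESSION['user_id']; the in-memory SQLite database and the sample rows are constructed here so it runs offline.

```php
<?php
// Added example, not from the original post. Assumed schema:
// diaries(id, user_id, title, body); assumed session key: $_SESSION['user_id'].
// The SQLite database and rows below are constructed sample data.
declare(strict_types=1);

function openSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE diaries (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT, body TEXT)');
    $ins = $db->prepare('INSERT INTO diaries (id, user_id, title, body) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 10, 'Alice day 1', 'first entry']);   // user 10 owns diaries 1 and 2
    $ins->execute([2, 10, 'Alice day 2', 'second entry']);
    $ins->execute([3, 20, 'Bob day 1', 'bob entry']);       // user 20 owns diary 3
    return $db;
}

// Validate the raw id from the URL: it must be a positive integer, nothing else.
// FILTER_VALIDATE_INT is stricter than is_numeric(), which also accepts "1.5" and "1e3".
function parseDiaryId($raw): ?int {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch a diary only if it belongs to $userId. The WHERE clause carries the
// ownership check, so there is no separate "does it exist" / "is it mine" step,
// and the prepared statement keeps the id out of the SQL text.
function loadOwnDiary(PDO $db, int $userId, $rawId): ?array {
    $id = parseDiaryId($rawId);
    if ($id === null) {
        return null;
    }
    $st = $db->prepare('SELECT id, user_id, title, body FROM diaries WHERE id = ? AND user_id = ?');
    $st->execute([$id, $userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same rule for writes: the UPDATE is scoped to the owner, and a rowCount of 0
// means the diary is not theirs (or does not exist), so the edit is refused.
function updateOwnDiary(PDO $db, int $userId, $rawId, string $body): bool {
    $id = parseDiaryId($rawId);
    if ($id === null) {
        return false;
    }
    $st = $db->prepare('UPDATE diaries SET body = ? WHERE id = ? AND user_id = ?');
    $st->execute([$body, $id, $userId]);
    return $st->rowCount() === 1;
}

$db = openSampleDb();
// In the real page this would be: session_start(); $currentUser = (int)$_SESSION['user_id'];
$currentUser = 10;

// Constructed URL ids: own diary, someone else's diary, and three tampered values.
foreach (['1', '3', '3 OR 1=1', '-1', 'abc'] as $requested) {
    $diary = loadOwnDiary($db, $currentUser, $requested);
    printf("id=%-10s -> %s\n", $requested, $diary ? 'ok: ' . $diary['title'] : 'refused');
}
var_dump(updateOwnDiary($db, $currentUser, '3', 'hijack'));  // false: diary 3 belongs to user 20
var_dump(updateOwnDiary($db, $currentUser, '2', 'edited'));  // true: user 10 owns diary 2
```

On a real page the call is loadOwnDiary($db, (int)$_SESSION['user_id'], $_GET['id'] ?? null), and the list of diaries on the left can keep plain id links: the link only names the diary, the session says who is asking, and the query decides whether the two go together. Copying the id from the URL into the session would add nothing, because the ownership check, not the transport of the id, is what stops the user from opening someone else's diary.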