Posted by Koncept on 01/28/07 23:25

In article <LcWdnYHH0PY3hSDYRVnzvA@telenor.com>, Jeff
<it_consultant1@hotmail.com.NOSPAM> wrote:

> Hey
>
> I'm developing a web site using PHP 5.2.0
>
> Users of this web site can register and create their own profile. Each user
> can also register their diary entries.. Here is the problem:
> index.php?mode=diary&id=1, a user can hack this URL to get access to another
> users diary -> then the user could modify the diary of another user, which
> is something I want to avoid.
>
> To avoid this I always make these checks on every web page
> if (!empty($_GET["id"])) {
> if (is_numeric($_GET["id"])) {
> //Here again I make another check based on the id and the users id...,
> if the resultset has a row, then this diary is registered on this user...
>
> That's a lot of code, I feel the code get clumsy by all these if test etc,
> but they are needed...
>
> But isn't there a better way of doing this?
>
> I've read about storing the id in the session, because the user cannot
> modify whats in the session object... I've spent days (my free time)
> thinking of how to implement that. On the left side of the web page, there
> are a list of diarys the user has created, clicking on one of them open that
> specific diary. But I don't know how accomplish this by using sesssion.
> Because when the user clicks on the link, then the id must be stored on the
> session object... and then again open the correct diary... (maybe this could
> be done if the url was just a link to a function which put the id into the
> session object and then opens the correct diary, I don't know how to call a
> function from a link).... I cannot have the id in the link (GET) and in the
> first few lines of php code in the web page put the id into the session
> object... that is as bad as my original suggestion -> the user can modify
> the url...
>
> Any suggestions?
>
> Jeff
>
>

If you are storing the user id in a session, then you don't have to
pass it ($id) in the URL at all because the user id value will persist
in the session superglobal.

<?php
// page one

session_start();

// Assume user logs in. You got through whatever routines necessary
// to get the ID and assign this value to a session variable ..

$_SESSION['uid'] = $theUsersID;
?>

<?php
// page two

session_start();

echo $_SESSION['uid'];

?>

--
Koncept <<
"The snake that cannot shed its skin perishes. So do the spirits who are
prevented from changing their opinions; they cease to be a spirit." -Nietzsche

[Back to original message]