Re: newbie: How to avoid URL hacks??

Posted by Jeff on 01/28/07 23:37

"Koncept" <user@unknown.invalid> wrote in message
news:280120071825523884%user@unknown.invalid...
> In article <LcWdnYHH0PY3hSDYRVnzvA@telenor.com>, Jeff
> <it_consultant1@hotmail.com.NOSPAM> wrote:
>
>> Hey
>>
>> I'm developing a web site using PHP 5.2.0
>>
>> Users of this web site can register and create their own profile. Each user
>> can also register their diary entries. Here is the problem:
>> index.php?mode=diary&id=1, a user can hack this URL to get access to another
>> user's diary -> then the user could modify the diary of another user, which
>> is something I want to avoid.
>>
>> To avoid this I always make these checks on every web page:
>> if (!empty($_GET["id"])) {
>>     if (is_numeric($_GET["id"])) {
>>         // Here again I make another check based on the id and the user's id...,
>>         // if the resultset has a row, then this diary is registered on this user...
>>     }
>> }
>>
>> That's a lot of code, I feel the code gets clumsy with all these if tests
>> etc, but they are needed...
>>
>> But isn't there a better way of doing this?
>>
>> I've read about storing the id in the session, because the user cannot
>> modify what's in the session object... I've spent days (my free time)
>> thinking of how to implement that. On the left side of the web page there
>> is a list of diaries the user has created, clicking on one of them opens that
>> specific diary. But I don't know how to accomplish this by using sessions.
>> Because when the user clicks on the link, then the id must be stored in the
>> session object... and then again open the correct diary... (maybe this could
>> be done if the url was just a link to a function which put the id into the
>> session object and then opens the correct diary, I don't know how to call a
>> function from a link).... I cannot have the id in the link (GET) and in the
>> first few lines of php code in the web page put the id into the session
>> object... that is as bad as my original suggestion -> the user can modify
>> the url...
>>
>> Any suggestions?
>>
>> Jeff
>>
>>
>
> If you are storing the user id in a session, then you don't have to
> pass it ($id) in the URL at all because the user id value will persist
> in the session superglobal.
>
> <?php
> // page one
>
> session_start();
>
> // Assume user logs in. You got through whatever routines necessary
> // to get the ID and assign this value to a session variable ..
>
> $_SESSION['uid'] = $theUsersID;
> ?>
>
> <?php
> // page two
>
> session_start();
>
> echo $_SESSION['uid'];
>
> ?>
>
> --
> Koncept <<
> "The snake that cannot shed its skin perishes. So do the spirits who are
> prevented from changing their opinions; they cease to be a
> spirit." -Nietzsche


Thanks, but I'm already storing the user id in the session object. It's the
diary id which is causing the problem. I have the diary id in the URL.

Any suggestions?

Jeff
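An added example (not posted by Jeff, Koncept or anyone else in the thread) of the "better way" Jeff is asking for: instead of repeating the empty/is_numeric/query checks on every page, the ownership check lives in one function that looks the diary up by its id AND by the user id already held in the session. A diary id tampered into the URL then simply returns no row, for reads and for writes alike. The table `diaries(id, user_id, title, body)`, the rows in it, and the function names are assumptions made for this example; it uses an in-memory SQLite database through PDO so it runs stand-alone, and the DSN would be swapped for the real MySQL connection.

```php
<?php
// Added example, not code from the thread. Assumed schema:
// diaries(id, user_id, title, body). Sample rows below are constructed.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');   // stand-in for the real MySQL DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE diaries (
        id      INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        title   TEXT NOT NULL,
        body    TEXT NOT NULL)');
    // Constructed sample data: diary 1 belongs to user 1, diary 2 to user 2.
    $ins = $db->prepare('INSERT INTO diaries (id, user_id, title, body) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 1, 'Alice, day one', 'Registered today.']);
    $ins->execute([2, 2, 'Bob, private',   'Nobody else should read this.']);
    return $db;
}

/**
 * Validate the id taken from the URL. Returns null for anything that is not a
 * positive integer ("2abc", "1.5", "-1", "", arrays), so junk never reaches
 * the query. FILTER_VALIDATE_INT is stricter than is_numeric(), which also
 * accepts "1e3" and " 1".
 */
function diaryIdFromRequest(array $get): ?int
{
    if (!isset($get['id']) || is_array($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * The authorization check itself. The row is selected by diary id AND by the
 * owner taken from the session, never by id alone, so another user's diary
 * yields no row. One function serves every page that shows a diary, so the
 * check cannot be forgotten on one of them.
 */
function loadOwnedDiary(PDO $db, int $diaryId, int $sessionUid): ?array
{
    $sel = $db->prepare('SELECT id, user_id, title, body FROM diaries WHERE id = ? AND user_id = ?');
    $sel->execute([$diaryId, $sessionUid]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Writes get the same rule: the UPDATE is scoped by owner, so an attempt to
 * modify a foreign diary touches zero rows and the caller can report failure.
 */
function updateOwnedDiary(PDO $db, int $diaryId, int $sessionUid, string $body): bool
{
    $upd = $db->prepare('UPDATE diaries SET body = ? WHERE id = ? AND user_id = ?');
    $upd->execute([$body, $diaryId, $sessionUid]);
    return $upd->rowCount() === 1;
}

// Demonstration: user 1 is logged in. The uid comes from the session
// (Koncept's $_SESSION['uid']); only the diary id comes from the URL.
$db  = connect();
$uid = 1;   // stands in for $_SESSION['uid']

foreach (['1', '2', '2abc', '-1'] as $raw) {           // '2' is the tampered URL
    $id    = diaryIdFromRequest(['id' => $raw]);        // stands in for $_GET
    $diary = $id === null ? null : loadOwnedDiary($db, $id, $uid);
    printf("id=%-5s -> %s\n", $raw,
        $diary === null ? 'not found (send a 404)' : 'ok: ' . $diary['title']);
}

// A forged edit of Bob's diary through a tampered URL changes nothing.
printf("update diary 2 as user 1: %s\n", updateOwnedDiary($db, 2, $uid, 'defaced') ? 'ok' : 'rejected');
printf("update diary 1 as user 1: %s\n", updateOwnedDiary($db, 1, $uid, 'edited')  ? 'ok' : 'rejected');
```

Two points worth noting. First, the database is the authority on who owns what, so there is no need to copy diary ids into the session to "protect" them; the session only needs the user id, and the ownership clause in every query does the rest. Second, answering a foreign id with the same "not found" page as a nonexistent id avoids telling an attacker which ids exist, and the prepared statement keeps the id check from doubling as the SQL-injection defence.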


