|
Posted by Rik on 01/28/07 23:44
Jeff <it_consultant1@hotmail.com.NOSPAM> wrote:
>>> Here is the problem:
>>> index.php?mode=3Ddiary&id=3D1, a user can hack this URL to get acces=
s to
>>> another
>>> users diary -> then the user could modify the diary of another user,=
>>> which
>>> is something I want to avoid.
>>>
>>> To avoid this I always make these checks on every web page
>>> if (!empty($_GET["id"])) {
>>> if (is_numeric($_GET["id"])) {
>>> //Here again I make another check based on the id and the users=
>>> id...,
>>> if the resultset has a row, then this diary is registered on this =
>>> user...
>>>
>>> That's a lot of code, I feel the code get clumsy by all these if tes=
t
>>> etc,
>>> but they are needed...
>>>
>>> But isn't there a better way of doing this?
>> If you are storing the user id in a session, then you don't have to
>> pass it ($id) in the URL at all because the user id value will persis=
t
>> in the session superglobal.
> Thanks, but I'm already storing the user id in the session object. It'=
s =
> the
> diary id which are causing the problem. I have the diary id in the URL=
..
Well, like you said, you'll have to check wether that user(-id) is allow=
ed =
to see/alter that diary(-id). That shouldn't be a lot of code though.
-- =
Rik Wasmus
[Back to original message]
|