Reply to Re: newbie: How to avoid URL hacks??

Posted by Don Freeman on 01/29/07 18:35

"Jeff" <it_consultant1@hotmail.com.NOSPAM> wrote in message
news:LcWdnYHH0PY3hSDYRVnzvA@telenor.com...
> Hey
>
> I'm developing a web site using PHP 5.2.0
>
> Users of this web site can register and create their own profile. Each
> user can also register their diary entries. Here is the problem:
> index.php?mode=diary&id=1, a user can hack this URL to get access to
> another user's diary -> then the user could modify the diary of another
> user, which is something I want to avoid.
>
> To avoid this I always make these checks on every web page
> if (!empty($_GET["id"])) {
> if (is_numeric($_GET["id"])) {
> //Here again I make another check based on the id and the user's id...,
> // if the resultset has a row, then this diary is registered on this user...
>

Have you tried using POST instead of GET? That way you don't put the passed
variables in the URL.

--
-Don
Ever had one of those days where you just felt like:
http://cosmoslair.com/BadDay.html ?
(Eating the elephant outside the box, one paradigm at a time)
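
The ownership check described in the quoted question, written out as an added example that is not part of the original thread or either poster's code. The `diary` table, its columns, the sample rows and `loadOwnedDiary()` are assumptions, and it targets PHP 7.1+ with the pdo_sqlite extension rather than the PHP 5.2.0 mentioned above. Because the comparison uses the logged-in user's id held server-side, the result is the same whether the id arrives by GET or POST.

```php
<?php
// Added example; schema, sample rows and loadOwnedDiary() are assumptions.

// Return the diary row only if $rawId is a plain positive integer AND the
// row belongs to $sessionUserId; otherwise null (caller answers 403/404).
function loadOwnedDiary(PDO $db, $rawId, int $sessionUserId): ?array
{
    // Stricter than is_numeric(): rejects values such as "1e3" or "1.5",
    // and arrays (e.g. a request sending id[]=1).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the WHERE clause, so another user's id yields no row.
    $stmt = $db->prepare(
        'SELECT id, user_id, body FROM diary WHERE id = :id AND user_id = :uid'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $sessionUserId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE diary (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)');
$db->exec("INSERT INTO diary (id, user_id, body) VALUES (1, 10, 'alice entry')");
$db->exec("INSERT INTO diary (id, user_id, body) VALUES (2, 20, 'bob entry')");

// In a real page this comes from $_SESSION after login, never from the request.
$sessionUserId = 20;

// Constructed request values: own entry, someone else's entry, malformed ids.
foreach (['2', '1', '1e3', 'abc', ['1']] as $requested) {
    $row = loadOwnedDiary($db, $requested, $sessionUserId);
    printf("%-8s => %s\n", json_encode($requested), $row ? 'allowed' : 'denied');
}
```

The same function has to guard every action on a diary entry (view, edit, delete), since each of them receives the id from the client.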
