
I'm trying to figure out how I can prevent giving access to other people's information.

I mean that I have a form, which can be editable.

When a person clicks the Edit button, they are instantly redirected to the next page:

bla-bla-bla/edit.php&id=1337

The problem is that I can just go to the address bar and change &id=1337 to &id=143 or &id=1943 and still access someone else's data.

This is the original code which does the displaying and editing:

Sorry for my English and thank you in advance.

user3655466
  • You can allow editing values for the same id of the user. Store it in session. Don't pass it through via URL. – Sougata Bose Jul 28 '14 at 08:32
  • `IF(SESSION.UID == GET.ID) { ALLOW EDITING } ELSE { NOT ACTUAL USER, DENY THEM }` (*pseudo code*) – Darren Jul 28 '14 at 08:33
  • Just another note: `elsif` must be before `else` and requires a condition. Also you are vulnerable to [SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – enricog Jul 28 '14 at 08:41

2 Answers


Maybe you should put the session var outside the string; e.g.:

Change:

$order = "SELECT * FROM table_name WHERE id = '$id' && owner = '$_SESSION['user']['username']' ";

for:

$order = "SELECT * FROM table_name WHERE id = '$id' AND owner = '".$_SESSION['user']['username']."' ";
lpg
  • Thanks, but now I have an error on the line where the 2nd elseif starts: `Parse error: syntax error, unexpected T_ELSE in /bla-bla-bla/ on line 61` – user3655466 Jul 28 '14 at 08:38
  • Replace "} elseif {" with "} if($row['id']) {"? Or something that is meaningful for your logic. – lpg Jul 28 '14 at 08:45
  • That didn't work for me. It started displaying even a fatal error lol. – user3655466 Jul 28 '14 at 08:53

If you're trying to just make the page editable for the current user, you could even just do away with the entire ID in the URL.

Change your page so that it checks if you are logged in (by using your $_SESSION variable). If logged in, retrieve and later save the data based on a combination of the $_SESSION['UserID'] and other $_SESSION variables to make sure the person is who they claim they are.

You won't need to add the ?id=123 in the URL at all this way.

Bjorn 'Bjeaurn' S
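One way to combine the advice in this thread (own the record via the session user, and use a prepared statement instead of string interpolation), as an added example that is not code from the question or either answer. It assumes an existing PDO connection in `$pdo`, the page's table `table_name` with columns `id` and `owner`, and a hypothetical `body` column that the form edits.

```php
<?php
// Added example, not code from the question or answers. Assumes an existing
// PDO connection in $pdo, the page's table `table_name` with columns id and
// owner, and a hypothetical `body` column that the form edits.
session_start();
// Load a record only if the logged-in user owns it. Both values are bound
// as parameters, so the input cannot change the shape of the query.
function loadOwnRecord(PDO $pdo, int $id, string $owner): ?array {
    $stmt = $pdo->prepare(
        'SELECT id, owner, body FROM table_name WHERE id = :id AND owner = :owner'
    );
    $stmt->execute([':id' => $id, ':owner' => $owner]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Save with the same ownership condition in the WHERE clause, so changing
// the id in the address bar updates nothing that is not yours.
function saveOwnRecord(PDO $pdo, int $id, string $owner, string $body): bool {
    $stmt = $pdo->prepare(
        'UPDATE table_name SET body = :body WHERE id = :id AND owner = :owner'
    );
    $stmt->execute([':body' => $body, ':id' => $id, ':owner' => $owner]);
    // 0 rows: not found or not owned (MySQL may also report 0 if unchanged)
    return $stmt->rowCount() === 1;
}

$owner = $_SESSION['user']['username'] ?? null;
if ($owner === null) {
    http_response_code(403);
    exit('Please log in.');
}
// Reject anything in ?id= that is not an integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id.');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = saveOwnRecord($pdo, $id, $owner, (string)($_POST['body'] ?? ''));
    http_response_code($ok ? 200 : 404);
    exit($ok ? 'Saved.' : 'Not found.');
}

$row = loadOwnRecord($pdo, $id, $owner);
if ($row === null) {
    http_response_code(404);   // same answer as for a non-existent id
    exit('Not found.');
}
echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
```

Returning the same 404 for "not yours" and "does not exist" means a changed id in the address bar reveals nothing about other users' records, which is the point raised in the question.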