ccrevcypsys Posted April 8, 2008

So I have a site that allows employers to look at resumes and for people to submit applications (so it contains A LOT of private data), and there is a security issue. Now what happens is that if you go look at the resumes/applications you can change the header id (in the address bar, change a 90 to 92 and you can see the person's app with the 92). So just by logging in you can look at anyone's personal information. How can this be fixed? I am having a really hard time. Should I use gets and sessions or what?
discomatt Posted April 8, 2008

Validate the data and make sure only x user has permission to view y ids. If an out-of-range id is entered, report it. I'd like to get into more detail, but I don't know how your employer login system works.
haku Posted April 8, 2008

You are using $_GET right now, that is your problem. A session variable will be better.
ccrevcypsys Posted April 8, 2008

What would be the best way to use a db and record the sess data, then match it with that of the client's row in the client table?
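
The permission check discomatt describes, combined with the session-to-table matching asked about in the last post, as an added example that is not code from any poster in the thread. The table and column names, the `user_id` session key, and the rule that an application is visible only to its applicant and to the employer it was sent to are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: each application row records who submitted it and
// which employer it was submitted to. In-memory SQLite keeps the demo offline.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE applications (
        id INTEGER PRIMARY KEY, applicant_id INTEGER, employer_id INTEGER, body TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO applications VALUES
        (90, 7, 3, 'application of user 7'),
        (92, 8, 4, 'application of user 8')");
    return $db;
}

// Returns the row only if the logged-in user is its applicant or its employer.
// A missing row and a forbidden row both give null, so the response does not
// reveal which ids exist. Refused requests are written to the error log.
function fetchApplicationFor(PDO $db, int $userId, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        error_log("user $userId sent a malformed application id");
        return null;
    }
    // The ownership test is part of the query, so no unauthorised row is ever loaded.
    $stmt = $db->prepare('SELECT id, body FROM applications
        WHERE id = :id AND (applicant_id = :uid1 OR employer_id = :uid2)');
    $stmt->execute([':id' => $id, ':uid1' => $userId, ':uid2' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        error_log("user $userId was refused application $id");
        return null;
    }
    return $row;
}

// On the real page the id may still arrive in $_GET, but the user id is taken
// only from the session set at login:
//   fetchApplicationFor($db, $_SESSION['user_id'], $_GET['id']);
$db = demoDb();
var_dump(fetchApplicationFor($db, 7, '90'));    // user 7 asks for their own application
var_dump(fetchApplicationFor($db, 7, '92'));    // user 7 edits the id in the address bar
var_dump(fetchApplicationFor($db, 7, '92abc')); // id that is not an integer
```
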
This topic is now archived and is closed to further replies.