ccrevcypsys Posted April 8, 2008

So I have a site that allows employers to look at resumes and for people to submit applications (so it contains A LOT of private data), and there is a security issue. Now what happens is that if you go look at the resumes/applications you can change the header id (in the address bar, change a 90 to a 92 and you can see the person's app with the 92). So therefore, just by logging in, you can look at anyone's personal information. How can this be fixed? I am having a really hard time. Should I use GETs and sessions, or what?
discomatt Posted April 8, 2008

Validate the data and make sure only user x has permission to view ids y. If an out-of-range id is entered, report it. I'd like to get into more detail, but I don't know how your employer login system works.
haku Posted April 8, 2008

You are using $_GET right now; that is your problem. A session variable will be better.
ccrevcypsys (Author) Posted April 8, 2008

What would be the best way to use a db and record the session data, then match it with that of the client's row in the client table?
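The pattern discomatt describes (check that the logged-in employer may view the requested id, and report attempts that fail) and the question above about matching session data against a database row come together in the following PHP example. It is added here and is not code from anyone in the thread. The schema is an assumption made for illustration: employers post jobs, and each application belongs to a job, so ownership is resolved with a join. The sample rows are constructed, and the database is an in-memory SQLite instance through PDO (assumes the pdo_sqlite extension) so the script runs offline; in a real deployment the DSN would point at the site's database and `$session`/`$query` would be `$_SESSION`/`$_GET`. The application id is still taken from the URL; what changes is that the session supplies the employer's identity and the query refuses to return a row the employer does not own.

```php
<?php
// Added example (not from the thread): ownership check for an application/resume page.
// Assumed schema: employers own jobs, applications belong to jobs. All names are hypothetical.
declare(strict_types=1);

function openDemoDb(): PDO
{
    // Constructed sample data in an in-memory SQLite database so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, employer_id INTEGER NOT NULL)');
    $db->exec('CREATE TABLE applications (
                   id INTEGER PRIMARY KEY,
                   job_id INTEGER NOT NULL REFERENCES jobs(id),
                   applicant_name TEXT NOT NULL,
                   phone TEXT NOT NULL)');
    $db->exec('INSERT INTO jobs VALUES (1, 10), (2, 20)');
    $db->exec("INSERT INTO applications VALUES
                   (90, 1, 'Alice Example', '555-0100'),
                   (91, 1, 'Bob Example',   '555-0101'),
                   (92, 2, 'Carol Example', '555-0102')");
    return $db;
}

// VULNERABLE: trusts the id from the URL and nothing else (the bug described in the thread).
function loadApplicationInsecure(PDO $db, int $appId): ?array
{
    $stmt = $db->prepare('SELECT * FROM applications WHERE id = ?');
    $stmt->execute([$appId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the id may still come from $_GET, but a row is returned only if it belongs
// to a job posted by the employer whose id the login code stored in the session.
function loadApplicationForEmployer(PDO $db, int $employerId, int $appId): ?array
{
    $stmt = $db->prepare(
        'SELECT a.*
           FROM applications a
           JOIN jobs j ON j.id = a.job_id
          WHERE a.id = ? AND j.employer_id = ?'
    );
    $stmt->execute([$appId, $employerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handler: requires a logged-in employer, validates the id, and treats "not found"
// and "not yours" identically so the URL cannot be used to enumerate which ids exist.
function handleViewApplication(PDO $db, array $session, array $query): array
{
    if (!isset($session['employer_id'])) {
        return ['status' => 401, 'body' => 'Please log in.'];
    }
    $appId = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($appId === false) {
        return ['status' => 400, 'body' => 'Bad application id.'];
    }
    $row = loadApplicationForEmployer($db, (int) $session['employer_id'], $appId);
    if ($row === null) {
        // Report the attempt, as suggested above, without telling the client whether the id exists.
        error_log(sprintf('employer %d requested application %d they may not view',
                          $session['employer_id'], $appId));
        return ['status' => 404, 'body' => 'Application not found.'];
    }
    return ['status' => 200, 'body' => $row];
}

// Demo: employer 10 is logged in; id 90 is theirs, id 92 belongs to employer 20.
$db = openDemoDb();
$session = ['employer_id' => 10];   // what the login code would store in $_SESSION
foreach (['90', '92', 'abc'] as $id) {
    $r = handleViewApplication($db, $session, ['id' => $id]);
    printf("GET ?id=%-4s -> %d %s\n", $id, $r['status'],
           is_array($r['body']) ? $r['body']['applicant_name'] : $r['body']);
}

// Contrast: the insecure lookup hands Carol's row to anyone who types id=92.
$leak = loadApplicationInsecure($db, 92);
printf("insecure lookup of 92 -> %s\n", $leak['applicant_name']);
```

The ownership condition lives in the SQL `WHERE` clause rather than in a PHP `if` after the fetch, so there is no code path that loads someone else's row and then forgets to check it; every page that reads applications should go through a function like `loadApplicationForEmployer` and never through a plain `WHERE id = ?`.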