CloudSex13 Posted April 9, 2009
Hi, thanks for reading. I was inquiring what the best practice would be for the following scenario:
- I have a website with many different users, and each user has an account.
- Each user has the ability to create and edit their own notes.
- I don't want other users to be able to edit others' notes, but they can by simply changing the URL.
- The only current GET variables processed in the URL are ?noteid=1&what=edit
What would be the best method or practice (that's mostly simple, if at all) where I can prevent unauthorized users from editing other people's notes? All the best.
gffg4574fghsDSGDGKJYM Posted April 9, 2009
Make the page in POST instead of GET. Remove this URL/folder from crawlers in robots.txt. Test if the currently logged-in user is the creator/owner of the note; if not, redirect him to a profile or logout page, or show a message that he can't read/modify this note because he isn't the owner. On each page (and not only this one) you should always check first whether the user has the right to do what he is doing on the page. Hope it answers your question.
CloudSex13 (Author) Posted April 9, 2009
I gotcha. I mean, accounts are authenticated correctly and query results are generated according to whether accountid is equal to the username stored in the cookie. I was wondering if I should use a hidden input method, or a randomly generated md5 string as a variable, and if that variable isn't equivalent to the one stored in the user's account database at login, then he/she won't be able to edit? Any further suggestions?
EDIT: It would also have to be with GET, because the pages are stored within functions for the layout. Thanks though.
mrMarcus Posted April 9, 2009
Have the member's session id stored in the db when they log in. Then add the current session id to the URL, i.e. ?sid=<?php echo session_id(); ?> (will produce something like: c45fcbde91b00c8fcbb65c2310e0f2b1 .. I'm sure you know). Then test that session id generated in the URL against the one stored in the db when a member logs in, which is ultimately the session id of the member whose note is in question. Or something like that anyways. If they don't match, they get the boot.
CloudSex13 (Author) Posted April 9, 2009
Thanks man, that sounds like a great solution, actually. I was unaware you could do that with session id... Thanks!
gffg4574fghsDSGDGKJYM Posted April 9, 2009
I don't know how your mysql tables are done, but you should do something like that:
Table 1: user
  user.id int
  user.username varchar
  user.password varchar
  ....
Table 2: note
  note.id int
  note.content text
  note.creator_id int (contains the user.id who created the note)
  ...
On each page where you display/modify a note you should add: if logged user id (data coming from SESSION) user.id == note.creator_id (data coming from the POST/GET); if it doesn't match, redirect the user. You can't trust a POST or GET form, including a hidden field form. They are easy to change.
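One way to implement the owner check from the last reply, as a complete edit handler for the ?noteid=1&what=edit page. This is example code added here, not code from the thread or from either poster. It assumes a PDO connection in $pdo, the user and note tables sketched above (note.creator_id holding user.id), and that the login code stores the user's id in $_SESSION['user_id']; the session key name, the /login.php and /note.php paths, and the content field name are assumptions.

```php
<?php
// Added example (not from the thread): server-side owner check for a note edit page.
// Assumes: a PDO connection in $pdo, the `user` and `note` tables from the post above
// (note.creator_id references user.id), and that login stored the user's id in
// $_SESSION['user_id'] (the session key name is an assumption).
session_start();

/**
 * Load a note only if it belongs to the logged-in user.
 * Returns the note row, or null when it does not exist or is owned by someone else.
 * The ownership decision uses only server-side data: the session's user id and the
 * creator_id stored in the database, never a hidden field or a URL parameter.
 */
function loadOwnedNote(PDO $pdo, int $userId, int $noteId): ?array
{
    $stmt = $pdo->prepare('SELECT id, content, creator_id FROM note WHERE id = :id');
    $stmt->execute([':id' => $noteId]);
    $note = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($note === false || (int)$note['creator_id'] !== $userId) {
        return null; // same answer for "missing" and "not yours": no ownership oracle
    }
    return $note;
}

/** Update the note content, repeating the ownership check inside the UPDATE itself. */
function updateOwnedNote(PDO $pdo, int $userId, int $noteId, string $content): bool
{
    // The WHERE clause carries the owner condition, so the read check and the
    // write check cannot drift apart if one of them is later edited.
    $stmt = $pdo->prepare(
        'UPDATE note SET content = :content WHERE id = :id AND creator_id = :uid'
    );
    $stmt->execute([':content' => $content, ':id' => $noteId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// --- request handling for ?noteid=1&what=edit ---
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php'); // not logged in at all (path is an assumption)
    exit;
}
$userId = (int)$_SESSION['user_id'];

// Validate the id from the URL as a positive integer; reject anything else.
$noteId = filter_input(INPUT_GET, 'noteid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$what   = $_GET['what'] ?? 'view';
if ($noteId === false || $noteId === null) {
    http_response_code(400);
    exit('Bad note id');
}

// Every display or edit of a note goes through the owner check first.
$note = loadOwnedNote($pdo, $userId, $noteId);
if ($note === null) {
    http_response_code(403);
    exit('You do not have access to this note');
}

if ($what === 'edit' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $content = (string)($_POST['content'] ?? '');
    if (!updateOwnedNote($pdo, $userId, $noteId, $content)) {
        http_response_code(403);
        exit('Update refused');
    }
    header('Location: /note.php?noteid=' . $noteId); // path is an assumption
    exit;
}

// Otherwise render the note in the edit form; escape output before echoing it.
echo '<textarea name="content">'
   . htmlspecialchars($note['content'], ENT_QUOTES, 'UTF-8')
   . '</textarea>';
```

Because the decision rests on the session and on the creator_id row in the database, nothing the client can edit (the noteid in the URL, a hidden input, an md5 token carried in the form) changes the outcome: changing noteid to another user's note simply produces the 403 path. The page can still be reached via GET, as the original poster needs; only the comparison of session user id against note.creator_id matters.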