doddsey_65 Posted April 2, 2010

I have a message system that I have just made on my site. When the user clicks on their message in their inbox it takes them to inbox.php?id=the id of the message, and this is displayed through the (isset($_GET['id'])) method. But what's to stop the user typing into the address bar inbox.php?id=22 or whatever? This would allow the user to see messages sent to and from other members. All they have to do is get lucky with the id. Is there any way to get around this?
mikesta707 Posted April 2, 2010

What does your query look like? What does your table look like? I assume each message has a to and from column. You could simply check in the query that id=$_GET['id'] AND user=$username, where $username is the currently logged in user (perhaps you store this value in a session when they log in? Well, if you don't, adding that functionality is trivial).
ialsoagree Posted April 2, 2010

There's nothing to stop a user from typing in any url they want. Since you can't prevent that, you need to code accordingly. Instead of just displaying the message if someone requests it, display the message only when it's requested by one of the message's recipients, or the person who sent the message. In other words, before you display the message, check to see if the user requesting the message is one of the people the message was to, or the person who sent the message. If it's not, display some kind of error, warn the user to stop trying to abuse the system, forward them to an index page, or whatever else you feel is appropriate.
ignace Posted April 2, 2010

Query with both $_GET['id'] and your $_SESSION stored user_id.
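One way to implement the check the three replies describe (mikesta707's "id=... AND user=..." in the query, ialsoagree's sender-or-recipient test, and ignace's $_SESSION user_id), written here as an added example rather than code from the thread. It assumes a messages table with sender_id and recipient_id columns and a $_SESSION['user_id'] set at login; the table, column names and sample rows are assumptions, and an in-memory SQLite database is used so the script runs by itself with php on the command line.

```php
<?php
// Added example, not from the thread. Assumes a `messages` table with
// columns id, sender_id, recipient_id, subject, body (assumed names) and
// that the logged-in user's id is stored in $_SESSION['user_id'] at login.
// Uses an in-memory SQLite database with constructed rows so it runs stand-alone.
declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (
        id INTEGER PRIMARY KEY,
        sender_id INTEGER NOT NULL,
        recipient_id INTEGER NOT NULL,
        subject TEXT NOT NULL,
        body TEXT NOT NULL
    )');
    // Constructed sample data: message 21 is user 1 -> user 2, message 22 is user 3 -> user 4.
    $db->exec("INSERT INTO messages VALUES
        (21, 1, 2, 'Hi', 'Message from user 1 to user 2'),
        (22, 3, 4, 'Private', 'Message between users 3 and 4')");
    return $db;
}

// The pattern the original poster is worried about: the row is selected by id
// alone, so any logged-in user who guesses an id can read it.
function loadMessageInsecure(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: the ownership condition is part of the query, so a row
// comes back only when the current user sent or received it. The id is bound
// as a parameter rather than interpolated into the SQL. Two placeholders are
// used for the user id because PDO without emulation does not allow reusing one.
function loadMessageForUser(PDO $db, int $id, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM messages
          WHERE id = :id
            AND (sender_id = :uid OR recipient_id = :uid2)'
    );
    $stmt->execute([':id' => $id, ':uid' => $userId, ':uid2' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What inbox.php would do with $_GET and $_SESSION (passed in as arrays here
// so the function can be exercised without a web server): require a login,
// validate the id, and answer "not found" both when the id does not exist and
// when it belongs to someone else, so the response does not confirm which ids are in use.
function handleInboxRequest(PDO $db, array $get, array $session): string
{
    if (!isset($session['user_id'])) {
        return 'Please log in.';
    }
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Bad request.';
    }
    $msg = loadMessageForUser($db, $id, (int) $session['user_id']);
    if ($msg === null) {
        return 'Message not found.';
    }
    // Escape on output so a message body cannot inject markup into the page.
    return htmlspecialchars($msg['subject'], ENT_QUOTES, 'UTF-8') . ': '
         . htmlspecialchars($msg['body'], ENT_QUOTES, 'UTF-8');
}

$db = buildDb();
// User 2 is logged in and opens a message sent to them.
echo handleInboxRequest($db, ['id' => '21'], ['user_id' => 2]), PHP_EOL;
// The same user tries the guessed id 22, which belongs to users 3 and 4.
echo handleInboxRequest($db, ['id' => '22'], ['user_id' => 2]), PHP_EOL;
// The id-only query would have handed that row to anyone.
var_dump(loadMessageInsecure($db, 22) !== null);
```

Putting the sender/recipient condition inside the WHERE clause, rather than fetching the row and then comparing in PHP, means there is no code path where the message is loaded before the check runs. Returning the same "not found" text for a missing id and for someone else's id keeps the page from acting as an oracle for which message ids exist; if you do want to log or warn on the second case, as ialsoagree suggests, that decision can be made server-side without changing what the user sees.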