Safe Customer Data


dlf1987

I built an address book for customers and I realize now I'm not sure of the best way to allow the customer to edit/delete their addresses while stopping them from pulling/editing other customers' info.

Even if I use POST data only, they could still view the page source, see the address ID being posted to the next page and change it to see or edit someone else's data...

Should I encrypt the ID? Is that even good enough?

I'm using PHP/MySQL.

You would typically put the ID of the data being referenced on the end of the URL (?id=some_id_number) AND you would check on each page whether the current visitor has permission to operate on that ID (his ID is the same as the ID at the end of the URL).

So, if your login system has a $_SESSION['userid'] variable -

<?php
session_start(); // start/resume the session

// Cast the URL parameter to an integer so a value like "5abc" (or an array)
// cannot slip past a loose == comparison; a missing parameter becomes 0.
$requestedId = isset($_GET['id']) ? (int) $_GET['id'] : 0;

if (isset($_SESSION['userid']) && (int) $_SESSION['userid'] === $requestedId) {
    // the current logged in visitor OWNS the id being operated on

    // allow the visitor access to the operations on this page...

} else {
    // the current logged in visitor does not match the id being operated on,
    // just let him view the data or redirect him somewhere else on the site
}
?>

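The reply above checks ownership for a record whose ID is the user's own ID. The original question is about address rows that belong to a customer, so the check has to happen in the database query itself. The following is an added example, not code from either post in this thread. It assumes an `addresses` table with columns `id`, `customer_id` and `street`, a session key `userid` as in the reply, and uses an in-memory SQLite database (PDO with the pdo_sqlite extension) in place of MySQL so it runs offline; the SQL is the same on MySQL.

```php
<?php
// Added example (not from the original thread). Assumed schema: an `addresses`
// table with columns id, customer_id, street. Session key `userid` follows the
// reply above. SQLite in memory stands in for MySQL so the script runs offline.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE addresses (
        id INTEGER PRIMARY KEY,
        customer_id INTEGER NOT NULL,
        street TEXT NOT NULL
    )');
    // Constructed sample rows: address 1 belongs to customer 1, address 2 to customer 2.
    $pdo->exec("INSERT INTO addresses (id, customer_id, street) VALUES
        (1, 1, '10 First Street'),
        (2, 2, '20 Second Street')");
    return $pdo;
}

// Every read is scoped to the logged-in customer: the WHERE clause, not the
// caller, decides whether the row is visible. An address owned by someone else
// looks exactly like an address that does not exist.
function loadAddress(PDO $pdo, int $customerId, int $addressId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, customer_id, street FROM addresses WHERE id = ? AND customer_id = ?'
    );
    $stmt->execute([$addressId, $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same pattern for writes: rowCount() is 0 when the address is not ours,
// so a tampered address id changes nothing.
function updateAddress(PDO $pdo, int $customerId, int $addressId, string $street): int
{
    $stmt = $pdo->prepare('UPDATE addresses SET street = ? WHERE id = ? AND customer_id = ?');
    $stmt->execute([$street, $addressId, $customerId]);
    return $stmt->rowCount();
}

function deleteAddress(PDO $pdo, int $customerId, int $addressId): int
{
    $stmt = $pdo->prepare('DELETE FROM addresses WHERE id = ? AND customer_id = ?');
    $stmt->execute([$addressId, $customerId]);
    return $stmt->rowCount();
}

// Request handling: the address id comes from the client and is untrusted;
// the customer id comes only from the server-side session, never from the form.
function handleEdit(PDO $pdo, array $session, array $post): string
{
    if (!isset($session['userid'])) {
        return 'not logged in';
    }
    $customerId = (int) $session['userid'];
    $addressId  = isset($post['address_id']) ? (int) $post['address_id'] : 0;
    $street     = isset($post['street']) ? trim((string) $post['street']) : '';

    if ($addressId <= 0 || $street === '') {
        return 'bad request';
    }
    $changed = updateAddress($pdo, $customerId, $addressId, $street);
    return $changed === 1 ? 'updated' : 'address not found';
}

$pdo = connect();

// Customer 1 edits their own address.
echo handleEdit($pdo, ['userid' => 1], ['address_id' => 1, 'street' => '11 First Street']), "\n";

// Customer 1 tampers with the hidden field and submits address_id=2 (customer 2's row).
echo handleEdit($pdo, ['userid' => 1], ['address_id' => 2, 'street' => 'hijacked']), "\n";

// Customer 2 tries to delete customer 1's address; the row survives.
echo 'rows deleted: ', deleteAddress($pdo, 2, 1), "\n";

// Customer 2's own address is unchanged by the tampered request above.
echo loadAddress($pdo, 2, 2)['street'], "\n";
```

Run it with `php example.php`. The point is that `customer_id` in the WHERE clause is filled from the session on every SELECT, UPDATE and DELETE, so it does not matter what address ID the browser sends. Encrypting or obfuscating the ID is not a substitute: an attacker who registers two accounts can copy the opaque value from one and submit it from the other, and only the server-side ownership check stops that.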