phpSensei Posted August 17, 2007

I need help with a certain idea I have for confirmation of something in MySQL. It can either be registration confirmation, or comment confirmation. My idea works, but I do not know if this is the right way of doing it really...

I have a movie website where users can post a movie, but the movie needs confirmation. So in my database, I have a "confirmed" boolean row. If the row is "YES", this means the movie will be shown on the page, and no means it's still pending...

In my admin section, I have a list of movies where the confirmation row equals NO. So once I check that it isn't spam, I just update the confirmation row to a yes...

Is this correct, or will I suffer some security issues?

Link to comment: https://forums.phpfreaks.com/topic/65524-confirmation-idea/
MadTechie Posted August 17, 2007

Seems OK. Also, on all other SQL statements add AND confirmation_field = 'Yes'
Psycho Posted August 17, 2007

Not enough information here. Not really sure what you are getting at. The only security concerns would be to ensure that non-admin users cannot access the confirmation pages. This means you should validate the user on every page (i.e. they can't get around the login page by linking to one of the inner pages directly). And this also includes any processing pages that may not actually be "visible" pages.

For example, when you select movies to confirm you may then post the form to a processing page, which when done processing redirects to a page that lets you know the results. That processing page, which produces no HTML output, needs to ensure that someone can't post data to it directly (this is a low threat since someone would need to know what field names to use).

Also, you would want to ensure that the movies on your site cannot be directly linked to. Otherwise, it would be possible for someone to submit a movie to your site and then post links on the net to the "to be confirmed" video. In essence they would be using you for free hosting.
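Added example, not written by anyone in this thread: a sketch of the processing-page check described in the post above, together with the confirmed filter on public queries. The `movies` table, the `confirmed` column values, the `is_admin` and `csrf_token` session keys and the `movie_ids` form field are assumptions, and in-memory SQLite stands in for the MySQL database.

```php
<?php
// Added example. Table/column names, session keys and form fields are assumptions.
function confirm_movies(PDO $db, array $session, array $post): int
{
    // Authorize inside the processing page itself, not only on the admin list page.
    if (empty($session['is_admin'])) {
        throw new RuntimeException('forbidden');
    }
    // The posted token must match a non-empty token stored in the admin's session.
    $expected = $session['csrf_token'] ?? '';
    $token = $post['csrf_token'] ?? null;
    if (!is_string($expected) || $expected === ''
        || !is_string($token) || !hash_equals($expected, $token)) {
        throw new RuntimeException('bad token');
    }
    // Keep only all-digit ids and bind them; never build SQL from POST data.
    $ids = array_filter((array)($post['movie_ids'] ?? []),
        fn($v) => is_string($v) && ctype_digit($v));
    $stmt = $db->prepare("UPDATE movies SET confirmed = 'YES' WHERE id = ? AND confirmed = 'NO'");
    $changed = 0;
    foreach ($ids as $id) {
        $stmt->execute([(int)$id]);
        $changed += $stmt->rowCount();
    }
    return $changed;
}

function public_movies(PDO $db): array
{
    // Every public-facing query carries the confirmed filter.
    return $db->query("SELECT title FROM movies WHERE confirmed = 'YES' ORDER BY id")
        ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data; SQLite in memory stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, confirmed TEXT DEFAULT 'NO')");
$db->exec("INSERT INTO movies (title) VALUES ('First'), ('Second')");

$admin = ['is_admin' => true, 'csrf_token' => 'constructed-token'];
$post  = ['csrf_token' => 'constructed-token', 'movie_ids' => ['1', 'not-a-number']];

echo confirm_movies($db, $admin, $post), " movie(s) confirmed\n";
echo implode(', ', public_movies($db)), "\n";
try {
    confirm_movies($db, [], $post); // same POST sent without an admin session
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```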
phpSensei Posted August 17, 2007

The Movies Are Posted, and they link to another site... Good Point, though I am careful..