bplogan Posted November 2, 2007 Share Posted November 2, 2007 I am a novice to php. I am trying to make a feature so users of my site can update their profile infomation like phone number, email, etc. From the users main page, they click "edit my profile info" which is a link, the code for it is: <a href="editProfile.php?id=123"> (The 123 is their userID which gets passed from when they log in. This takes them to the editProfile.php page and shows them their current info in editable textboxes. Their info is fetched from a MySQL database based on the "id" passed from the link above. The problem is, that I can just type in the address bar, mysiteUrl/editProfile.php?id=456, and it will let me change the person who is user ID 456's profile info. For example if someone had the userID od 222, I could type "mySiteURL/editProfile.php?id=222" into my browser and change their info. So anyone can just type in a userID and change things. How can I stop this? Can I hide the "id=XXX" somehow, so it isn't visible? Or am I going about his completely wrong? Any help would be greatly appreciated!! Quote Link to comment Share on other sites More sharing options...
rajivgonsalves Posted November 2, 2007 Share Posted November 2, 2007 you must be having some sort of login before that so when a user logs in store the id in the Session and pick up the id from the session instead of get Quote Link to comment Share on other sites More sharing options...
bplogan Posted November 2, 2007 Author Share Posted November 2, 2007 Thanks! I'll give it a shot Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.