How to handle URL modification in PHP / MySQL


Problem description:

I am having a problem in understanding the security issues with the following scenario. I have a site that has user registration, and users can create events by logging in. If I am logged in as a user and I am on a URL like http://abc.com/index.php?page=edit&pageid=45, I see this page after logging in; otherwise it shows the login screen. But after logging in, if I change the URL from http://abc.com/index.php?page=edit&pageid=45 to http://abc.com/index.php?page=edit&pageid=567

I am able to edit that page, which is a security issue. How do I handle this? Is there a best way to handle any editing of the URL? Please guide me. Or how can I handle this via scripting, by checking something like the username and its association with the page IDs?

Please guide me.

I was thinking of something like not showing the pageid variable in the URL and somehow passing it as a hidden field from page 1 to page 2, but I don't know how to exactly do this or if it's a good solution at all.

Regards

I think it's fine passing the pageid in the URL. So the next thing is making sure the user can only edit their own page. What I would do is save the user's id in the table with the events.

Then on the edit page, when you get the event's information, you can check the user id (from the table) against the user id of the person logged in.

Something like this:

<?php
session_start();

// I don't know how your query works, but it would go here;
// it should fetch the event row (including its user_id) into $event_result.

// Then, before you output the edit form, add something like this:
if ($_SESSION['user_id'] == $event_result['user_id']) {
    // They match, show the form
} else {
    // They don't match, refuse the request
    http_response_code(403);
    echo 'Excuse me, what are you doing?';
}
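The ownership check described in this answer, worked through as an added example (not code from the original answers): the event is loaded with a prepared statement that binds both the requested pageid and the logged-in user's id, so a guessed id belonging to someone else is simply not found. The table and column names, and the in-memory SQLite database used to make it run stand-alone, are assumptions.

```php
<?php
// Added example: ownership check for index.php?page=edit&pageid=N.
// Table/column names are assumptions; SQLite in memory stands in for MySQL.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT)');
// Constructed sample data: event 45 belongs to user 7, event 567 to user 9.
$db->exec("INSERT INTO events (id, user_id, title) VALUES (45, 7, 'My event'), (567, 9, 'Someone else')");

// Returns the event row only if it exists AND is owned by $userId; null otherwise.
// Binding both conditions in one query means the response is identical for
// "no such event" and "not your event", so nothing leaks about other users' rows.
function loadOwnedEvent(PDO $db, int $userId, int $pageId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, title FROM events WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $pageId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Decides what the edit page should do for one request; returns a short status string.
function handleEditRequest(PDO $db, int $sessionUserId, string $rawPageId): string
{
    // Validate pageid as an integer before it gets anywhere near the query.
    $pageId = filter_var($rawPageId, FILTER_VALIDATE_INT);
    if ($pageId === false) {
        http_response_code(400);
        return 'invalid pageid (400)';
    }
    $event = loadOwnedEvent($db, $sessionUserId, $pageId);
    if ($event === null) {
        http_response_code(403);
        return 'denied (403)';
    }
    // Only now is it safe to render the edit form for this event.
    return "allowed, editing '" . htmlspecialchars($event['title'], ENT_QUOTES) . "'";
}

// Simulate the logged-in user (normally set at login from the users table).
$_SESSION['user_id'] = 7;

// The two URLs from the question, plus a non-numeric id.
foreach (['45', '567', 'abc'] as $requested) {
    echo "pageid=$requested: " . handleEditRequest($db, (int) $_SESSION['user_id'], $requested) . "\n";
}
```

Run from the command line it reports pageid=45 as allowed and pageid=567 as denied, which is exactly the URL change from the question being blocked server-side.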

One possibility is setting and using the $_SESSION variable to determine if a user is allowed to visit a certain page. Another possibility is to use POST instead of GET for your login form. Let me know if I can elaborate.

Edit:

<form method="get" action="login.php" name="form"></form>

vs

<form method="post" action="login.php" name="form"></form>

After login, you can set

 <?php $_SESSION['user_id'] = $user['id']; /* the logged-in user's id, as loaded from your users table */ ?>

and at the top of the page you are using, you can have a statement like

 <?php if ($_SESSION['user_id'] != $_POST['pageid']) { /* not valid */ } ?>