0

Hi,

I have used Dreamweaver to create my PHP/MySQL data-driven site.

I have managed to secure the site with it and generate my pages.

The problem is that users should only see their own clients, which works on the results page. However, if, say, UserID 1 had a client registered to him with ClientID 2, and UserID 2 then wanted to view it, all he has to do is change the URL in his browser to clients_Detail.php?ClientID=2 and it brings it up.

Is there a way to encrypt the URL? Add it at the top of my details page?

I have seen base64 mentioned on some forums, but it looks not that secure. Or would it do the job?

Appreciate anyone's help.

0

Well, really an ID couldn't truly be encrypted into a URL. There's always someone who will figure it out.

What you should be doing is a check in your PHP / MySQL query to see if the ID exists for the user.

So here's a scenario:

One user has an ID of 1.
They have 2 clients with IDs of 5 and 6.

Another user has the ID of 2,
with 2 more clients with IDs of 7 and 8.

In your query, you could do something similar to this:
"SELECT * FROM clients WHERE user_id = $user_id AND client_id = $client_id"

If no results show up, display an error like "No Client Found".
This way, no one can find a client's details simply by changing the URL.

0

Thanks for your help. Could I do this with 2 access groups?

I have an admin and a users group. The users would only see the clients that are equal to their userid, but admin should see them all?

Thanks again.

0

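When someone logs in to your system, determine the access level and store it in a session variable.
Then wherever you are querying your database, you may write the following code.

// $user_id and $client_id must already be integers (e.g. cast with (int)) before they are placed in the query
if ($_SESSION['accesslvl'] == 1) // for example, 1 is for admin; == compares, a single = would assign
      $query = "SELECT * FROM clients WHERE client_id = $client_id";
else // otherwise, only the logged-in user's own clients
      $query = "SELECT * FROM clients WHERE user_id = $user_id AND client_id = $client_id";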

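The ownership check and the admin exception described in the replies above, put together as an added example that is not code from any post in this thread. It goes one step further than the posts by using PDO prepared statements instead of interpolating variables into the SQL string; the `user_id` session key, the `fetch_client` helper and the in-memory SQLite rows are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts above; the 'user_id' session key and the sample rows are assumptions.

function fetch_client(PDO $db, array $session, $rawClientId): ?array
{
    // Reject anything that is not a plain positive integer before it reaches SQL.
    $clientId = filter_var($rawClientId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($clientId === false || !isset($session['user_id'], $session['accesslvl'])) {
        return null;
    }

    if ((int) $session['accesslvl'] === 1) {          // 1 = admin: may read any client
        $stmt = $db->prepare('SELECT * FROM clients WHERE client_id = :cid');
        $stmt->execute([':cid' => $clientId]);
    } else {                                          // everyone else: owner only
        $stmt = $db->prepare(
            'SELECT * FROM clients WHERE client_id = :cid AND user_id = :uid'
        );
        $stmt->execute([':cid' => $clientId, ':uid' => (int) $session['user_id']]);
    }

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;              // null means "No Client Found"
}

// Constructed sample data: user 1 owns clients 5 and 6, user 2 owns 7 and 8.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (client_id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
$db->exec("INSERT INTO clients VALUES (5, 1, 'A'), (6, 1, 'B'), (7, 2, 'C'), (8, 2, 'D')");

$user2 = ['user_id' => 2, 'accesslvl' => 2];
$admin = ['user_id' => 9, 'accesslvl' => 1];

// Each request stands in for $_GET['ClientID'] on clients_Detail.php.
foreach ([[$user2, '7'], [$user2, '5'], [$user2, '5 OR 1=1'], [$admin, '5']] as [$session, $id]) {
    $client = fetch_client($db, $session, $id);
    printf("accesslvl=%d ClientID=%s -> %s\n", $session['accesslvl'], $id,
        $client === null ? 'No Client Found' : 'client ' . $client['client_id']);
}
```

Because the owner comes from the server-side session and never from the URL, changing `ClientID` in the browser can only ever select among rows the logged-in user already owns.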
