Hi,

I have used Dreamweaver to create my php/mysql data driven site.

I have managed to secure the site with it and generate my pages.

The problem is users should only see their own clients, which works on the results page. However, if, say, UserID 1 had a client registered to him with ClientID 2 and then UserID 2 wanted to view this, all he has to do is change clients_Detail.php?ClientID=2 in the URL in his browser and it brings it up.

Is there a way to encrypt the URL? Add it at the top of my details page?

I have seen base64 mentioned on some forums, but it looks not that secure, or would it do the job?

Appreciate anyone's help.


Well, really, an ID couldn't truly be encrypted into a URL. There's always someone that will figure it out.

What you should be doing is a check in your PHP / MySQL query to see if the ID exists for the user.

So here's a scenario:

User has an ID of 1
They have 2 clients with IDs of 5 and 6

Another user has the ID of 2
With 2 more clients with IDs of 7 and 8

In your query, you could do something similar to this:
"SELECT * FROM clients WHERE user_id = $user_id AND client_id = $client_id"

If no results show up, display an error like "No Client Found".
This way, no one can find a client's details simply by changing the URL.

Thanks for your help. Could I do this with 2 access groups?

I have an admin and a users group. The users would only see the clients that = their userid, but admin should see them all?

Thanks again

When someone logs in to your system, determine the access level and store it in a session variable.
Then wherever you are querying your database you may write the following code.

if ($_SESSION['accesslvl'] == 1) // for example, 1 is for admin
      $query = "SELECT * FROM clients WHERE client_id = $client_id";
else // otherwise
      $query = "SELECT * FROM clients WHERE user_id = $user_id AND client_id = $client_id";

Use sessions; if their session variable doesn't match the ID in the URL, deny access.
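The ownership check and the admin branch from the replies above, written with prepared statements so the ClientID from the URL is never interpolated into the SQL. This is an added example, not code posted in the thread: the function name, the in-memory SQLite database, the sample rows and the use of access level 2 for ordinary users are constructed for illustration, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// replies; the function name and the sample data are constructed.
declare(strict_types=1);

const ACCESS_ADMIN = 1; // the thread's example: access level 1 is admin

/**
 * Return the client row only if the logged-in user may see it, else null.
 * $userId and $accessLevel must come from the server-side session, never the URL.
 */
function fetchClientForUser(PDO $db, int $userId, int $accessLevel, $rawClientId): ?array
{
    // Reject anything that is not a positive integer ("7 OR 1=1", "abc", arrays).
    $clientId = filter_var($rawClientId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($clientId === false) {
        return null;
    }
    if ($accessLevel === ACCESS_ADMIN) {
        // Admin: no ownership filter.
        $stmt = $db->prepare('SELECT * FROM clients WHERE client_id = :cid');
        $stmt->execute([':cid' => $clientId]);
    } else {
        // Everyone else: the row must belong to the session's user.
        $stmt = $db->prepare('SELECT * FROM clients WHERE user_id = :uid AND client_id = :cid');
        $stmt->execute([':uid' => $userId, ':cid' => $clientId]);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data matching the scenario: user 1 owns clients 5 and 6, user 2 owns 7 and 8.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (client_id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
$db->exec("INSERT INTO clients VALUES (5,1,'A'),(6,1,'B'),(7,2,'C'),(8,2,'D')");

// Each case: [session user id, session access level, ClientID taken from the URL]
$cases = [[1, 2, '5'], [2, 2, '5'], [2, 2, '7 OR 1=1'], [3, 1, '5']];
foreach ($cases as [$uid, $lvl, $cid]) {
    $row = fetchClientForUser($db, $uid, $lvl, $cid);
    printf("user=%d level=%d ClientID=%s -> %s\n", $uid, $lvl, $cid,
        $row === null ? 'No Client Found' : 'client ' . $row['name']);
}
```

Returning the same "No Client Found" result for a missing row and for a row owned by someone else avoids confirming which ClientID values exist.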
