0

I'm making a B2B portal that can be seen only by logged-in business customers that I add to the database. I have finished almost everything, but there is one problem.
When a customer adds some goods to his cart, goes to checkout and confirms his order, he gets a link to invoice.php?ids=156, which appears only in his profile and not in the profiles of other customers. But if he changes the ids number, like this: invoice.php?ids=150, he will see the content although he did not create that purchase.
This is not a big problem if someone does not try to change the ids of invoice.php and compromise the privacy of another user.

As I said in the title, I need to make partial page access restrictions for users, so that all users can see the page, but the same page with "?ids=" can be seen only by the user who created that page.

I apologize for the bad English.

Does anyone have an idea?
Thanks in advance!

2 Contributors, 3 Replies, 5 Views, 4 Years Discussion Span, Last Post by urtrivedi
1

In your SQL query to load invoice details, add one more condition to filter records based on the login id.

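$ids = (int) $_GET['ids']; // invoice numbers are integers; the cast keeps request data out of the SQL
$query = "select * from invoice where invoiceno='{$ids}' and USERID='{$_SESSION['userid']}'";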

Edited by urtrivedi

Votes + Comments
Solved my problem.
0

That query solved my problem. Thank you very much!
Is there any chance to insert some text in the restricted access page?

Edited by logicaweb: One more question.

1

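If the record count of the query is zero, then you can give a message and exit the page.

// No row came back, or the row does not match the requested invoice number
if (!$row || $row['invoiceno'] != $_GET['ids'])
{
   echo "Permission denied";
   exit;
}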
Votes + Comments
Thank you again! You're the no.1! :)
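The ownership check from the answers above, written with a bound-parameter query so the `ids` value never becomes part of the SQL text. This is an added example, not code from the thread; it assumes PDO with an in-memory SQLite database, and the `total` column and the `loadInvoiceForUser` function are hypothetical.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// answer above; the "total" column, the function name and SQLite are assumptions.

// Constructed sample data: two customers, one invoice each.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoice (invoiceno INTEGER PRIMARY KEY, USERID INTEGER, total REAL)');
$pdo->exec('INSERT INTO invoice VALUES (150, 7, 99.50), (156, 8, 12.00)');

/**
 * Return the invoice only if it belongs to $userId, otherwise null.
 * A missing invoice and someone else's invoice look the same to the caller,
 * so the response does not reveal which invoice numbers exist.
 */
function loadInvoiceForUser(PDO $pdo, $rawId, int $userId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameters keep request data out of the SQL text.
    $stmt = $pdo->prepare('SELECT * FROM invoice WHERE invoiceno = :id AND USERID = :uid');
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: (value of ?ids=, logged-in user id taken from the session).
$requests = [
    ['156', 8],         // customer opens their own invoice
    ['150', 8],         // customer edits the number to another customer's invoice
    ['150 OR 1=1', 8],  // non-numeric input
    ['999', 8],         // invoice that does not exist
];
foreach ($requests as [$ids, $sessionUser]) {
    $invoice = loadInvoiceForUser($pdo, $ids, $sessionUser);
    if ($invoice === null) {
        // On the real page: http_response_code(403); echo 'Permission denied'; exit;
        echo "ids=$ids user=$sessionUser -> Permission denied\n";
        continue;
    }
    echo "ids=$ids user=$sessionUser -> invoice {$invoice['invoiceno']}, total {$invoice['total']}\n";
}
```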