I'm making a B2B portal that can see just loggedin business customers that I add to base, I finished almost all, but there is one problem.
When customer add some goods to his cart, goes to checkout and confirm his order he will have a link to invoice.php?ids=156 and that will appers just in his profile and not in profile of other customers but if he change ids number like this invoice.php?ids=150 he will see content although he did not create that purchase.
This is not a big problem if someone does not try to change ids of invoice.php and compromise the privacy of another user.

As I said in the title I need to make partially page user access restrictions, to all users can see page but same page with "ids?=" can see just user that create that page.

I apologize for the bad English.

Does anyone have an idea?
Thanks in advance!

Recommended Answers

All 3 Replies

IN your sql query to load invoice details, you add one more condition to filter records based on login id.

$query="select * from invoice where invoieno='{$_GET[ids]}' and USERID='{$_SESSION['userid']}'";
commented: Solved my problem. +0

That query solved my problem. Thank you very much!
Is there any chance to insert some text in restricted access page?

if recordcount of query is zero then you can give message and exit page

   echo "Permission denied";
commented: Thank you again! You're the no.1! :) +0
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.