My website allows user accounts, and users can upload and delete images. To delete an image, this JS is called:
Code:
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "<?php echo base_url(); ?>index.php/controller/method?id=" + id, true);
xmlhttp.send();
The problem is, I can manually load
domain.com/index.php/controller/method?id=xx
and I could delete another user's image.
What is the correct way of fixing this issue?
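
One way to close the hole described above, as an added example that is not part of the original post: the server takes the user from the session, refuses GET, checks a CSRF token, and puts the ownership condition into the DELETE itself. The `images` table, its `user_id` column, the session keys and the `delete_image` helper are assumptions; PDO with in-memory SQLite and constructed rows stand in for the real database.

```php
<?php
// Hypothetical helper, not the poster's code. Table, column and session key
// names are assumptions. Returns the HTTP status the controller should send.
function delete_image(PDO $db, array $session, string $method, array $post): int
{
    // 1. State-changing requests must not be reachable by GET (links, prefetch).
    if ($method !== 'POST') {
        return 405;
    }
    // 2. The caller must be logged in; identity comes from the session only.
    if (!isset($session['user_id'])) {
        return 401;
    }
    // 3. CSRF: the token sent with the request must match the session's token.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        return 403;
    }
    // 4. Validate the id, then bind ownership into the DELETE itself.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    $stmt = $db->prepare('DELETE FROM images WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $session['user_id']]);
    // Same answer for "not yours" and "does not exist", so ids cannot be probed.
    return $stmt->rowCount() === 1 ? 204 : 404;
}

// Constructed sample data: image 1 belongs to user 10, image 2 to user 20.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL)');
$db->exec('INSERT INTO images (id, user_id) VALUES (1, 10), (2, 20)');

$session = ['user_id' => 10, 'csrf_token' => bin2hex(random_bytes(16))];
$ok = ['csrf_token' => $session['csrf_token']];

var_dump(delete_image($db, $session, 'GET',  $ok + ['id' => '2'])); // GET request
var_dump(delete_image($db, $session, 'POST', ['id' => '1']));       // no CSRF token
var_dump(delete_image($db, $session, 'POST', $ok + ['id' => '2'])); // other user's image
var_dump(delete_image($db, $session, 'POST', $ok + ['id' => '1'])); // own image
var_dump($db->query('SELECT id FROM images')->fetchAll(PDO::FETCH_COLUMN));
```

On the client side, the request would then be sent with `xmlhttp.open("POST", ...)` and carry the id and the CSRF token in the body instead of the query string.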