CodeIgniter Forums
How to change "id" in url - Printable Version




How to change "id" in url - kelapamuda - 02-19-2018

If my website is: web.com/index.php/z_tbl_user/update/119.
What I am afraid of is that a visitor could change it to this: web.com/index.php/z_tbl_user/update/120.
To prevent this I want to change it so that what the visitor sees is something like this: web.com/index.php/z_tbl_user/update/whscbscbxncbxn922.
So how do I change the 119 to some random letters? Is there any library or function? I googled but I am still confused about how to implement it.
Thanks for the help.


RE: How to change "id" in url - Avenirer - 02-19-2018

You could encrypt/decrypt the id. But my question is why would you want someone to be able to update a record but not another record and not mention that in the table (like, for example, updater_id or owner_id).


RE: How to change "id" in url - kelapamuda - 02-19-2018

Because it has a login system, and after login a user can only see his own data and edit his own data. But the situation now is that if his id is 15, he can update another person's data by changing the "id" at the end of the URL. If he changes it to 16, then what is shown is the data for id number 16. I am afraid this is dangerous, of course.


RE: How to change "id" in url - jreklund - 02-19-2018

You need to protect it with PHP code. Encrypting URL IDs is not the solution.

1. Get the ID from the URL
2. Check that the user has write/update access to that ID
3. Save or return access denied.
3.1 Ban users, there is no reason for them to change the ID (not in my application at least).
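
The three steps above as a plain PHP sketch, added here as an example and not code posted by anyone in the thread: the record ID comes from the URL, the user ID comes from the session, and the update only runs when the row's owner matches. The `owner_id` and `email` columns, the `update_record` function and the sample rows are assumptions.

```php
<?php
// Added example: plain PHP + PDO (SQLite in memory), not code from the thread.
// The columns (id, owner_id, email) and every row are constructed.

function update_record(PDO $db, array $session, string $urlId, string $email): int
{
    if (empty($session['user_id'])) {
        return 401; // not logged in
    }
    // 1. Get the ID from the URL; accept plain digits only.
    if (!ctype_digit($urlId)) {
        return 404;
    }
    $id  = (int) $urlId;
    $uid = (int) $session['user_id']; // set at login, never taken from the request

    // 2. Check that the logged-in user has write access to that ID.
    $stmt = $db->prepare('SELECT owner_id FROM z_tbl_user WHERE id = ?');
    $stmt->execute([$id]);
    $owner = $stmt->fetchColumn();
    if ($owner === false || (int) $owner !== $uid) {
        // 3. Access denied. Same answer for "missing" and "not yours", and a
        //    log line that a ban rule (step 3.1) can count per user.
        error_log("denied update: user=$uid record=$id");
        return 403;
    }
    // 3. Save. The owner is repeated in WHERE as a second barrier.
    $stmt = $db->prepare('UPDATE z_tbl_user SET email = ? WHERE id = ? AND owner_id = ?');
    $stmt->execute([$email, $id, $uid]);
    return 200;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE z_tbl_user (id INTEGER PRIMARY KEY, owner_id INTEGER, email TEXT)');
$db->exec("INSERT INTO z_tbl_user VALUES (119, 15, 'a@example.test'), (120, 16, 'b@example.test')");

$session = ['user_id' => 15]; // constructed: the logged-in user owns record 119
foreach (['119', '120', '999', 'abc'] as $urlId) {
    printf("update/%s -> %d\n", $urlId, update_record($db, $session, $urlId, 'new@example.test'));
}
```

Because the check runs on the server for every request, it holds whether the ID in the URL is a number or an opaque string.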


RE: How to change "id" in url - Avenirer - 02-19-2018

(02-19-2018, 02:15 AM)kelapamuda Wrote: Because it has a login system, and after login a user can only see his own data and edit his own data. But the situation now is that if his id is 15, he can update another person's data by changing the "id" at the end of the URL. If he changes it to 16, then what is shown is the data for id number 16. I am afraid this is dangerous, of course.

That's exactly my point. If he can edit his own data only, why pass the id in the URL? You have the user id in the session data. And you retrieve that id from there when updating...


RE: How to change "id" in url - InsiteFX - 02-19-2018

I have to agree with @Avenirer, that is nothing but a security hole in your application...


RE: How to change "id" in url - kirasiris - 02-19-2018

(02-19-2018, 01:03 AM)kelapamuda Wrote: If my website is: web.com/index.php/z_tbl_user/update/119.
What I am afraid of is that a visitor could change it to this: web.com/index.php/z_tbl_user/update/120.
To prevent this I want to change it so that what the visitor sees is something like this: web.com/index.php/z_tbl_user/update/whscbscbxncbxn922.
So how do I change the 119 to some random letters? Is there any library or function? I googled but I am still confused about how to implement it.
Thanks for the help.

I think you just have to wrap the form in an if statement, for example (that's how I have it right now):

[Image: Capture.jpg]

and as a guy already said, if you have a function to ban users who are just changing their id to see if they can mess with somebody else... then do it... Make sure to put the form_submit and form_close before the else statement.