CodeIgniter Forums
What's more secure than? when showing user id data - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: What's more secure than? when showing user id data (/showthread.php?tid=70962)



What's more secure than? when showing user id data - kirasiris - 06-22-2018

So here I am playing again with CodeIgniter and I tried modifying my User controller and some private pages and I just realized that when accessing to pages like "cart.php" I can do this in order to show their cart( of current the logged in user).

Controller
PHP Code:
public function cart($id)
    {
        
        
// Check Login
        
if($this->session->userdata('user_id') != $id) {
            
// otherwise redirect to...
            
redirect('store/index');
            
 
       }

 
       // Load Library
 
       $this->load->library('cart');
    
        
$data['title'] = 'My Cart';
        
        
$data['cart'] = $this->Store_model->get_cart($id);
                    
        
        
// Load Template
        
$this->template->load('public' 'default''store/cart'$data);
                
    } 

Model:
PHP Code:
    public function get_cart($id){
 
       
        $this
->db->where('user_id'$id);
 
       
        $query 
$this->db->get('ci_cart');

        if(
$query->num_rows() > 0){
            return 
$query->result();
        } else {
            return 
false;
        }    
                
 
   

and the one I just realized which I think looks nicer to avoid having urls like(notice that I don't pass vars):
Code:
"example.com/cart/1/kirasiris"

new Controller function:
PHP Code:
public function cart()
    {
        
        
// Check Login
        
if($this->session->userdata('user_id') != $this->session->userdata('user_id')) {
            
// otherwise redirect to...
            
redirect('store/index');
            
 
       }

 
       // Load Library
 
       $this->load->library('cart');
    
        
$data['title'] = 'My Cart';
        
        
$data['cart'] = $this->Store_model->get_cart();
                    
        
        
// Load Template
        
$this->template->load('public' 'default''store/cart'$data);
                
    } 

new Model function:
PHP Code:
    public function get_cart(){
 
       
        $this
->db->where('user_id'$this->session->userdata('user_id'));
 
       
        $query 
$this->db->get('ci_cart');

        if(
$query->num_rows() > 0){
            return 
$query->result();
        } else {
            return 
false;
        }    
                
 
   

which just create a simple url like:

Code:
"example.com/cart/1/kirasiris"

So yes, I'm just wondering what is the best approach. If somebody can tell me I will be very grateful


RE: What's more secure than? when showing user id data - Pertti - 06-22-2018

Is the Cart controller for open shopping basket?

Assuming one client will ever only have one basket open at any time, you could just use user_id from session, and fetch any (well, one) open carts where user_id = session user_id, and there's no need to send cart IDs back and forth via URL.

Alternatively, if carts do have IDs, you can also use session user_id with query without putting it on URL:
SELECT * FROM cart WHERE id = ID from URL AND user_id = user_id from session.

Having user_id on URL and then in session I don't think adds much to security, it's kind of checking one thing to itself?