CodeIgniter Forums
Security question - Printable Version




Security question - El Forum - 06-25-2008

[eluser]ericbae[/eluser]
Hello,

Just want to get some ideas on what would be the best way to implement this type of feature.

I have a website where users can post something, and I am trying to enable "delete post" using something like this

myapp.com/post/delete/postID/2

which would call the "Post" controller and its "delete" function to delete the post with its ID number "2".

But wouldn't anyone be able to type in the above URL to delete any posts?

Obviously, I'll have to put in some user validation + authorization, but does CodeIgniter offer something I can use? Or how should I hide such information? What is the best way?


Security question - El Forum - 06-25-2008

[eluser]Aea[/eluser]
As long as you verify the user is "valid" for deleting said post (moderator, owner) you're "okay." The problem comes in people giving users that address to spoof them into deleting their own stuff; you can get around this problem by having a confirmation page, or sending the postID via POST (that way a simple URL won't let a user delete something).
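
The checks described in this thread, as an added example that is not part of the original posts: a plain PHP function that decides whether a delete request may proceed. It goes one step beyond the reply by also comparing a per-session form token, since a hidden form on another site can still submit a POST. The function name, array keys and sample data are assumptions; in a CodeIgniter controller the same inputs would come from the framework's input and session classes.

```php
<?php
// Added example: every name and value here is constructed for illustration.

// Returns the HTTP status the delete action should answer with.
function authorize_delete(string $method, array $form, array $session, array $posts): int
{
    // 1. Deleting changes state, so only accept POST. A bare link such as
    //    myapp.com/post/delete/postID/2 is then not enough to delete anything.
    if ($method !== 'POST') {
        return 405;
    }
    // 2. The requester must be logged in.
    if (empty($session['user_id'])) {
        return 401;
    }
    // 3. The form token must match the one stored in the session, so a form
    //    submitted from another site is rejected (constant-time comparison).
    $sent = isset($form['token']) && is_string($form['token']) ? $form['token'] : '';
    if (empty($session['token']) || !hash_equals($session['token'], $sent)) {
        return 403;
    }
    // 4. The post must exist.
    $id = isset($form['postID']) ? (int) $form['postID'] : 0;
    if (!isset($posts[$id])) {
        return 404;
    }
    // 5. Only the owner or a moderator may delete it.
    $isOwner     = $posts[$id]['owner_id'] === $session['user_id'];
    $isModerator = !empty($session['is_moderator']);
    return ($isOwner || $isModerator) ? 200 : 403;
}

// Constructed sample data: two posts, one regular user, one moderator.
$posts = [2 => ['owner_id' => 7], 3 => ['owner_id' => 8]];
$user  = ['user_id' => 7, 'token' => 'constructed-token-a', 'is_moderator' => false];
$mod   = ['user_id' => 9, 'token' => 'constructed-token-b', 'is_moderator' => true];

$cases = [
    'GET link to delete URL'   => ['GET',  ['postID' => 2], $user],
    'POST without login'       => ['POST', ['postID' => 2, 'token' => 'x'], []],
    'POST with wrong token'    => ['POST', ['postID' => 2, 'token' => 'forged'], $user],
    'owner deletes own post'   => ['POST', ['postID' => 2, 'token' => 'constructed-token-a'], $user],
    'user deletes other post'  => ['POST', ['postID' => 3, 'token' => 'constructed-token-a'], $user],
    'moderator deletes a post' => ['POST', ['postID' => 3, 'token' => 'constructed-token-b'], $mod],
];
foreach ($cases as $label => [$method, $form, $session]) {
    printf("%-26s %d\n", $label, authorize_delete($method, $form, $session, $posts));
}
```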