using id in url / security issue
#1

[eluser]Jan_1[/eluser]
Hi!
I have user profiles, classifieds and articles
and I do use '$this->uri->segment' in controller to get the single content in the template.
So you can read the user_id in the url (..index.php/profil/23.html).

Well, I do check user rights in the model, but shouldn't I pass a user_id more confidentially? I want to protect my users' data. For example, using an encrypted date for 'id' instead of using auto-increment for 'id' in MySQL?

How are you doing?
Greetings, Jan
#2

[eluser]danmontgomery[/eluser]
First, a database ID is not user data... As long as you're checking the current user against the page they're trying to view, it really doesn't matter.

You can hash the id:
Quote:index.php/profile/d389a39f4584dfd3f53cdc453db9a925.html

Code:
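$user_id = $this->uri->segment(2);
// Bind the URL segment as a query parameter instead of concatenating it into the SQL string
$sql = "SELECT * FROM users WHERE MD5(CONCAT(first_name, id)) = ?";
$query = $this->db->query($sql, array($user_id));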

For example.
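
The point made in this thread, that the access check and not the form of the id protects the profile, as an added example; it is not code from either poster. It is plain PHP with a constructed user table; `URL_KEY`, `profile_token`, `find_by_token`, `can_view` and `show_profile` are hypothetical names, the `public` flag is an assumed rights model, and HMAC-SHA256 is swapped in for the unkeyed MD5 shown above.

```php
<?php
// Added example: constructed data and hypothetical helper names throughout.
const URL_KEY = 'replace-with-a-random-server-side-secret'; // placeholder key

// Constructed sample rows standing in for the users table.
$users = [
    23 => ['id' => 23, 'first_name' => 'Jan', 'public' => false],
    24 => ['id' => 24, 'first_name' => 'Dan', 'public' => true],
];

// Keyed token: it cannot be recomputed from first_name and id without URL_KEY,
// unlike MD5(CONCAT(first_name, id)).
function profile_token(int $id): string
{
    return hash_hmac('sha256', 'profile:' . $id, URL_KEY);
}

// Resolve a token from the URL back to a row, comparing in constant time.
function find_by_token(array $users, string $token): ?array
{
    foreach ($users as $row) {
        if (hash_equals(profile_token($row['id']), $token)) {
            return $row;
        }
    }
    return null;
}

// The access decision: owner or public profile. The token plays no part in it.
function can_view(?int $viewer_id, array $profile): bool
{
    return $profile['public'] || $viewer_id === $profile['id'];
}

// Returns the HTTP status the controller would send.
function show_profile(array $users, ?int $viewer_id, string $token): int
{
    $profile = find_by_token($users, $token);
    if ($profile === null) {
        return 404;
    }
    return can_view($viewer_id, $profile) ? 200 : 403;
}

$t23 = profile_token(23);
var_dump(show_profile($users, 23, $t23));            // the owner
var_dump(show_profile($users, 24, $t23));            // another user holding the link
var_dump(show_profile($users, null, md5('Jan23')));  // unkeyed hash is not a valid token
```

In a real application the token would be stored in an indexed column and looked up with a bound query rather than by looping over rows.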



