Passing ID in URL without letting other users manipulate it when editing forms
#1

[eluser]jleequeen[/eluser]
Hello All,

I've got a quick little question regarding edit forms. When I pass the "id" from the database table to the view which decides which record to edit, how do I keep someone from manipulating the ID in the URL and updating something they shouldn't? For example I have a form with the URL of:

Code:
sales/edit/123

Obviously I would love to pass just the ID through to the edit method of the sales controller, but what keeps someone from just adjusting the id parameter in the URL and editing someone else's record? Do I need to do additional checks against, say, customer_id to make sure they are who they say they are? Look for the customer_id in a session variable somewhere? My simplified model looks like this:

Code:
class Sales_model extends Model
{
    function Sales_model()
    {
        parent::Model();
    }

    // Updates whichever row matches $id. Nothing here ties the row to the
    // customer doing the editing, so any id that appears in the URL is updated.
    function edit($id, $data)
    {
        $this->db->where('id', $id);
        $this->db->update('sales', $data);
        return TRUE;
    }
}

Maybe I'm not seeing something, but I guess I just don't see what keeps one customer from fudging the URL and updating another company's record.
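The problem described in this post is a missing ownership check (an insecure direct object reference): the id in the URL is trusted to select the row, and nothing in the query ties that row to the logged-in customer. The fix is not to hide or encrypt the id but to scope every read and write to the owner taken from the server-side session, never from the URL or the form. The following is an added example for CodeIgniter 1.x, not code from the original post. It assumes a `customer_id` column on the `sales` table, that login stored the customer's id in the session under the key `customer_id`, that the Session library and URL helper are autoloaded, and that the editable columns are `amount` and `note`; the names `get_owned` and `auth/login` are made up for the illustration. In a real application the model and controller would live in their own files.

```php
<?php
// Added example (not from the original post): ownership-scoped edit in CodeIgniter 1.x.
// Assumptions: `sales` has a `customer_id` column, the logged-in customer's id is in
// the session under 'customer_id', Session library and URL helper are autoloaded.
// Sales_model::get_owned and the 'auth/login' route are names invented for this example.

class Sales_model extends Model
{
    function Sales_model()
    {
        parent::Model();
    }

    // Fetch one sale, but only if it belongs to $customer_id.
    // Returns the row as an array, or FALSE when no such row is owned by this customer.
    function get_owned($id, $customer_id)
    {
        $this->db->where('id', (int) $id);
        $this->db->where('customer_id', (int) $customer_id);
        $query = $this->db->get('sales', 1);
        if ($query->num_rows() == 0)
        {
            return FALSE;
        }
        return $query->row_array();
    }

    // Update one sale, constrained by owner. Returns FALSE if the row does not exist
    // or is not owned by $customer_id. Even if the pre-check were skipped, the UPDATE
    // itself could not touch another customer's record, because customer_id is in
    // its WHERE clause.
    function edit($id, $customer_id, $data)
    {
        if ($this->get_owned($id, $customer_id) === FALSE)
        {
            return FALSE;
        }
        // Never let submitted data re-assign the row's owner or primary key.
        unset($data['customer_id'], $data['id']);

        $this->db->where('id', (int) $id);
        $this->db->where('customer_id', (int) $customer_id);
        $this->db->update('sales', $data);
        return TRUE;
    }
}

class Sales extends Controller
{
    function Sales()
    {
        parent::Controller();
        $this->load->model('Sales_model');
    }

    // sales/edit/123 -- the id comes from the URL; the owner comes from the session.
    function edit($id = 0)
    {
        $customer_id = $this->session->userdata('customer_id');
        if ($customer_id === FALSE)
        {
            redirect('auth/login');
        }

        if ($this->input->post('submit') === FALSE)
        {
            // GET: show the form, but only for a row this customer owns.
            $sale = $this->Sales_model->get_owned($id, $customer_id);
            if ($sale === FALSE)
            {
                show_404();
            }
            $this->load->view('sales/edit', array('sale' => $sale));
            return;
        }

        // POST: whitelist the editable fields; anything else in $_POST is ignored.
        $data = array(
            'amount' => $this->input->post('amount'),
            'note'   => $this->input->post('note'),
        );

        if ($this->Sales_model->edit($id, $customer_id, $data) === FALSE)
        {
            // Same response for "not yours" and "does not exist", so the id
            // space cannot be probed to learn which records belong to others.
            show_404();
        }
        redirect('sales/view/' . (int) $id);
    }
}
```

Two checks are worth adding to your own tests: log in as customer A, request `sales/edit/<id owned by B>` and confirm you get a 404 on both the GET and the POST; and POST an extra `customer_id` field to your own record and confirm the row's owner does not change. Checking `affected_rows()` alone is not a reliable ownership test, since MySQL reports zero affected rows when an UPDATE writes values identical to the existing ones; that is why the example selects the row first.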


Messages In This Thread
Passing ID in URL without letting other users manipulate it when editing forms - by El Forum - 08-27-2008, 09:39 AM


