[eluser]jleequeen[/eluser]
Hello All,
I've got a quick little question regarding edit forms. When I pass the "id" from the database table to the view, which decides which record to edit, how do I keep someone from manipulating the ID in the URL and updating something they shouldn't? For example, I have a form with the URL of:
Obviously I would love to pass just the ID through to the edit method of the sales controller, but what keeps someone from just adjusting the id parameter in the URL and editing someone else's record? Do I need to do additional checks against, say, customer_id to make sure they are who they say they are? Look for the customer_id in a session variable somewhere? My simplified model looks like this:
Code:
<?php
class Sales_model extends Model
{
    // Updates the sales row with the given id.
    // Note: only the id is used in the WHERE clause, so any caller who
    // can supply an id can update that row; ownership is not checked here.
    function edit($id, $data)
    {
        $this->db->where('id', $id);
        $this->db->update('sales', $data);
        return TRUE;
    }
}
Maybe I'm not seeing something, but I guess I just don't see what keeps one customer from fudging the URL and updating another company's record.
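The check the question is asking for, as an added example rather than the poster's own code: scope the UPDATE to the owning customer, taking the customer id from the session instead of the URL. It assumes (not stated in the post) that the sales table has a customer_id column and that the logged-in customer's id is stored in the CodeIgniter session under 'customer_id'.

```php
<?php
// Added example, not the poster's code. Assumptions: `sales` has a
// `customer_id` column and the session holds the logged-in customer's
// id under 'customer_id'.
class Sales_model extends Model
{
    function Sales_model()
    {
        parent::Model();
    }

    // Update a sale only if it belongs to $customer_id.
    // Returns TRUE when exactly one row was changed, FALSE otherwise.
    function edit($id, $customer_id, $data)
    {
        // Never let submitted form data reassign the owner or the key.
        unset($data['customer_id'], $data['id']);

        $this->db->where('id', (int) $id);
        $this->db->where('customer_id', (int) $customer_id); // ownership check
        $this->db->update('sales', $data);

        // Zero affected rows: the record does not exist or is not owned by
        // this customer. Both cases get the same answer so nothing leaks.
        return $this->db->affected_rows() == 1;
    }
}

// Controller side: the owner comes from the session, never from the URL.
class Sales extends Controller
{
    function edit($id)
    {
        $customer_id = $this->session->userdata('customer_id');
        if ($customer_id === FALSE) {
            show_error('Not logged in', 403);
        }
        $this->load->model('Sales_model');
        $data = array('amount' => $this->input->post('amount'));
        if ( ! $this->Sales_model->edit($id, $customer_id, $data)) {
            show_404(); // same response for "not yours" and "not found"
        }
        redirect('sales');
    }
}
```

Caveat: with MySQL, affected_rows() is also 0 when the row matched but nothing actually changed, so if that case matters, do a SELECT ... WHERE id = ? AND customer_id = ? first and update only when it returns a row.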