Passing ID in url without letting other users manipulate it when editing forms
#4

[eluser]Rick Jolly[/eluser]
[quote author="jleequeen" date="1219869540"]Do I need to do additional checks against say customer_id to make sure they are who they are? Look for the customer_id in a session variable somewhere?[/quote]
Yes. There should be a link between sales records and customers. For example, each sales record could have a customer id as the foreign key. So you'd get the customer id from the session and do something like this:
Code:
class Sales_model extends Model
{
    // $customer_id must come from the session, never from the URL or a form field
    function edit($id, $customer_id, $data)
    {
        // Both conditions must match, so a record owned by another customer is never touched
        $this->db->where('id', $id);
        $this->db->where('customer_id', $customer_id);
        $this->db->update('sales', $data);
    }
}

Also, don't trust a hidden form field any more than the url.
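The same owner-scoped update, shown side by side with the unscoped version it replaces, as an added example that is not from the thread or from CodeIgniter: plain PDO against an in-memory SQLite table so it runs stand-alone, with a constructed `sales` table and constructed customer ids.

```php
<?php
// Added example, not code from the thread. Table contents are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sales (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, note TEXT)');
$db->exec("INSERT INTO sales (id, customer_id, note) VALUES (1, 100, 'alice order'), (2, 200, 'bob order')");

// Unscoped: trusts the id from the URL alone, so any logged-in customer can edit any sale.
function edit_unscoped(PDO $db, int $id, string $note): int
{
    $stmt = $db->prepare('UPDATE sales SET note = ? WHERE id = ?');
    $stmt->execute([$note, $id]);
    return $stmt->rowCount();
}

// Scoped: the owner id is taken from the session, never from the URL or a hidden field,
// and the WHERE clause requires both id and owner to match, like the model method above.
function edit_scoped(PDO $db, int $id, int $session_customer_id, string $note): int
{
    $stmt = $db->prepare('UPDATE sales SET note = ? WHERE id = ? AND customer_id = ?');
    $stmt->execute([$note, $id, $session_customer_id]);
    return $stmt->rowCount();
}

// Customer 100 is logged in and submits the edit form with id=2, a sale that belongs to customer 200.
$session_customer_id = 100;
$submitted_id        = 2;

// The unscoped update silently changes the other customer's row.
printf("unscoped: %d row(s) changed\n", edit_unscoped($db, $submitted_id, 'changed by 100'));

// The scoped update matches nothing, so the other customer's row is left alone.
$changed = edit_scoped($db, $submitted_id, $session_customer_id, 'changed by 100');
printf("scoped:   %d row(s) changed\n", $changed);

// Zero affected rows on a form the user was shown means either a stale form or a
// manipulated id; log it and answer with a 404 rather than a "saved" message.
if ($changed === 0) {
    error_log("sales edit refused: id=$submitted_id session customer_id=$session_customer_id");
}
```

Checking the affected-row count is what turns the scoped WHERE clause from a quiet no-op into something you can alert on.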


Messages In This Thread
Passing ID in url without letting others users manipulate it when editing forms - by El Forum - 08-27-2008, 11:03 AM