[eluser]Rick Jolly[/eluser]
[quote author="jleequeen" date="1219869540"]Do I need to do additional checks against say customer_id to make sure they are who they are? Look for the customer_id in a session variable somewhere?[/quote]
Yes. There should be a link between sales records and customers. For example, each sales record could have a customer id as the foreign key. So you'd get the customer id from the session and do something like this:
Code:
class Sales_model extends Model
{
    // $customer_id must come from the session (the logged-in user), never from
    // the URL or a form field, so a sale owned by another customer is never matched.
    function edit($id, $customer_id, $data)
    {
        $this->db->where('id', $id);
        $this->db->where('customer_id', $customer_id);
        $this->db->update('sales', $data);
        // 0 means the row does not exist or does not belong to this customer
        return $this->db->affected_rows();
    }
}
Also, don't trust a hidden form field any more than the url.
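The same ownership-scoped update outside the framework, as an added example that is not code from this thread or from CodeIgniter: plain PHP with PDO against an in-memory SQLite table, so it can be run from the command line. It assumes a `sales` table with `id`, `customer_id` and `amount` columns, that login already stored the authenticated customer's id in `$_SESSION['customer_id']`, and uses constructed sample rows and a constructed tampered request.

```php
<?php
// Added example, not from the thread. Demonstrates scoping an UPDATE to the
// session's customer id so a tampered id or hidden field cannot reach another
// customer's record. Assumes a `sales` table (id, customer_id, amount).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sales (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, amount REAL NOT NULL)');
// Constructed sample data: sale 1 belongs to customer 10, sale 2 to customer 20.
$db->exec('INSERT INTO sales (id, customer_id, amount) VALUES (1, 10, 50.0), (2, 20, 75.0)');

// Unscoped variant: trusts the id from the request alone, so any logged-in
// customer can change any sale. Shown only as the "before" for contrast.
function editSaleUnscoped(PDO $db, int $id, float $amount): int
{
    $stmt = $db->prepare('UPDATE sales SET amount = :amount WHERE id = :id');
    $stmt->execute([':amount' => $amount, ':id' => $id]);
    return $stmt->rowCount();
}

// Scoped variant: the customer id comes from the session, never from the
// request, and is part of the WHERE clause, so a sale the customer does not
// own is simply not matched. A result of 0 rows must be treated as a refusal.
function editSale(PDO $db, int $id, int $sessionCustomerId, float $amount): int
{
    $stmt = $db->prepare(
        'UPDATE sales SET amount = :amount WHERE id = :id AND customer_id = :customer_id'
    );
    $stmt->execute([
        ':amount'      => $amount,
        ':id'          => $id,
        ':customer_id' => $sessionCustomerId,
    ]);
    return $stmt->rowCount();
}

// Constructed request: customer 10 is logged in but submits id=2 (customer 20's
// sale) together with a tampered hidden field customer_id=20. Both request
// values are ignored in favour of the session.
$_SESSION = ['customer_id' => 10];
$_POST    = ['id' => '2', 'customer_id' => '20', 'amount' => '1.00'];

$affected = editSale($db, (int) $_POST['id'], (int) $_SESSION['customer_id'], (float) $_POST['amount']);
if ($affected === 0) {
    echo "Refused: sale {$_POST['id']} is not owned by customer {$_SESSION['customer_id']}\n";
} else {
    echo "Updated {$affected} row(s)\n";
}

// The same customer editing a sale they own goes through.
$affected = editSale($db, 1, (int) $_SESSION['customer_id'], 42.0);
echo "Own sale: updated {$affected} row(s)\n";

// For contrast, the unscoped update accepts the tampered request.
$affected = editSaleUnscoped($db, (int) $_POST['id'], (float) $_POST['amount']);
echo "Unscoped variant: updated {$affected} row(s) belonging to another customer\n";
```

The detection point is the affected-row count: a scoped update that touches zero rows for an id the user claims to own is the signal to log and refuse, rather than to fall back to a broader query.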