[eluser]Michael Wales[/eluser]
The real problem is the insecurity within your form processor. It doesn't really matter if people can change the ID within the URL and it doesn't matter how you hash it or obfuscate it - when you get to the root of the problem: users should not be allowed to view/edit other user's records, yet they can.
Solve that and you solve your problem.
Since we don't really know anything about your application I'm just going to assume there is a user_id field associated with each record. That user_id acts as a foreign key to your users table, ensuring that the record in question belongs to a real, legitimate, authenticated user.
If this is the case, it's as simple as an if...then statement within the first line of your method. Psuedo-code below:
Code:
function view($id) {
$this->load->model('record');
$record = $this->record->get($id); // Using our model to return an object representing our record
// Is this one of our authenticated user's records?
if ($record->user_id !== $this->session->userdata('user_id')) {
// Nope - GTFO!
redirect('');
return;
}
// This is one of our user's records - show them the form
$this->load->view('records/view');
}
Copy/paste and your edit method has a great starting point.
