using id in url / security issue

I have user profiles, classifieds and articles,
and I use '$this->uri->segment' in the controller to get the single content in the template.
So you can read the user_id in the url (..index.php/profil/23.html).

Well, I do check user rights in the model, but shouldn't I pass a user_id more confidentially? I want to protect my users' data. For example, using an encrypted date for 'id' instead of using auto-increment for 'id' in MySQL?

How are you doing?
Greetings, Jan

First, a database ID is not user data... As long as you're checking the current user against the page they're trying to view, it really doesn't matter.

You can hash the id:

$user_id = $this->uri->segment(2);
// escape() quotes and escapes the URL segment before it goes into the SQL string
$sql = "SELECT * FROM users WHERE MD5(CONCAT(first_name, id)) = " . $this->db->escape($user_id);

For example.
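
The two replies above put together, as an added PHP example that is not part of the original thread: the profile is looked up by an opaque URL token, and the ownership check still decides whether it is shown. The function names, the key and the sample rows are assumptions made for this sketch, and a keyed HMAC-SHA256 is swapped in for the MD5(first_name, id) shown above.

```php
<?php
// Added illustration; every name, key and row here is constructed.
const URL_ID_KEY = 'placeholder-random-server-side-secret';

// Constructed sample rows standing in for the users table.
$users = [
    23 => ['id' => 23, 'first_name' => 'Jan',  'public' => false],
    24 => ['id' => 24, 'first_name' => 'Anna', 'public' => true],
];

// Opaque URL token: keyed HMAC of the row id, so it cannot be recomputed
// from guessable fields the way an unkeyed hash of name and id can.
function url_token(int $id): string
{
    return substr(hash_hmac('sha256', (string) $id, URL_ID_KEY), 0, 32);
}

// Map a token from the URL back to a row, comparing in constant time.
function find_by_token(array $users, string $token): ?array
{
    foreach ($users as $row) {
        if (hash_equals(url_token($row['id']), $token)) {
            return $row;
        }
    }
    return null;
}

// The actual access control: public profiles, or the owner's own profile.
function can_view(?int $viewerId, array $profile): bool
{
    return $profile['public'] || $viewerId === $profile['id'];
}

// Returns an HTTP-style status for a request to /profil/<token>.
function view_profile(array $users, ?int $viewerId, string $token): int
{
    $profile = find_by_token($users, $token);
    if ($profile === null) {
        return 404;
    }
    return can_view($viewerId, $profile) ? 200 : 403;
}

$janToken = url_token(23);
echo view_profile($users, 23, $janToken), "\n";        // owner requests own profile
echo view_profile($users, 24, $janToken), "\n";        // another logged-in user
echo view_profile($users, null, url_token(24)), "\n";  // guest, public profile
```

In a real application the token would be stored in an indexed column rather than recomputed for every row.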
