Login

12-12-2007, 01:44 PM

[eluser]Negligence[/eluser]
To make it secure, you have to do either one or two things.

1) Ensure that the database record is valid before you do anything with it. I've seen too many applications that don't check to see if an ID exists before operating with it.

2) If necessary, check that the database record belongs to, or is editable, by the current user. If not, stop what you're doing.

These two steps are simple and they go a long way towards making your application less susceptible to security problems.

In response to your solution Michael, a better approach is to store the record ID in the session, do not use it in the URL/form, and retrieve it after the form has been submitted. This way the ID itself cannot be tampered with it all, making the process foolproof.