How to change "id" in url
#1

If my website is: web.com/index.php/z_tbl_user/update/119.
What I am afraid of is that a visitor could then change it to this: web.com/index.php/z_tbl_user/update/120.
To prevent this, I want to change it so that what the visitor sees is something like this: web.com/index.php/z_tbl_user/update/whscbscbxncbxn922.
So how do I change the 119 into some random letters? Is there any library or function? I googled, but I am still confused about how to implement it.
Thanks for the help.
#2

You could encrypt/decrypt the id. But my question is why would you want someone to be able to update a record but not another record and not mention that in the table (like, for example, updater_id or owner_id).
#3

Because it has a login system, and after login a user can only see his own data and edit his own data. But in the situation now, if his id is 15, he can update another person's data by changing the "id" at the end of the URL. He changes it to 16, and then what is shown is the data for id number 16. I am afraid this is dangerous, of course.
#4

You need to protect it with PHP code. Encrypting URL IDs is not the solution.

1. Get the ID from the URL
2. Check that the user has write/update access to that ID
3. Save or return access denied.
3.1 Ban users; there is no reason for them to change the ID (not in my application at least).
#5

(02-19-2018, 02:15 AM)kelapamuda Wrote: Because it has a login system, and after login a user can only see his own data and edit his own data. But in the situation now, if his id is 15, he can update another person's data by changing the "id" at the end of the URL. He changes it to 16, and then what is shown is the data for id number 16. I am afraid this is dangerous, of course.

That's exactly my point. If he can edit his own data only, why pass the id in the URL? You have the user id in the session data. And you retrieve that id from there when updating...
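The check described in posts #4 and #5, as an added example that is not part of the original thread: the id from the URL is compared against the logged-in user taken from the session before anything is saved. It is plain PHP with a constructed in-memory array standing in for the table; `update_record`, the `owner_id` column and the `user_id` session key are hypothetical names.

```php
<?php
// Added example, not from the thread: constructed data and hypothetical names.

// Stand-in for the z_tbl_user table, keyed by row id (constructed rows).
$table = [
    15 => ['id' => 15, 'owner_id' => 15, 'email' => 'a@example.test'],
    16 => ['id' => 16, 'owner_id' => 16, 'email' => 'b@example.test'],
];

/**
 * Steps 1-3 from the thread: take the id from the URL, check it against the
 * logged-in user from the session, then save or deny.
 * Returns [httpStatus, message].
 */
function update_record(array $session, string $urlId, array $input, array &$table): array
{
    if (empty($session['user_id'])) {
        return [401, 'login required'];
    }
    // The URL segment is untrusted: accept only plain decimal digits.
    if (!ctype_digit($urlId)) {
        return [400, 'bad id'];
    }
    $id = (int) $urlId;
    // Same answer for "no such row" and "not yours", so the response does
    // not reveal which ids exist.
    if (!isset($table[$id]) || $table[$id]['owner_id'] !== $session['user_id']) {
        // Logged so that repeated id tampering is visible (step 3.1).
        error_log("denied update: user {$session['user_id']} -> record $id");
        return [403, 'access denied'];
    }
    // Only allowlisted columns are writable; id and owner_id never are.
    $allowed = array_intersect_key($input, ['email' => true]);
    $table[$id] = array_merge($table[$id], $allowed);
    return [200, 'saved'];
}

$session = ['user_id' => 15];   // user 15 is logged in

// Own record: /update/15
[$status, $msg] = update_record($session, '15', ['email' => 'new@example.test'], $table);
echo "$status $msg\n";

// URL edited to /update/16, with an attempt to reassign ownership
[$status, $msg] = update_record($session, '16', ['owner_id' => 15], $table);
echo "$status $msg\n";
```

With this check in place the id in the URL can stay a plain number, because the decision depends on the session and the stored owner, not on the id being hard to guess.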
#6

I have to agree @Avenirer, that is nothing but a security hole in your application...
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#7

(02-19-2018, 01:03 AM)kelapamuda Wrote: If my website is: web.com/index.php/z_tbl_user/update/119.
What I am afraid of is that a visitor could then change it to this: web.com/index.php/z_tbl_user/update/120.
To prevent this, I want to change it so that what the visitor sees is something like this: web.com/index.php/z_tbl_user/update/whscbscbxncbxn922.
So how do I change the 119 into some random letters? Is there any library or function? I googled, but I am still confused about how to implement it.
Thanks for the help.

I think you just have to wrap the form in an if statement, for example (that's how I have it right now):

[Image: Capture.jpg]

And as a guy already said, if you have a function to ban users who are just changing their id to see if they can mess with somebody else... then do it... Make sure to put the form_submit and form_close before the else statement.
I do Front-End development most of the time 