Best way to prevent logged in users from messing with ID passed in query strings?
#1

[eluser]jleequeen[/eluser]
Hello,

I'm looking for the best way to keep a logged in user from messing with query strings. For example, let's say I have an editable form where a user can update his application settings. So the URL is:

http://www.domain.com/settings/edit/id

How do I prevent a logged in user from just manually entering another users id and having access to their settings? I'm sure this is probably a stupid question, but I would like to know how others prevent this sort of thing. I thought about putting a check in either the controller or model that checks against the session to make sure the logged in ID is the one that is trying to make the update, but I'm not sure what the best way is. Sorry if I am not explaining it very well. Any help would be greatly appreciated.

Thanks.
#2

[eluser]Jeroen Brussich[/eluser]
I assume users have to log in to edit their settings?
And you use sessions to check whether the user is logged in?

If so, load the correct form (or update the correct row, or whatever) based on the user_id in the session and just remove the id from the uri: http://www.domain.com/settings/edit/
#3

[eluser]jleequeen[/eluser]
I was working on something similar to that. My only problem with that is, I have a regular user, and then an admin user. The admin would need to be able to edit the users' settings as well. So, obviously when the user logs in, I can grab his id in the session. But when an admin user logs in, I would need some way to get the initial user id to edit and put that into the session, wouldn't I?
#4

[eluser]Colin Williams[/eluser]
Some pseudo code:

Code:
/**
 * Setting access
 *
 * Returns TRUE if user can edit settings.
 * $id is the user id taken from the URI segment, so it is cast
 * before comparing; never trust it on its own.
 */
function setting_access($user, $id)
{
  // Variant 1: one master account, plus the owner of the record
  return $user->uid == MASTER_USER_ID or (int) $user->uid === (int) $id;
}

/**
 * Same check, assuming the user object carries a roles array
 */
function setting_access_by_role($user, $id)
{
  return in_array('admin', $user->roles) or (int) $user->uid === (int) $id;
}

It's just simple logic. No need to overthink it.
#5

[eluser]attos[/eluser]
My personal opinion is not to trust the client (the browser in this case). What I do is to keep the id in the session. When the user successfully logs in I set the id in the session (BTW I use database sessions) and retrieve it for every request.
I do not allow users to change their id. It's an auto-generated database field value. I see no reason to change it. What can be used is a username. This can be changed as long as it's not taken by somebody else.
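As an added example (not code from any poster in this thread), here is the session-based approach from the last two posts carried through for both cases raised above: a regular user may only ever edit their own record, while an admin may name another user in the URI. The session keys, the roles array and the known-user list are constructed assumptions, not CodeIgniter's actual API.

```php
<?php
// Added example: decide whose settings a request may edit, treating the
// session (server side) as the source of truth and the URI id segment as
// untrusted input. Session layout and user list are assumed/constructed.

/**
 * Returns the user id whose settings may be edited, or null to deny.
 *
 * - A regular user always edits their own record; a URI id naming anyone
 *   else is refused outright rather than silently redirected.
 * - An admin may name any existing user via the URI; with no id given,
 *   the admin edits their own settings.
 */
function resolve_settings_owner(array $session, ?string $uri_id, array $known_users): ?int
{
    if (empty($session['user_id'])) {
        return null;                       // not logged in
    }
    $self     = (int) $session['user_id'];
    $is_admin = in_array('admin', $session['roles'] ?? [], true);

    if ($uri_id === null || $uri_id === '') {
        return $self;                      // no id in URI: always the own record
    }
    if (!ctype_digit($uri_id)) {
        return null;                       // malformed segment, e.g. "7a"
    }
    $target = (int) $uri_id;

    if ($target === $self) {
        return $self;
    }
    if ($is_admin && in_array($target, $known_users, true)) {
        return $target;                    // admin editing an existing user
    }
    return null;                           // id does not belong to the caller: deny (worth logging)
}

// Constructed sample data standing in for the session store and users table.
$users = [7, 12, 42];
$alice = ['user_id' => 7,  'roles' => ['user']];
$admin = ['user_id' => 42, 'roles' => ['admin']];

foreach ([[$alice, null], [$alice, '12'], [$admin, '12'], [$admin, '99'], [$alice, '7a']] as [$sess, $id]) {
    $owner = resolve_settings_owner($sess, $id, $users);
    printf("uid=%d uri=%s -> %s\n", $sess['user_id'], $id ?? '(none)', $owner === null ? 'DENY' : "edit $owner");
}
```

A denied result for a logged-in user whose session id differs from the URI id is the tampering case from the first post, and is a useful event to record in the application log.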
#6

[eluser]Jeroen Brussich[/eluser]
I second that: never ever trust the user.
Like Terry Pratchett said on April 23, 2001
Quote: Some humans would do anything to see if it was possible to do it. If you put a large switch in some cave somewhere, with a sign on it saying "End-of-the-World Switch. PLEASE DO NOT TOUCH," the paint wouldn't even have time to dry.