[eluser]123wesweat[/eluser]
Hi,
I notice I only check whether a user is logged in, and then he can delete records from the education table, like /education/delete/userid/educationid.
But it's also possible to delete someone else's records if you have the right userid + educationid.
What would be good practice to prevent this?
Store a unique number in the education table?
Or check if the user_id equals URI segment x, and if true:
Code:
if ($user_id == $this->uri->segment(3))
{
    // can delete
} else {
    echo 'but why?';
}
Any tips or suggestions?
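
An added example, not part of the original post: one way to close the hole described above is to take the user id only from the server-side session and put the ownership check into the DELETE itself, so the URL carries just the education id. It is written in plain PHP with PDO and an in-memory SQLite table so it runs on its own; the function name `delete_education()`, the `school` column and the sample rows are assumptions made up for the illustration.

```php
<?php
// Constructed sample data: an in-memory SQLite table standing in for `education`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE education (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, school TEXT)');
$db->exec("INSERT INTO education (id, user_id, school) VALUES (10, 1, 'School A'), (11, 2, 'School B')");

/**
 * Delete one education record, but only if it belongs to the logged-in user.
 * $sessionUserId must come from the server-side session, never from the URL.
 * Returns true when a row was deleted, false when the id is invalid,
 * does not exist, or belongs to another user.
 */
function delete_education(PDO $db, $sessionUserId, $educationId)
{
    // Reject anything that is not a positive integer before it reaches the query.
    $educationId = filter_var($educationId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($educationId === false || !is_int($sessionUserId)) {
        return false;
    }
    // Ownership is enforced in the WHERE clause: another user's row never matches.
    $stmt = $db->prepare('DELETE FROM education WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $educationId, ':uid' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// Hypothetical requests: user 1 is logged in; the second argument is the id
// segment as it would arrive from /education/delete/<educationid>.
$loggedIn = 1;
var_dump(delete_education($db, $loggedIn, '11'));        // row 11 belongs to user 2
var_dump(delete_education($db, $loggedIn, '10'));        // user 1's own row
var_dump(delete_education($db, $loggedIn, '10 OR 1=1')); // not an integer
echo $db->query('SELECT COUNT(*) FROM education')->fetchColumn(), " row(s) left\n";
```

Because the caller gets the same `false` for a missing record and for someone else's record, the response does not reveal which education ids exist.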