Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Security question
Security question
  • El Forum
    Guest
  •  
#1
06-25-2008, 08:53 PM

[eluser]ericbae[/eluser]
Hello,

Just want to get some ideas on what would be the best way to implement this type of feature.

I have a website where users can post something, and I am trying to enable "delete post" using something like this

myapp.com/post/delete/postID/2

which would call the "Post" controller and its "delete" function to delete the post with its ID number "2".

But wouldn't anyone be able to type in the above URL to delete any posts?

Obviously, I'll have to put some user validation + authorization, but does CodeIgniter offer something I can use? or how should I hide such information? what is the best way?
  • El Forum
    Guest
  •  
#2
06-25-2008, 08:58 PM

[eluser]Aea[/eluser]
As long as you verify the user is "valid" for deleting said post (moderator, owner) you're "okay." The problem comes in people giving users that address to spoof them to deleting their own stuff, you can get around this problem by having a confirmation page, or sending the postID via POST (that way a simple url won't let a user delete something).




Theme © iAndrew 2016 - Forum software by © MyBB