I’ve been working on a problem most of the day. I need a little help. Here is the situation followed by my solution.
I have a page to modify existing entries in the database. I’m using a hyperlink to open these entries up to be modified. Since POST data cannot be transferred from one page to another through a hyperlink, I am using the GET method instead. Works like a charm. Today, however, I realized that anyone can change the ‘id’ in the URL (Example http://domainname.com/update.php?id=346) with a different id and pull up the data (and modify that data) without any problem. All users are required to log in but this makes no difference with the GET method.
SO… my solution was to compare the $_SESSION['user_id'] to the user id of the person who made the entry. If they don’t match then I would end the script and kick them back to the index page. Sounds simple enough. Here is my code that is not working and I can’t really figure out why. Any help would be great.
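// $user_uid: author of the entry; $userid: the currently logged-in user
if ($user_uid != $userid) {
    // Debug output to see whether the two values match
    echo $userid;
    echo $user_uid;
    echo "you do not have permission to modify this record";
    exit();
}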
I have the two variables echoed out so I can see if they match or not. I have tried all sorts of different combinations and sometimes it works and sometimes it doesn’t; there seems to be no rhyme or reason to it. Any help would be appreciated.
And anyone can change the value of a $_POST variable. I wouldn’t trust anything coming from a user. This sounds like an XY problem. The whole logic is just bad. In order to get whatever you want to “work”, you have to think about the logic first before you start coding. The main problem for you is that you are allowing anyone to go into those pages without having the right credentials; they only need to be logged in. The solution is to check whether or not the current user is the author of the post. Not the current author of the $_POST variable. If they are the original author of the actual post, then they are allowed to modify whatever that page is. If they aren’t the author, then redirect them back to the index page.
Actually, that is the intent. I didn’t put it clearly enough.
How would I go about doing this? The code I posted compares the author of the post ($user_uid) with the current user ($userid). I somehow feel that the code I’m using is inadequate but I haven’t been able to find anything that will show me how to do it, or I’m just not looking hard enough. I only ask for help if I really need it, so, believe me when I say that any help given is very appreciated.
Figured it out. Sloppy code a while back put a space after the user ID, so it was finding that some of the user IDs that were the same were actually different.
I discovered something else called strcmp(). Works great.
You’ve got it right about sloppy code. But the rest is incorrect. Again, the original author shouldn’t be coming from a $_POST variable. This can be modified. For instance, if the author has the ID of 1 and submits the form, it’ll go through. What if you changed the value from 1 to say 5 to match the current ID? He will be able to go through this flawed logic. Again, this is incorrect which is what I am telling you. You should be comparing it with the original author’s ID from the database.
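The ownership check discussed in this thread, as an added example that is not code from any of the posters: the entry's owner is read from the database row and compared with the session user, and the UPDATE repeats the ownership condition. The table `entries`, its `user_id` column, and the function names `loadOwnedEntry` and `updateOwnedEntry` are assumptions; the rows are constructed sample data in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)');
$pdo->exec("INSERT INTO entries (id, user_id, body) VALUES (346, 1, 'first entry'), (347, 5, 'second entry')");

/** Hypothetical helper: return the entry only if the logged-in user owns it, else null. */
function loadOwnedEntry(PDO $pdo, $rawId, $sessionUserId): ?array
{
    // The id comes from the URL, so validate it as an integer before use.
    $id  = filter_var($rawId, FILTER_VALIDATE_INT);
    $uid = filter_var($sessionUserId, FILTER_VALIDATE_INT); // trims stray whitespace too
    if ($id === false || $uid === false) {
        return null;
    }
    // The owner is taken from the stored row, never from GET or POST data.
    $stmt = $pdo->prepare('SELECT id, user_id, body FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['user_id'] !== $uid) {
        return null; // same result for "no such entry" and "not your entry"
    }
    return $row;
}

/** Hypothetical helper: the write repeats the ownership condition in its WHERE clause. */
function updateOwnedEntry(PDO $pdo, int $id, int $uid, string $body): bool
{
    $stmt = $pdo->prepare('UPDATE entries SET body = :body WHERE id = :id AND user_id = :uid');
    $stmt->execute([':body' => $body, ':id' => $id, ':uid' => $uid]);
    return $stmt->rowCount() === 1;
}

// Constructed requests: the session holds user 1 with a trailing space, as in the thread.
$sessionUserId = '1 ';
var_dump(loadOwnedEntry($pdo, '346', $sessionUserId) !== null); // entry owned by user 1
var_dump(loadOwnedEntry($pdo, '347', $sessionUserId) !== null); // entry owned by user 5
var_dump(updateOwnedEntry($pdo, 346, 1, 'edited by owner'));
var_dump(updateOwnedEntry($pdo, 347, 1, 'edited by someone else'));
```

In update.php the call would be `loadOwnedEntry($pdo, $_GET['id'] ?? null, $_SESSION['user_id'] ?? null)`, redirecting to the index page when it returns null.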