
just thought of a potential problem...

Status
Not open for further replies.

imstillatwork

IS-IT--Management
Sep 26, 2001
1,605
US
After a user logs on, I generally save the userid from the database to a cookie to track the user. So if a user modifies something that belongs to him/her, it might look like UPDATE ... WHERE userid = userid in cookie

What is stopping anyone from faking / altering a cookie after it's set on their machine?

What's a good practice to avoid this problem?

 
Don't use cookies. Use sessions.

If you don't ask the right questions, you don't get the right answers. A question asked in the right way often points to its own answer. Asking questions is the ABC of diagnosis. Only the inquiring mind solves problems.

-Quote by Edward Hodnett
 
I agree with bombboy that you should use session information in your queries, and only set the session information once you've verified a user/password combination.

If you really need to store the user info in a cookie, store the password info as well, and make it a practice to always verify the validity of the user/password info before running a query. That way, if they do alter their cookie info, they'll still have to know the password of the account they're trying to access.
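Added example (not code from the thread): the UPDATE from the question with the userid taken straight from the cookie, side by side with the session approach the replies recommend. The cookie in the session version carries only a random, unguessable session ID; the userid is looked up server-side from a store that is written only after the password has been verified. The table layout, the in-memory dict standing in for a session store, and the PBKDF2 password hashing are assumptions made for the example; the thread does not specify any of them.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Dict, Optional

# Constructed sample users for the demo (not data from the thread).
SAMPLE_USERS = [
    (1, "alice", "correct horse", "alice@example.com"),
    (2, "bob", "battery staple", "bob@example.com"),
]


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme: salted PBKDF2-SHA256 (the thread names none).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with the two sample users."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT, "
        "salt BLOB, pwhash BLOB, email TEXT)"
    )
    for uid, name, password, email in SAMPLE_USERS:
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (uid, name, salt, _hash_password(password, salt), email))
    db.commit()
    return db


def email_of(db: sqlite3.Connection, uid: int) -> str:
    return db.execute("SELECT email FROM users WHERE userid = ?", (uid,)).fetchone()[0]


# --- The pattern from the question: the cookie itself holds the userid. ---
def update_email_cookie_userid(db: sqlite3.Connection, cookies: Dict[str, str],
                               new_email: str) -> None:
    # Whoever edits their cookie to "userid=2" rewrites Bob's row; nothing here
    # can tell a genuine cookie from a forged one.
    db.execute("UPDATE users SET email = ? WHERE userid = ?",
               (new_email, int(cookies["userid"])))
    db.commit()


# --- Session approach: the cookie carries only an opaque session ID. ---
# Stand-in for a server-side session store (would be a DB table or cache).
SESSIONS: Dict[str, int] = {}


def login(db: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Verify the password; only on success create a session and return its ID."""
    row = db.execute("SELECT userid, salt, pwhash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return None
    uid, salt, pwhash = row
    if not hmac.compare_digest(_hash_password(password, salt), pwhash):
        return None
    sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable or forgeable
    SESSIONS[sid] = uid
    return sid


def logout(cookies: Dict[str, str]) -> None:
    SESSIONS.pop(cookies.get("sid", ""), None)


def current_userid(cookies: Dict[str, str]) -> Optional[int]:
    # The userid comes from the server-side store, never from the client.
    return SESSIONS.get(cookies.get("sid", ""))


def update_email_session(db: sqlite3.Connection, cookies: Dict[str, str],
                         new_email: str) -> bool:
    uid = current_userid(cookies)
    if uid is None:
        return False                  # no valid session: refuse, do not guess
    db.execute("UPDATE users SET email = ? WHERE userid = ?", (new_email, uid))
    db.commit()
    return True


if __name__ == "__main__":
    db = make_db()
    update_email_cookie_userid(db, {"userid": "2"}, "attacker@example.com")
    print("forged cookie changed bob's email:", email_of(db, 2))

    db = make_db()
    sid = login(db, "alice", "correct horse")
    # A tampered session ID, plus a bogus userid cookie that is simply ignored.
    print("forged session accepted:",
          update_email_session(db, {"sid": sid + "x", "userid": "2"}, "attacker@example.com"))
    print("bob's email still:", email_of(db, 2))
```

The UPDATE statement is the same in both versions; what changes is where the value bound to `userid` comes from. With the session version there is nothing in the cookie worth editing, and a session can be invalidated server-side with `logout`, which a self-describing cookie cannot be.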
 