Sending ID in URL

Status
Not open for further replies.

d0nny

IS-IT--Management
Dec 18, 2005
I want to try and learn the different methods of editing records in my database as I feel the current method is slightly insecure.

Currently, I list all the records I have and wrap one of the fields with an edit link using the record ID.
The issue is I send the ID through the URL, so my link will look like this:
Code:
<a href='editusers.php?id=$row[0]'>Edit</a>
And my URL would look like this:
Code:
http://www.blah.co.uk/admin/editusers.php?id=8
I suppose the issue with this is that a user could simply change the ID in the URL and possibly pick up another user.

So my question is, is there a more secure way of sending data for editing where the end user doesn't have sight of the ID of the record to be edited?
 
Hi

Is that link for regular users to edit their own profile? If yes, there should be no parameter. You store the ID in the session when the user logs in, then edit the profile according to that stored ID.

Feherke.
 
d0nny, I know we're talking about this offline too, but should I give up on you for the UI of the user management and holiday management programs? I see that you've probably moved on.

Either of these would most likely have shown you the answer to the above question, and Feherke answers it as I would have.

For editing other records, you must let the user change all parameters as they like; but always validate their choice at the server. Always check whether a user has the necessary _rights_ to perform an _action_. This is what a full function user (and role) management application does for you. For example, in the script I am (slowly) writing you would say something like

Code:
if ($activeUser->canEdit('user', $userID)){
 //show edit form
} else {
 echo "You are not authorised to perform that action";
}
 

This issue relates to a system I have developed (very crudely) that basically pulls in a different menu include for different users. I got the solution on this board and I know it's not ideal in terms of a full role management system, but it does the job for me.

So, there are a couple of users who I consider ADMIN users and have access to an ADMIN menu which includes a link to list and edit users. So these admin users have access to all other users and can edit them as they like.

jpadie - I know we have discussed this offline and I am still VERY interested in your system, both for a more definitive role management system and also the holiday system (which I still haven't sorted out yet).

 
However you dress it up, though, for every action that you allow a user to make on the server you must:

1. authenticate the user; and
2. validate the user's authorisation.

Whether you do it with some abstraction layer like mine or through a 'cruder' method is irrelevant: that's what you've got to do!
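A PHP sketch of those two steps applied to the thread's editusers.php, added here as an example (it is not code from any poster). It keeps the id in the URL, as d0nny does, but treats it as untrusted input and decides server-side whether the logged-in user may edit that record; it assumes a db.php that defines a PDO handle $db and a users table with id, username and role columns.

```php
<?php
// Added example, not from the thread. Assumptions: db.php defines a PDO
// handle $db; table `users` has columns id, username, role.
require_once 'db.php';
session_start();

// 1. Authenticate: identity comes from the session set at login, never from
//    anything the request carries.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}
$activeUserId = (int) $_SESSION['user_id'];

// The requested record id is untrusted input: accept only a positive integer.
$targetId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($targetId === false || $targetId === null) {
    http_response_code(400);
    exit('Invalid record id');
}

// 2. Authorise: read the caller's role from the database, not the request,
//    and decide whether this caller may edit this particular record.
function canEditUser(PDO $db, int $activeUserId, int $targetId): bool
{
    $stmt = $db->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$activeUserId]);
    $role = $stmt->fetchColumn();
    if ($role === false) {
        return false; // session refers to a user that no longer exists
    }
    return $role === 'admin' || $activeUserId === $targetId;
}
if (!canEditUser($db, $activeUserId, $targetId)) {
    // Checked before the record is loaded, so the reply does not reveal
    // whether the requested id exists.
    http_response_code(403);
    exit('You are not authorised to perform that action');
}

$stmt = $db->prepare('SELECT id, username, role FROM users WHERE id = ?');
$stmt->execute([$targetId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('No such user');
}
// Render the edit form for $row here; the POST handler that saves changes
// must repeat steps 1 and 2 rather than trust hidden form fields.
```

The same canEditUser() check belongs in the listing page that builds the edit links, so non-admins never see links to records they cannot edit.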
 
One thought as a quick fix for you. Have you considered using WordPress to manage your site? If you did then you could use its user and role management applications and then just add your pages into the site or the site admin. Very rapid development that way, and totally flexible. I find that WP has the shallowest learning curve too.
 