I am having a problem in understanding the security issues with the following scenario.
I have a site that has user registration, and users can create events by logging in. If I am logged in as a user and I am at a URL like http://abc.com/index.php?page=edit&pageid=45, I see this page after logging in; otherwise it shows the login screen. But after I am logged in, if I change the URL from
http://abc.com/index.php?page=edit&pageid=45
to
http://abc.com/index.php?page=edit&pageid=567
I am able to edit that page, which is a security issue. How do I handle this? Is there a best way to handle any editing of the URL? Please guide me. Or how can I handle this via scripting, by checking something like the username and its association with the page IDs?
please guide me.
I was thinking of something like not showing the pageid variable in the URL and somehow passing it as a hidden value from page 1 to page 2, but I don't know exactly how to do this or whether it's a good solution at all.
Regards
I think it's fine passing the pageid in the URL. So the next thing is making sure the user can only edit their page. What I would do is save the user's ID in the table with the events. Then on the edit page, when you get the event's information, you can check the user ID (from the table) against the user ID of the person logged in.
Something like this
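The following is an added example of the ownership check the answer above describes; it is not the answerer's code and not code from the questioner's site. It uses PHP with PDO and an in-memory SQLite table so it runs stand-alone; the table and column names (`events`, `owner_user_id`), the sample rows, and the function names are assumptions.

```php
<?php
// Added example (not the forum poster's code). Demonstrates the check described
// in the answer: an event can only be edited by the user who owns it.
// Table/column names (events, owner_user_id) and function names are assumptions.

function openDemoDb(): PDO {
    // In-memory SQLite so the example runs by itself; a real site uses its own DB.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, owner_user_id INTEGER NOT NULL, title TEXT NOT NULL)');
    // Constructed sample rows: page 45 belongs to user 7, page 567 belongs to user 9.
    $ins = $pdo->prepare('INSERT INTO events (id, owner_user_id, title) VALUES (?, ?, ?)');
    $ins->execute([45, 7, 'Team meetup']);
    $ins->execute([567, 9, 'Another user event']);
    return $pdo;
}

// Fetch the event only if it belongs to the logged-in user. Putting the owner
// condition in the SQL itself means there is no code path that loads a row and
// then forgets to compare the owner afterwards.
function loadEditableEvent(PDO $pdo, int $pageId, int $currentUserId): ?array {
    $stmt = $pdo->prepare('SELECT id, owner_user_id, title FROM events WHERE id = ? AND owner_user_id = ?');
    $stmt->execute([$pageId, $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the edit handler would do for ?page=edit&pageid=N. Returns an HTTP-style
// status and body so the behaviour is visible without a web server.
function handleEditRequest(PDO $pdo, array $query, ?int $sessionUserId): array {
    if ($sessionUserId === null) {
        return ['status' => 302, 'body' => 'redirect to login'];
    }
    // Validate the parameter as an integer instead of trusting the raw string.
    $pageId = filter_var($query['pageid'] ?? '', FILTER_VALIDATE_INT);
    if ($pageId === false) {
        return ['status' => 400, 'body' => 'bad pageid'];
    }
    $event = loadEditableEvent($pdo, $pageId, $sessionUserId);
    if ($event === null) {
        // Same response whether the event does not exist or belongs to someone
        // else, so the URL parameter does not reveal which ids exist.
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => 'editing: ' . $event['title']];
}

$pdo = openDemoDb();
$userId = 7; // in a real site this comes from $_SESSION after login, never from the URL

foreach (['45', '567', 'abc'] as $pageId) {
    $r = handleEditRequest($pdo, ['page' => 'edit', 'pageid' => $pageId], $userId);
    printf("pageid=%s -> %d %s\n", $pageId, $r['status'], $r['body']);
}
```

The user ID used in the check must come from the server-side session, not from anything in the request. Moving pageid into a hidden form field, as the question considers, does not help on its own, because a hidden field can be changed just as easily as a query string; what protects the page is the ownership condition in the query. Returning 404 for both "missing" and "not yours" is a design choice; a 403 is also common, it just confirms that the id exists.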