Home/ Questions/Q 6869133
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T03:31:12+00:00

With the URL Structure like http://www.site.com/user/1 , is it a security risk? For example

  • 0

With the URL Structure like http://www.site.com/user/1, is it a security risk?

For example like here http://stackoverflow.com/users/edit/1

Isn’t this a security breach. How can I avoid this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Please explain why you think it is a security breach.

    If you mean that a user can simply change the number to access another user’s edit page, yes they can. That can also be done with POST, the body can manually be altered (for example by creating a local html file that posts to your page, or by altering the body using a browser plugin).

    You should however use a check on every page, to see whether the currently logged on user has the right to perform the action(s) that are performed on that page.

    It can simply be done by:

    $userIdToEdit = $_GET['ID'];

if ($userIdToEdit != $_SESSION['loggedOnUserId'])
{
    redirect("/NotAllowed"); // Deny access to the page
}

// if we end up here, the user may perform this action, like store POSTed data in db

    However, while you have all flexibility you want, you might be repeating checks throughout pages. A solution to this would be using RBAC, where it would become like this:

    checkRole(EditOwnProfile); // only logged on users may do this, redirects to /NotAllowed if necessary

// and check for another role 
$userIdToEdit = $_GET['ID'];
if ($userIdToEdit != $_SESSION['loggedOnUserId'])
{
    checkRole(EditOtherProfile); // admins may do this for example
}
    • 0