So I have a question.
I have this project for school: a website with a form and a database. Basically, after successful form validation the input is inserted into the database, and after that the user is redirected using echo ‘script’ to a summary page which prints the inputted values.
So on the summary page there is a SQL query which uses a WHERE clause plus the ID stored in the URL by the GET method from the script. My question is: how can I prevent someone from changing the ID in the URL and reading input from other users?
I was thinking maybe a session could work, but I can't think of a reasonable solution. Thank you for your help.
2 Answers
Non-sequential ids would be a band-aid over the problem. But at heart, if you want the page to not be public, you need to require them to have a session that restricts what they can see. Crudely, you can simply return with the redirect a cookie containing the id they are allowed to see and a cryptographic signature that you can verify when they do the GET. Somewhat better is to have the cookie contain a session id, and store session information (the id they are allowed to see) in your database.
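The session-based variant of this answer in PHP, as an added example that is neither the asker's nor the answerer's code: the insert handler records the new row's id in the server-side session, and summary.php only serves the row whose id matches that session value, so editing `id` in the URL yields a 403 instead of another user's data. It assumes a PDO handle `$pdo` (e.g. from a `require`), a table `submissions` with integer primary key `id`, and that `session_start()` has already run in the form handler.

```php
<?php
// Assumption: $pdo is an open PDO connection; table `submissions(id, name, email)`.

// ---- Form handler: call right after the successful INSERT, then redirect ----
function rememberOwnedSubmission(PDO $pdo): int
{
    session_regenerate_id(true);                 // fresh session id after a state change
    $newId = (int) $pdo->lastInsertId();
    $_SESSION['allowed_submission_id'] = $newId; // authorization lives server-side, not in the URL
    return $newId;
}
// header('Location: summary.php?id=' . rememberOwnedSubmission($pdo), true, 303); exit;
// (an HTTP redirect instead of echo '<script>...'; the id in the URL is now only a hint)

// ---- summary.php: the session decides what may be shown, the URL does not ----
function requestedIdIsAllowed(?int $requested, array $session): bool
{
    $allowed = $session['allowed_submission_id'] ?? null;
    return $requested !== null && $allowed !== null && $requested === $allowed;
}

function loadOwnSubmission(PDO $pdo, ?int $requested, array $session): ?array
{
    if (!requestedIdIsAllowed($requested, $session)) {
        return null;                             // caller answers with 403
    }
    // Prepared statement: the id is bound, never concatenated into the SQL string.
    $stmt = $pdo->prepare('SELECT name, email FROM submissions WHERE id = :id');
    $stmt->execute([':id' => $requested]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
// FILTER_VALIDATE_INT gives an int, or null (missing) / false (not an integer).
$requested = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$row = loadOwnSubmission($pdo, is_int($requested) ? $requested : null, $_SESSION);
if ($row === null) {
    http_response_code(403);
    exit('You are not allowed to view this submission.');
}
foreach ($row as $field => $value) {
    // Escape on output so stored form input cannot inject HTML into the summary page.
    echo htmlspecialchars($field), ': ', htmlspecialchars((string) $value), '<br>';
}
```

If a user should be able to revisit several of their own submissions, store a list of ids (or a user id plus an ownership column on the table) in the session instead of a single value, and check membership the same way.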
You could do something like that: