user2223224
Reputation: 107
Logic to prevent unauthorized change in CRUD in PHP?
I'm trying to model a PHP in CRUD and am wondering what is the best method to check the user's authorization so they can only edit their own content?
For example:
abc.com/post/delete.php?id=3
How do I prevent a logged in user from editing someone else's post?
My current method is:
- Store User ID in session after successful logged in
- When requesting DELETE method, load User_ID from session
- Query = DELETE FROM posts WHERE user_id = $user_id AND id = 3
In this way, if a user can modify the ID parameter, they cannot manipulate the stored session variable user_id.
Is this the correct method?
Upvotes: 1
Views: 201
Answers (1)
Filippo oretti
Reputation: 49843
i suggest to use your logic but i usually store user id + access token
Access token is an hash for example sha256(username+lastname+registered_datetime); and i put it to cookie
So you'll have an extra security field , just check if auth token is ok also when user logs
Upvotes: 1
Related Questions
- Laravel validate passed data and prevent user changes
- How to prevent Mysql database from being changed/updated/deleted?
- Codeigniter - How to prevent user from accessing data by entering random ID or Code
- Restrict user from unauthorized access
- Protecting against record ID manipulation
- How to secure UPDATE action in CakePHP?
- PHP - Prevent client from tampering the ID of a form
- How to not allow people manually changing html form code and submit
- cakePHP and authorization for CRUD operations
- how to prevent user to changing/deleting other user data