Reputation: 187
I'm making an update page where users can edit their business cards' information, like phone, address... The problem is, I'm getting their cards' id this way:

<a href="update.php?id=<?php echo $record['id']; ?>" class="btn btn-success" role="button">Edit</a>

so they can see their card id in the search bar, and if they simply change the id, they can edit anyone's card information. I wanted to check if the user's id equals his card's userid (this is a foreign key in the database) and, if not, redirect him to the index page. The problem is, I'm still allowed to edit anyone's card because the userid doesn't change.

My update code:
session_start();
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'reg');

/* Attempt to connect to MySQL database */
$mysqli = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if ($mysqli === false) {
    die("HIBA: Nem sikerült csatlakozni. " . mysqli_connect_error());
}

$id = $_GET['id'];
var_dump($_SESSION);

if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    $phone = $_POST['phone'];
    $phone2 = $_POST['phone2'];
    $email = $_POST['email'];
    $zipcode = $_POST['zipcode'];
    $address = $_POST['address'];
    $job = $_POST['job'];
    $description = $_POST['description'];
    $userid = $_SESSION['id'];

    // This comparison can never fail: $userid was just assigned from
    // $_SESSION['id'], so both sides always hold the same value.
    if ($_SESSION['id'] != $userid) {
        header("Location: index.php");
        exit;
    }

    // The statement has eleven placeholders, so eleven values must be bound;
    // $id (for WHERE id = ?) was missing from the original bind_param call.
    // $visibility and $confirmed are never assigned above and are bound as NULL.
    $stmt = $mysqli->prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
    if (
        $stmt &&
        $stmt->bind_param('ssssisssiii', $name, $phone, $phone2, $email, $zipcode, $address, $job, $description, $visibility, $confirmed, $id) &&
        $stmt->execute()
    ) {
        echo 'Updated';
    } else {
        echo $mysqli->error;
    }
}

// Load the card named in the URL to pre-fill the form
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
    $getstmt->bind_param('i', $id) and
    $getstmt->execute() and
    $result = $getstmt->get_result() and
    $row = $result->fetch_assoc()
) {
    $name = $row['name'];
    $phone = $row['phone'];
    $phone2 = $row['phone2'];
    $email = $row['email'];
    $zipcode = $row['zipcode'];
    $address = $row['address'];
    $job = $row['job'];
    $description = $row['description'];
}
My database (users):

id | username | password | created    | admin
---|----------|----------|------------|------
1  | John     | 112      | 2020-12-23 | 2435

cards:

id | name | phone | phone2 | email             | zipcode | address  | job  | description | visibility | userid
---|------|-------|--------|-------------------|---------|----------|------|-------------|------------|-------
1  | John | 112   | 233    | [email protected] | 2435    | dfdf 34. | test | uzlh        | 0          | 1
Upvotes: 0
Views: 42
Reputation: 2321
You are trying to match $userid with $_SESSION['id']; both of these variables point to the same value. Use $_GET['id'] instead of $userid:

if ($_SESSION['id'] != $_GET['id']) {
    header("Location: index.php");
    exit();
}
Upvotes: 0
Reputation: 442
Something like that:

$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
    $getstmt->bind_param('i', $id) and
    $getstmt->execute() and
    $result = $getstmt->get_result() and
    $row = $result->fetch_assoc()
) {
    // Only pre-fill the form when the card's owner is the logged-in user
    if ($row['userid'] == $_SESSION['id']) {
        $name = $row['name'];
        $phone = $row['phone'];
        $phone2 = $row['phone2'];
        $email = $row['email'];
        $zipcode = $row['zipcode'];
        $address = $row['address'];
        $job = $row['job'];
        $description = $row['description'];
    } else {
        header("Location: index.php");
        exit;
    }
}
Upvotes: 1
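The ownership check from the answer above, applied to both the read path (pre-filling the form) and the write path (the UPDATE itself), as an added example that is not code from the question or either answer. It goes one step beyond the answers: the UPDATE is scoped with WHERE id = ? AND userid = ?, so a tampered ?id= in the URL changes zero rows even if the read-time check were skipped. To run stand-alone it uses PDO with an in-memory SQLite database instead of the question's mysqli connection; the same prepared statements work unchanged against MySQL. The table and column names follow the question's schema, the two sample rows and the function names (make_demo_db, load_own_card, update_own_card) are constructed for this example.

```php
<?php
// Added example: ownership-scoped read and update for the cards table.
// Assumptions: PDO with the sqlite driver is available; the schema mirrors the
// question's cards/users tables; sample rows and function names are constructed.

declare(strict_types=1);

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
    $pdo->exec('CREATE TABLE cards (
        id INTEGER PRIMARY KEY, name TEXT, phone TEXT, phone2 TEXT, email TEXT,
        zipcode INTEGER, address TEXT, job TEXT, description TEXT,
        visibility INTEGER, userid INTEGER REFERENCES users(id))');
    // Constructed sample data: two users, each owning one card.
    $pdo->exec("INSERT INTO users VALUES (1, 'John'), (2, 'Mallory')");
    $pdo->exec("INSERT INTO cards VALUES
        (1, 'John', '112', '233', 'john@example.com', 2435, 'dfdf 34.', 'test', 'uzlh', 0, 1),
        (2, 'Mallory', '555', '', 'mallory@example.com', 1000, 'x', 'y', 'z', 0, 2)");
    return $pdo;
}

// Fetch the card only if it belongs to the logged-in user. Returning null for a
// card the user does not own lets the caller redirect to index.php without
// revealing whether that id exists at all.
function load_own_card(PDO $pdo, int $cardId, int $sessionUserId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM cards WHERE id = ? AND userid = ?');
    $stmt->execute([$cardId, $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same ownership rule on the write path: the UPDATE is restricted to rows
// owned by the session user, so the id taken from the URL alone can never
// select another user's card. Returns the number of rows actually changed.
function update_own_card(PDO $pdo, int $cardId, int $sessionUserId, array $f): int
{
    $stmt = $pdo->prepare(
        'UPDATE cards SET name = ?, phone = ?, phone2 = ?, email = ?, zipcode = ?,
                address = ?, job = ?, description = ?
         WHERE id = ? AND userid = ?'
    );
    $stmt->execute([
        $f['name'], $f['phone'], $f['phone2'], $f['email'], $f['zipcode'],
        $f['address'], $f['job'], $f['description'],
        $cardId, $sessionUserId,
    ]);
    return $stmt->rowCount();
}

$pdo = make_demo_db();
$fields = [
    'name' => 'Changed', 'phone' => '999', 'phone2' => '', 'email' => 'c@example.com',
    'zipcode' => 1, 'address' => 'a', 'job' => 'b', 'description' => 'c',
];

// User 1 (session id 1) edits their own card, id 1.
var_dump(update_own_card($pdo, 1, 1, $fields));
// User 2 (session id 2) submits the form with the URL changed to ?id=1.
var_dump(update_own_card($pdo, 1, 2, $fields));
// The pre-fill read for user 2 on card 1 yields nothing, so the page redirects.
var_dump(load_own_card($pdo, 1, 2));
// Card 1 still carries only user 1's edit.
var_dump(load_own_card($pdo, 1, 1)['name']);
```

Run with php on the command line: the first update reports one affected row, the second reports zero, the read by the wrong user returns null, and card 1's name is the value user 1 submitted. In the real update.php the two integers come from (int)$_GET['id'] and (int)$_SESSION['id'] (after session_start()), and a null from load_own_card or a zero row count from update_own_card is the signal to send the Location header and exit.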