Hi,
I have to write a secure update-record PHP script. Here are the complete details of the website:
the website has a login system that authenticates the user, writes the session ID for the username and goes on.
The user can post and read msgs; he can also update the msgs that he had posted in the past once he is logged in.
When the user tries to update the msg, the script checks the MySQL DB with
select * from Msg where username = session ID
Suppose the recordset returns msg numbers 1, 3, 5, 7, 9 for that particular username.
I pass the user to a page ...update.php?msg_id=1 and the user can update the stuff.
Everything is working fine.
Problem
What if the user changes the URL to ...update.php?msg_id=2?
He can still update the record. What to do? He has not posted msg id 2.
What sort of method or code should I use to restrict him to the msgs that he posted?
If you feel that I am using a bad method or my database structure should have a new field, please let me know, coz I can still make changes in the DB structure as well as my scripts; we are in the somewhat initial stage of the development of the product.
Regards
Jaunty Edward
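
One way to enforce the restriction asked about above, as an added example that is not part of the original post: the ownership test goes into the UPDATE statement itself, so a changed msg_id in the URL matches no row. The column names (msg_id, username, body), the $_SESSION['username'] key and the helper updateOwnMessage() are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Assumed schema: Msg(msg_id, username, body).
// SQLite in memory stands in for the MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Msg (msg_id INTEGER PRIMARY KEY, username TEXT NOT NULL, body TEXT NOT NULL)');
// Constructed sample rows: alice owns 1 and 3, bob owns 2.
$pdo->exec("INSERT INTO Msg (msg_id, username, body)
            VALUES (1, 'alice', 'first'), (2, 'bob', 'second'), (3, 'alice', 'third')");

/**
 * Hypothetical helper: update a message only if it belongs to $owner.
 * $owner must come from the server-side session, never from the request.
 * Returns true when exactly one row owned by $owner was changed.
 */
function updateOwnMessage(PDO $pdo, string $owner, $rawMsgId, string $newBody): bool
{
    // msg_id arrives in the URL, so treat it as untrusted input.
    $msgId = filter_var($rawMsgId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($msgId === false) {
        return false;
    }
    // Ownership is part of the WHERE clause: a foreign msg_id matches no row.
    // Bound parameters also keep the URL value out of the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE Msg SET body = :body WHERE msg_id = :id AND username = :owner'
    );
    $stmt->execute([':body' => $newBody, ':id' => $msgId, ':owner' => $owner]);
    // On MySQL, rowCount() counts changed rows, so saving identical text gives 0
    // unless the connection sets PDO::MYSQL_ATTR_FOUND_ROWS.
    return $stmt->rowCount() === 1;
}

// In update.php the inputs would be (assumed names):
//   $owner = $_SESSION['username'];  $rawId = $_GET['msg_id'] ?? null;
$owner = 'alice'; // stands in for the logged-in user taken from the session
foreach (['1', '2', 'abc'] as $rawId) {
    $ok = updateOwnMessage($pdo, $owner, $rawId, 'edited by alice');
    // A real page would answer 403 or 404 on failure instead of printing.
    printf("msg_id=%s -> %s\n", $rawId, $ok ? 'updated' : 'refused');
}
// Print bob's row to see whether the request for msg_id=2 touched it.
echo $pdo->query('SELECT body FROM Msg WHERE msg_id = 2')->fetchColumn(), "\n";
```

The same username condition belongs in the SELECT that loads the message into the edit form, so the page refuses to display a message the user does not own.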