Stuart Felenstein wrote:
I'm still confused over one aspect of URL parameters.
As far as a form passing data back to the server, I
understand about get, post and replace.

Here is my problem.
I have an update form. User is logged in to the
system and needs to update whatever information.
Right now I'm including in the link the user's ID, so
when they arrive at the update page, their record will
be displayed.
The problem is all one has to do is change the ID
number in the URL parameter in the update page and you
can go to someone else's record.

How do programmers generally get around this ? I must
be missing something.

How do you identify the user once they are logged in? There should be some way to relate the logged in user to valid records they can see. Then, if they request an invalid record, you can show them an error page. Hiding the ID isn't going to fix anything.


---John Holmes...

Amazon Wishlist:

php|architect: The Magazine for PHP Professionals –

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to