update form, security issue

  • Jaunty Edward

    update form, security issue

    Hi,
    I have to write a secure update-record PHP script; here are the complete
    details of the website.

    The website has a login system that authenticates the user, writes the
    session ID for the username and goes on.

    The user can post and read msgs; he can also update the msgs that he had
    posted in the past once he is logged in.

    When the user tries to update the msg, the script checks the MySQL DB with

    select * from Msg where username = session ID

    Suppose the recordset returns msg numbers 1,3,5,7,9 with that particular
    username.
    I pass the user to a page ...update.php?msg_id=1 and the user can update
    the stuff.

    Everything is working fine.

    Problem

    What if the user changes the URL to ...update.php?msg_id=2?

    He can still update the record; what to do, he has not posted msg id 2.
    What sort of method or code should I use to restrict him to the msgs that
    he posted?

    If you feel that I am using a bad method or my database structure should
    have a new field, please let me know because I can still make changes in
    the DB structure as well as my scripts; we are in the somewhat initial
    stage of the development of the product.

    Regards
    Jaunty Edward
  • Gordon Burditt

    #2
    Re: update form, security issue

    >The website has a login system that authenticates the user, writes the
    >session ID for the username and goes on.
    >
    >The user can post and read msgs; he can also update the msgs that he had
    >posted in the past once he is logged in.
    >
    >When the user tries to update the msg, the script checks the MySQL DB with
    >
    >select * from Msg where username = session ID
    >
    >Suppose the recordset returns msg numbers 1,3,5,7,9 with that particular
    >username.
    >I pass the user to a page ...update.php?msg_id=1 and the user can update
    >the stuff.
    >
    >Everything is working fine.
    >
    >Problem
    >
    >What if the user changes the URL to ...update.php?msg_id=2?

    You need to check that the user has privileges to do what he's
    asking before doing it (and most likely, ON THE SAME PAGE SUBMIT
    as he's asking to do it). Remember that anything that comes from
    the browser can be faked. Also, things may have changed since then:
    you don't want the user editing a message which has already been
    deleted by the moderator.

    You may want to protect against two people editing the record and
    stomping on each other's changes: if the ORIGINAL values for the
    record (which you put on the form in hidden fields) don't match the
    values in the record at the time the change is submitted, then the
    record changed while it was being edited, and (depending on what
    and how it changed) you may have to reject the change.
    >He can still update the record; what to do, he has not posted msg id 2.
    >What sort of method or code should I use to restrict him to the msgs that
    >he posted?

    There are a couple of possibilities. One is to put the qualifier
    "WHERE username = sessionID" on all queries that make changes so he can't
    touch records that aren't his. Another is to get the username and compare
    it (in PHP) before making the change. It may seem redundant doing that
    checking on two different pages, but it's not.

    Gordon L. Burditt
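    The two checks Gordon describes (ownership enforced in the UPDATE's own WHERE clause on the same submit, and rejecting the change when the record no longer matches the values the form was loaded with) can be combined in one statement. The following is an added example, not code from either poster; the table `Msg(msg_id, username, body)`, the session key `username`, the hidden field `orig_body` and the PDO connection details are assumptions.

    ```php
    <?php
    // Added example (not from the thread). Updates a message only if it belongs to
    // the logged-in user AND its body still equals the value the form was loaded
    // with (carried back in a hidden field), both enforced inside the UPDATE.
    // Assumed schema: Msg(msg_id, username, body); assumed session key 'username'.
    session_start();
    if (empty($_SESSION['username'])) {
        http_response_code(403);
        exit('Not logged in');
    }

    // Validate the id from the request; never assume it is one of the user's own.
    $msgId    = filter_input(INPUT_POST, 'msg_id', FILTER_VALIDATE_INT);
    $newBody  = $_POST['body'] ?? null;
    $origBody = $_POST['orig_body'] ?? null;   // hidden field: body as shown on the form
    if ($msgId === false || $msgId === null || $newBody === null || $origBody === null) {
        http_response_code(400);
        exit('Bad request');
    }

    // MYSQL_ATTR_FOUND_ROWS makes rowCount() report matched rows, so an edit that
    // leaves the body unchanged still counts as a successful, authorised update.
    $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_FOUND_ROWS  => true,
    ]);

    // Ownership and staleness are conditions of the UPDATE itself, so the check
    // and the change happen atomically on the same page submit.
    $stmt = $db->prepare(
        'UPDATE Msg SET body = :body WHERE msg_id = :id AND username = :user AND body = :orig'
    );
    $stmt->execute([
        ':body' => $newBody,
        ':id'   => $msgId,
        ':user' => $_SESSION['username'],
        ':orig' => $origBody,
    ]);

    if ($stmt->rowCount() === 1) {
        exit('Message updated');
    }

    // Zero rows matched: deleted, not this user's, or changed since the form was
    // loaded. Look up which so the response is accurate (nothing was modified).
    $check = $db->prepare('SELECT username FROM Msg WHERE msg_id = :id');
    $check->execute([':id' => $msgId]);
    $row = $check->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); exit('Message no longer exists'); }
    if ($row['username'] !== $_SESSION['username']) { http_response_code(403); exit('Not your message'); }
    http_response_code(409); exit('Message changed while you were editing; reload and retry');
    ```

    The same `username = :user` qualifier belongs on the DELETE and on the SELECT that populates the edit form, so the form itself cannot be loaded for someone else's message.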
