Hello, I have studied the method presented in chapter 10 for viewing, editing, and deleting users. However, I am a bit concerned that when a user clicks the link to edit or delete, the user ID is passed via the URL to another page. Example here (from view_users.php):

<td align="left"><a href="edit_user.php?z=' . $id . '">Edit</a></td>
<td align="left"><a href="delete_user.php?z=' . $id . '">Delete</a></td>

I have found that I can simply change that ID value and perform an edit or delete on another user. This is a concern, especially if that user is not authorized to make that edit or deletion. I believe this example is meant for an admin, but I want to pass this functionality a level below to a group leader who can manage their users.

My question for the forum is: how could this method be made more secure? I've been racking my brain on this and can't seem to figure out the best approach. I know passing session variables to the edit and delete scripts would be most secure, but how can I bind the selection of a user (and their respective ID) from a row of names to a specific session variable, and then call on that session variable from the edit and delete .php scripts to perform the edit or deletion?

I appreciate any thoughts. Thanks,
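The weakness described in the post is an insecure direct object reference: the ID in ?z= is attacker-controlled, and nothing on the server checks whether the logged-in user is allowed to touch that ID. The usual fix is not to hide the ID in a session variable but to keep the actor's identity in the session (set at login) and, in edit_user.php and delete_user.php, authorize the (session user, target ID) pair against the database before doing anything. The following is an added example written for this reply; it is not code from the book's chapter or from the original poster. It uses an in-memory SQLite database through PDO in place of the book's MySQL setup, and the schema (a users table with a group_id, a groups table with a leader_id), the "group leader manages their own group's users" rule, and the $_SESSION keys are all assumptions.

```php
<?php
// Added example, not from the book or the original post. Server-side
// authorization for edit/delete so that tampering with ?z=ID in the URL
// cannot reach users the caller does not manage.
// Schema, table names, session keys and the "group leader" rule are assumptions.
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL database the book uses.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE groups (id INTEGER PRIMARY KEY, leader_id INTEGER NOT NULL)');
$db->exec('CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT NOT NULL, group_id INTEGER)');

// Constructed sample data: user 1 leads group 10, user 2 leads group 20.
$db->exec('INSERT INTO groups VALUES (10, 1), (20, 2)');
$db->exec("INSERT INTO users VALUES (1, 'leader-a', 10), (2, 'leader-b', 20),
                                   (3, 'member-a', 10), (4, 'member-b', 20)");

/**
 * Parse the ID from the query string ($_GET in a real request). Anything
 * that is not a positive integer is rejected up front; the raw string
 * never reaches SQL.
 */
function idFromRequest(array $query, string $key = 'z'): ?int
{
    $v = filter_var($query[$key] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    return $v === false ? null : (int) $v;
}

/**
 * Authorization rule: an admin may manage anyone; a group leader may manage
 * only users whose group they lead. The actor's identity comes from the
 * session (set at login), never from the request.
 */
function canManage(PDO $db, array $session, int $targetId): bool
{
    if (!isset($session['user_id'])) {
        return false;                      // not logged in
    }
    if (!empty($session['is_admin'])) {
        return true;
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM users u JOIN groups g ON g.id = u.group_id
          WHERE u.id = :target AND g.leader_id = :actor'
    );
    $stmt->execute([':target' => $targetId, ':actor' => $session['user_id']]);
    return $stmt->fetchColumn() !== false;
}

/**
 * delete_user.php logic: re-check authorization in the same request that
 * performs the write, and scope the DELETE itself by the actor's groups so
 * that a change between the check and the delete cannot widen its reach.
 * Returns the number of rows deleted (0 when denied or not found).
 */
function deleteUser(PDO $db, array $session, int $targetId): int
{
    if (!canManage($db, $session, $targetId)) {
        return 0;
    }
    if (!empty($session['is_admin'])) {
        $stmt = $db->prepare('DELETE FROM users WHERE id = :target');
        $stmt->execute([':target' => $targetId]);
    } else {
        $stmt = $db->prepare(
            'DELETE FROM users WHERE id = :target
               AND group_id IN (SELECT id FROM groups WHERE leader_id = :actor)'
        );
        $stmt->execute([':target' => $targetId, ':actor' => $session['user_id']]);
    }
    return $stmt->rowCount();
}

// Constructed session for leader-a (what session_start() plus a login would set).
$session = ['user_id' => 1, 'is_admin' => false];

// Tampered URL: leader-a requests delete_user.php?z=4 (a member of group 20).
$target = idFromRequest(['z' => '4']);
printf("delete z=4 as leader-a: %d row(s)\n", deleteUser($db, $session, $target));

// Legitimate URL: delete_user.php?z=3 (a member of group 10).
$target = idFromRequest(['z' => '3']);
printf("delete z=3 as leader-a: %d row(s)\n", deleteUser($db, $session, $target));

// Garbage in the URL is rejected before any query runs.
var_dump(idFromRequest(['z' => '3 OR 1=1']));
```

The ID can stay in the URL; what matters is that the page receiving it decides on the server, from the session and the database, whether this caller may act on that ID, and that the same rule is applied on both the form display (edit_user.php) and the submit handler, since an attacker can post to the handler directly. Deletes should also be sent as POST rather than followed as a GET link, with a CSRF token, so that a crafted link cannot trigger them in a logged-in leader's browser.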