(I'm using Php / MySql / DWCS3)
My website allows clients to log in with their own username and password to view their personal records - and NOT anyone else's.
I achieved this by creating a query in MySql and using it as a recordset in Dreamweaver.
This works fine, but I found out that you can log in as 'Client A' and see all your records, but you can manually edit the recordID number in the URL to see other clients' records!
How can I prevent users from editing the URL?
Can I encrypt it perhaps?
Thanks!
If you are using page.php?clientid=123 to log your clients in you are seeing the most basic form of injection. Basically your code is not checking for what that variable is and is not verifying it against anything. Thus, your site is not secure at all. The answer here is not really encryption. You encrypt data you do not want to be read, but if someone can enter another value into the clientid they can do just about anything with your site.
What we need to re-examine is the login flow that you have planned. If you are on a tight deadline at this point I would recommend looking into CMS answers from the basic Wordpress and CMSMS to Drupal and ModX. If you are not on a tight deadline and have questions about programming this to work we can go from there, but I don't want to start typing out a long discussion if you are not looking to go in that direction.
Hi,
I'm not on a tight deadline and would like to get this working.
To start with, these are my database tables:
user_tbl
user_UID client_ID username password access_level
1 1 joe bloggs member
2 1 fred smith member
3 2 john edwards member
4 3 lee jones member
client_tbl
client_UID client_name
1 company A
2 company B
3 company C
install_tbl
Install_UID client_ID job_number site_name install_date
1 1 123456 London 2010-10-01
2 2 321456 Birmingham 2010-05-12
3 2 123145 Glasgow 2010-01-05
4 3 789745 Newcastle 2010-03-07
I have created and saved a query (qry_satnote) in phpmyadmin that filters the install records by client, and then matches up with the corresponding user.
So basically it does this:
'joe bloggs' sees install records from 'company A'
'fred smith' sees install records from 'company A'
'john edwards' sees install records from 'company B'
'lee jones' sees install records from 'company C'
----------------------------------------------------------------------------------------------------------------------------------------
Index.php
Users log in on this page via the 'log in user' server behaviour - validated using the 'username' and 'password' column from the 'user_tbl'
----------------------------------------------------------------------------------------------------------------------------------------
Every page from here has the ‘restrict access to page’ behaviour set to ‘member’
Sites_list.php
This is the landing page if login details are accepted.
This page displays a list of installs for this client. Each with a hyperlink to the detail page for the selected record - I've included the hyperlink next to each record for reference.
The data is brought through by a recordset using these settings:
Recordset name:
rsLatestProjects
SELECT *
FROM qry_satnote
WHERE username = colname
Name: colname
Type: text
Default value: -1
Run time value: $_SESSION['MM_Username']
Job number site name Details
123456 London view (search_results_detail.php?recordID=1)
321456 Birmingham view (search_results_detail.php?recordID=2)
123145 Glasgow view (search_results_detail.php?recordID=3)
789745 Newcastle view (search_results_detail.php?recordID=4)
The full code for the 'view' hyperlink is:
search_results_detail.php?recordID=<?php echo $row_rsLatestProjects['install_UID']; ?>
-------------------------------------------------------------------------------------------------------------------------------------
Search_results_detail.php
This page displays the full details for the chosen record.
This is where the problem occurs as I can change the recordID= number in the url and see records for other clients.
Recordset name:
DetailRS1
SELECT *
FROM qry_satnote
WHERE install_UID = colname
Name: colname
Type: numeric
Default value: -1
Run time value: $_GET['recordID']
------------------------------------------------------------------------------------------------------------------------------------
I hope I’ve been clear in what I’ve written, if you need to see any code let me know.
Thanks very much for your help.
I have created and saved a query (qry_satnote) in phpmyadmin that filters the install records by client, and then matches up with the corresponding user.
Providing that query may help. Theoretically you could add an AND argument to the query where the column for whatever = session variable for the logged in user's ID.
SELECT *
FROM qry_satnote
WHERE install_UID = colname AND client_ID = colname2
Name: colname2
Type: numeric
Default value: -1
Run time value: $_SESSION['user_ID']
So in effect it'll be acting as a double authentication?
This is the sql statement for qry_satnote
SELECT user_tbl.user_UID, user_tbl.username, user_tbl.password, user_tbl.access_level, client_tbl.client_name, install_tbl.*
FROM client_tbl JOIN user_tbl JOIN install_tbl
ON client_tbl.client_UID = install_tbl.client_ID AND user_tbl.client_ID = install_tbl.client_ID
Sorry, I've made a correction to the sites_list.php page, I didn't explain that the logged in user can only see a list of their sites and not anyone else's...
So for example if John Edwards logs in, he can only see a list of his sites:
Job number site name Details
321456 Birmingham view (search_results_detail.php?recordID=2)
123145 Glasgow view (search_results_detail.php?recordID=3)
When clicking through to the search_results_detail.php page that is where I can change the recordID number to see other clients records.
Store the userId in a session variable and include that in the SQL query. If the visitor changes the query string to a recordID that their userId is not linked to, the results will be empty.
Or, do what shocker suggested and include the user id, as well as another value that is linked to the user id, in the querystring - making it very difficult for someone to guess.
321456 Birmingham view (search_results_detail.php?recordID=2&userID=100&userKey="ghH396skwferg34")
You could also encrypt the entire querystring making it more difficult to hack.
I think that using the session variable is the easiest and should be secure enough.
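As an added example (not code from the thread or from Dreamweaver), here is what search_results_detail.php looks like when written by hand along the lines of the session-variable advice above: the record id is validated as an integer, bound as a prepared-statement parameter rather than pasted into the SQL, and the WHERE clause also requires the logged-in username, so a recordID belonging to another client returns no row at all. The view name qry_satnote and the columns install_UID, username, job_number, site_name, install_date and client_name are taken from the thread; the connection details are placeholders, and the session key $_SESSION['MM_Username'] is assumed to be the one Dreamweaver's 'log in user' behaviour sets.

```php
<?php
// Added example, not the thread's own code. Assumes qry_satnote exists as
// described in the thread and that the login page stores the username in
// $_SESSION['MM_Username'] (the key used by the rsLatestProjects recordset).
session_start();

// Mirror the 'restrict access to page' behaviour: no session, no page.
if (empty($_SESSION['MM_Username'])) {
    header('Location: index.php');
    exit;
}

// Placeholder connection details; replace with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}

// Validate recordID as an integer before it goes anywhere near SQL.
$recordId = filter_input(INPUT_GET, 'recordID', FILTER_VALIDATE_INT);
if ($recordId === false || $recordId === null) {
    http_response_code(400);
    exit('Bad request');
}

// VULNERABLE shape (what the DetailRS1 recordset does): the only filter is the
// visitor-controlled recordID, so any install row can be fetched:
//   SELECT * FROM qry_satnote WHERE install_UID = <recordID>
//
// FIXED: qry_satnote already joins users to installs through client_ID, so
// adding the logged-in username to the WHERE clause limits the lookup to the
// client that user belongs to. A foreign recordID simply returns no row.
$stmt = $db->prepare(
    'SELECT job_number, site_name, install_date, client_name
       FROM qry_satnote
      WHERE install_UID = ? AND username = ?'
);
$stmt->bind_param('is', $recordId, $_SESSION['MM_Username']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

if ($row === null) {
    // Either the record does not exist or it belongs to another client.
    // Logging the miss makes a run of changing recordIDs easy to spot later.
    error_log(sprintf('denied detail view: user=%s recordID=%d',
                      $_SESSION['MM_Username'], $recordId));
    http_response_code(404);
    exit('Record not found');
}
?>
<h1><?php echo htmlspecialchars($row['site_name']); ?></h1>
<p>Job <?php echo htmlspecialchars($row['job_number']); ?>
   for <?php echo htmlspecialchars($row['client_name']); ?>,
   installed <?php echo htmlspecialchars($row['install_date']); ?></p>
```

With the sample data from the thread, 'john edwards' (company B) requesting recordID=2 or 3 gets the Birmingham or Glasgow row, while recordID=1 or 4 (company A and C installs) gets a 404, because no qry_satnote row pairs his username with those installs. If the login page stores client_ID in the session instead of the username, the second condition becomes client_ID = ? with that value bound as an integer; either way the check belongs in the query itself, not in a value carried in the URL.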