Hello,
Right now I have made a dynamic user profile link e.g. www.website.com/profile.php?id=123 which I want access only to the user with id 123, so only 123 can view and update his profile information. (and www.website.com/profile.php?id=456 can only be accessed and edited by user with id 456)
Dreamweaver's restrict access to page function only restricts page to log in, so as long as you are logged in you can view and edit any user's profile.
What do I need to do to my profile.php to restrict the page to specific logged in user?
Thanks!
Regards,
Svnelvn
You need to test that the userid being retrieved in the query matches the logged in user id. If it does not, redirect the user.
Think of how the user is getting to that page - is it through a "My Profile" type link, or is it from a list of users?
If it's a My Profile link, then the profile being displayed is already based on that User ID and you could protect it with Logon only. If it's from a list of users, then you may want to rethink why you're showing a list of users where each user can only get to his own profile page - unless there's a "public" portion of a user's profile.
>If it's a My Profile link, then the profile
>being displayed is already based on
>that User ID and you could protect it
>with Logon only
Lon, I would worry about a valid user logging on and then switching to another user's profile by editing the querystring. To prevent this, I would not allow a profile to be retrieved from a querystring. I think the safest is to use the userid stored in the session to retrieve and edit any personal data.
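
The two suggestions in this thread (compare the requested id with the logged-in id, and key every query on the session id) combined in one script, as an added example that is not part of any post above. It assumes the login page stores the user's id in `$_SESSION['user_id']`; the `users` table, its columns, the helper function names and the sample rows are hypothetical, and an in-memory SQLite database (needs `pdo_sqlite`) with a simulated session stands in for the real site so it runs from the command line.

```php
<?php
// Added example: profile.php keyed to the session user, never to ?id=.
// Assumed: login sets $_SESSION['user_id']; table and column names are hypothetical.
function current_user_id(array $session): ?int
{
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

function load_profile(PDO $pdo, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function update_profile(PDO $pdo, int $userId, string $email): bool
{
    // The WHERE clause uses the session id, so a forged id cannot retarget the update.
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$email, $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (123, 'alice', 'a@example.test'), (456, 'bob', 'b@example.test')");

// Simulated request: user 123 is logged in, query string was edited to id=456.
$session = ['user_id' => 123];   // on the real page: session_start(); then $_SESSION
$get     = ['id' => '456'];      // on the real page: $_GET

$uid = current_user_id($session);
if ($uid === null) {
    exit("not logged in\n");     // on the real page: header('Location: login.php'); exit;
}
if (isset($get['id']) && (int) $get['id'] !== $uid) {
    // Mismatch: record it, then redirect or fall through to the user's own profile.
    error_log("profile id mismatch: session=$uid requested={$get['id']}");
}
$profile = load_profile($pdo, $uid);              // always the session user's row
update_profile($pdo, $uid, 'new@example.test');   // user 456 is never touched
$after = load_profile($pdo, $uid);
echo $after['id'], ' ', $after['email'], "\n";
```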