Answered
Restrict User Access to Page in Relational Database
I have a relational database with two tables linked on a common ID field. The logged-in user can access all of their entries in the child table with simple SQL queries and then select from a list of matching records which of their records in the child table they wish to edit (i.e., the ParentTable['ID'] == ChildTable['ID']). The record is then displayed using a $_GET passed through the URL as a 'recordID' parameter. However, when the user is logged in and they access a record that matches the query, they can then type another 'RecordID' number into the URL and get access to any record in the child table whether or not they are the 'owner' of the record.
I have tried putting an equivalence statement in the user authorization code to restrict unauthorized access to child records from logged-in users, since the ParentTable['ID'] == ChildTable['ID'] only when the logged-in user accesses the records they previously created. (In other words, when a logged-in user types a different 'RecordID' into the URL, the ParentTable['ID'] and ChildTable['ID'] are not equivalent.) The code I entered into the user authentication generated by DW is as follows:

```php
if ((isset($HTTP_SESSION_VARS["MM_Username"]) && ($row_ParentTable['ID'] == $row_ChildTable['ID']))) {
...
```

Access is still not restricted, even though testing shows that the ParentTable['ID'] and ChildTable['ID'] are not equivalent.
Any ideas on how to restrict access to the 'unowned' child records? I am sure it is relatively simple but I am having difficulty getting through this obstacle.
Thanks
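The problem described above is an insecure direct object reference: the page looks up a child record by the `recordID` from the URL and only afterwards compares two IDs in PHP, so nothing ties the record to the session user. The example below is added here and is not the asker's code or Dreamweaver's generated code; it assumes table names `parent_table` and `child_table`, an `owner_id` column on the child table, and uses an in-memory SQLite database with constructed sample rows so it runs stand-alone. It shows the unscoped lookup beside a lookup whose WHERE clause requires that the logged-in user own the record.

```php
<?php
// Added example (not the asker's code): let the database enforce ownership
// by scoping the record lookup to the logged-in user.
// Table and column names below (parent_table, child_table, owner_id) are assumptions.

function buildSchema(PDO $db): void {
    $db->exec("CREATE TABLE parent_table (id INTEGER PRIMARY KEY, username TEXT UNIQUE)");
    $db->exec("CREATE TABLE child_table (record_id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT)");
    // Constructed sample data: two users, each owning one child record.
    $db->exec("INSERT INTO parent_table VALUES (1, 'alice'), (2, 'bob')");
    $db->exec("INSERT INTO child_table VALUES (10, 1, 'alice record'), (20, 2, 'bob record')");
}

// Vulnerable pattern: the query trusts recordID from the URL alone, so any
// logged-in user can read any record by changing the number in the URL.
function fetchRecordUnscoped(PDO $db, int $recordId): ?array {
    $stmt = $db->prepare("SELECT record_id, owner_id, body FROM child_table WHERE record_id = :rid");
    $stmt->execute([':rid' => $recordId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: join the child record to the session user's parent row,
// so a row comes back only if the logged-in user owns it. A recordID that
// belongs to someone else yields no row, which the page treats as "not found".
function fetchOwnedRecord(PDO $db, string $sessionUsername, int $recordId): ?array {
    $sql = "SELECT c.record_id, c.owner_id, c.body
              FROM child_table c
              JOIN parent_table p ON p.id = c.owner_id
             WHERE c.record_id = :rid AND p.username = :user";
    $stmt = $db->prepare($sql);
    $stmt->execute([':rid' => $recordId, ':user' => $sessionUsername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// Simulated session (Dreamweaver keeps the login name in MM_Username) and a
// URL such as page.php?recordID=20 requested by 'alice', who does not own record 20.
$sessionUsername = 'alice';
$recordId = (int) ($_GET['recordID'] ?? 20);

// Unscoped lookup: the row is returned regardless of who is logged in.
var_dump(fetchRecordUnscoped($db, $recordId));
// Scoped lookup for the same recordID: ownership is checked inside the query.
var_dump(fetchOwnedRecord($db, $sessionUsername, $recordId));
// Scoped lookup for a record the session user does own.
var_dump(fetchOwnedRecord($db, $sessionUsername, 10));
```

The ownership condition belongs in the SQL that fetches the record, not in a PHP comparison made after the fact: once the record has already been read with only `recordID` in the WHERE clause, comparing two IDs in the authorization block cannot undo that. Using a bound parameter for `recordID` also keeps the URL value from being interpreted as SQL.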
