I have a relational database with two tables linked on a common ID field. The logged-in user can access all of their entries in the child table with simple SQL queries and then select, from a list of matching records, which of their records in the child table they wish to edit (i.e., the ParentTable['ID'] == ChildTable['ID']). The record is then displayed using a $_GET passed through the URL as a 'recordID' parameter. However, when the user is logged in and they access a record that matches the query, they can then type another 'RecordID' number into the URL and get access to any record in the child table, whether or not they are the 'owner' of the record.
I have tried putting an equivalence statement in the user authorization code to restrict unauthorized access to child records from logged-in users, since the ParentTable['ID'] == ChildTable['ID'] only when the logged-in user accesses the records they previously created. (In other words, when a logged-in user types a different 'RecordID' into the URL, the ParentTable['ID'] and ChildTable['ID'] are not equivalent.) The code I entered into the user authentication generated by DW is as follows:
```php
// $HTTP_SESSION_VARS is the old (pre-PHP 4.1) name for $_SESSION
if ((isset($HTTP_SESSION_VARS["MM_Username"])
     && ($row_ParentTable['ID'] == $row_ChildTable['ID']))) {
    ...
```
Access is still not restricted, even though testing shows that the ParentTable['ID'] and ChildTable['ID'] are not equivalent. Any ideas on how to restrict access to the 'unowned' child records? I am sure it is relatively simple, but I am having difficulty getting through this obstacle.
Thanks
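One way to enforce the ownership check described in the post, as an added example that is neither the poster's code nor Dreamweaver's generated code: put the owner condition into the query that loads the child record, so a recordID typed into the URL returns no row unless the logged-in user owns it, instead of comparing two separately fetched recordsets afterwards. The table and column names (users, child_records, owner_id), the PDO/SQLite in-memory setup and the sample rows are assumptions constructed for the demo.

```php
<?php
// Added example (not the poster's or Dreamweaver's code): enforce ownership of
// a child record inside the query itself. Table/column names, the PDO/SQLite
// setup and the sample rows are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$pdo->exec('CREATE TABLE child_records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO child_records VALUES (10, 1, 'alice entry'), (11, 2, 'bob entry')");

/** Map the session username (what MM_Username holds) to the user's ID, or null. */
function userIdForSession(PDO $pdo, ?string $username): ?int
{
    if ($username === null) { return null; }
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

/**
 * Fetch the child record only when it is owned by $userId. The owner test is
 * part of the WHERE clause, so a foreign recordID typed into the URL simply
 * returns no row; there is no second recordset to compare against.
 */
function loadOwnedRecord(PDO $pdo, int $recordId, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, owner_id, title FROM child_records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $recordId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Page logic: the record for the edit form, or null meaning "deny / not found". */
function recordForRequest(PDO $pdo, ?string $sessionUser, string $rawRecordId): ?array
{
    $recordId = filter_var($rawRecordId, FILTER_VALIDATE_INT);   // reject non-integer input
    $userId = userIdForSession($pdo, $sessionUser);
    if ($recordId === false || $userId === null) { return null; }
    return loadOwnedRecord($pdo, $recordId, $userId);
}

// Simulated requests; in the real page these come from $_SESSION and $_GET['recordID'].
var_dump(recordForRequest($pdo, 'alice', '10'));   // alice asks for her own record
var_dump(recordForRequest($pdo, 'alice', '11'));   // alice asks for bob's record
var_dump(recordForRequest($pdo, null, '10'));      // nobody logged in
```

Deny the request (403 or redirect to login) whenever recordForRequest returns null; treating "not owned" and "does not exist" the same way avoids revealing which record IDs exist.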