Security bug?

11/14/2007 7:20:35 PM
PHPRunner General questions
Fawaz author
  1. When I use the security users can see and edit other users data

    For id=x on the edit page I have profile_edit.php?editid1=x

    If someone changes the URL to profile_edit.php?editid1=y then he will be able to edit profile y.
    How do I prevent that?
  2. I am using the security users can only see and edit their own data
    When I login with id=x on the edit page I reach profile_edit.php?editid1=x
    For id=x on the edit page I have profile_edit.php?editid1=x

    If someone changes the URL to profile_edit.php?editid1=y then he will get new empty fields where he can enter some data.
    How do I prevent that?
    Please advise.

    Thanks,

    Fawaz

Alexey admin 11/15/2007

Fawaz,

> 1. When I use the security users can see and edit other users data

What exactly would you like to prevent here?

> 2. I am using the security users can only see and edit their own data

No data will be displayed and no data will be written to the database in this case.

So there is no vulnerability here.

Fawaz author 11/15/2007

> Fawaz,
>
> What exactly would you like to prevent here?
> No data will be displayed and no data will be written to the database in this case.
>
> So there is no vulnerability here.


Alexey,

For 1. When I use the security users can see and edit other users data
If someone changes the URL from profile_edit.php?editid1=x to profile_edit.php?editid1=y then he will be able to edit profile y.
How do I prevent that? I don't want anyone to change the URL and retrieve the data.

Thanks

Fawaz

Alexey admin 11/15/2007

Fawaz,

> I don't want anyone to change the URL and retrieve the data

You cannot prohibit users modifying URLs.

Choose "Users can see and edit their own data" security mode to hide the data.
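
The thread's conclusion is that the `editid1` value in the URL is under the user's control, so the restriction has to be enforced on the server for every read and write. The following is an added example, not part of the thread and not PHPRunner's generated code; the `profiles` table, the `owner_id` column, the function names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: table, column and function names are assumptions,
// not PHPRunner's own code.
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)');
$db->exec("INSERT INTO profiles VALUES (1, 101, 'x'), (2, 102, 'y')");

// Return the record id only if it exists and belongs to the logged-in user.
function ownedProfileId(PDO $db, int $sessionUserId, $editId): ?int
{
    // Accept only a plain positive integer from the query string.
    $id = filter_var($editId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The owner comes from the session, never from the request.
    $stmt = $db->prepare('SELECT id FROM profiles WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $sessionUserId]);
    return $stmt->fetchColumn() === false ? null : $id;
}

// Apply an edit; the UPDATE repeats the ownership predicate so the write
// cannot touch another user's row even if the earlier check is bypassed.
function updateOwnProfile(PDO $db, int $sessionUserId, $editId, string $name): bool
{
    $id = ownedProfileId($db, $sessionUserId, $editId);
    if ($id === null) {
        return false; // respond with 403/404 in a real page; no empty form
    }
    $stmt = $db->prepare('UPDATE profiles SET name = :name WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':name' => $name, ':id' => $id, ':owner' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// User 101 is logged in; each value stands for editid1 from the URL.
$sessionUserId = 101;
foreach (['1', '2', 'abc'] as $editid1) {
    $ok = updateOwnProfile($db, $sessionUserId, $editid1, 'new name');
    printf("editid1=%s -> %s\n", $editid1, $ok ? 'updated' : 'denied');
}
```

Returning a refusal instead of an empty edit form also removes the confusing behaviour described in the second question.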