I have this query below:
```php
// They have a token and estimate id
if (isset($_GET['estimate_token']) && isset($_GET['estimate_id']))
{
    if ($select = $db->prepare("SELECT estimate_id FROM estimates WHERE estimate_token = ?"))
    {
        $select->bind_param('s', $_GET['estimate_token']);
        $select->execute();
        $select->store_result();
        $select->bind_result($estimate_id);
        $select->fetch();
        if ($select->num_rows == '0')
        {
            header("Location: ./login.php");
        } else {
        }
        $select->close();
    }
}
```
Customers are given a link via email with the token and an estimate id from the database. When they click the link it brings them to the correct estimate. The problem I am having is that if a customer manually replaces the estimate_id or estimate_token with any number in the URL it still keeps you on the website, where it should be kicking you to login.php. This is bad because it allows customers to view other estimates in the system.

I think the problem lies in the `$select->num_rows` throwing a false positive.
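A defensive version of this check, added here as an example and not the asker's code: it binds both the id and the token in the same query so the row has to match on both, validates the id as an integer before it reaches the database, and calls `exit` after every redirect so the rest of the page is never rendered for an unauthorised request. It assumes `$db` is a connected `mysqli` object and that `estimates` has integer `estimate_id` and string `estimate_token` columns, as in the question.

```php
<?php
// Added example (not the asker's code). Assumes $db is a connected mysqli
// instance and that the estimates table has columns estimate_id (int) and
// estimate_token (string).

function estimateForToken(mysqli $db, string $token, int $id): ?int
{
    // Bind BOTH values so a row must match the id AND the token together;
    // a guessed estimate_id paired with a different token returns no row.
    $select = $db->prepare(
        'SELECT estimate_id FROM estimates WHERE estimate_id = ? AND estimate_token = ?'
    );
    if ($select === false) {
        return null;
    }
    $select->bind_param('is', $id, $token);
    $select->execute();
    $select->store_result();

    $found = null;
    if ($select->num_rows === 1) {
        $select->bind_result($found);
        $select->fetch();
    }
    $select->close();
    return $found;
}

function redirectToLogin(): void
{
    header('Location: ./login.php');
    exit; // without exit, PHP keeps running and still renders the estimate page
}

if (!isset($_GET['estimate_token'], $_GET['estimate_id'])) {
    redirectToLogin();
}

$token = (string) $_GET['estimate_token'];
$id    = filter_var($_GET['estimate_id'], FILTER_VALIDATE_INT);
if ($id === false) {
    redirectToLogin(); // "any number" or junk in estimate_id never reaches the query
}

$estimate_id = estimateForToken($db, $token, $id);
if ($estimate_id === null) {
    redirectToLogin(); // no row matched this (id, token) pair
}

// From here on, $estimate_id is an estimate that the presented token is valid for.
```

The two changes that matter are the combined `WHERE estimate_id = ? AND estimate_token = ?` condition, which stops a valid token from unlocking a different estimate, and the `exit` after `header()`, since `header()` only queues a response header and does not stop script execution on its own.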