Good morning,
I am building a site for a client and I have come across a huge issue. I am allowing a public search where the user can select the search field from a dropdown and then input the search value in an input field. The SQL query runs and returns results. The unregistered user can then select to view the details for that particular user by clicking on View. Now obviously, when they click the View link they are redirected to another page using PHP.
<td><a href='http://localhost/mygiftsite/pub_list_view.php?user=<?php echo (int) $user_id; ?>'>View</a></td>
This produces the following URL: http://localhost/mygiftsite/pub_list_view.php?user=1. This page then displays all the lists that are made public by that particular registered member. The unregistered user can then view those lists by clicking on any of the fields, which redirects to http://localhost/mygiftsite/pub_item_view.php?list=9.
My problem is that a user can just change the value of the list variable/index in the URL to view lists for other users and lists with a privacy setting of private, which should not be allowed. Just to clarify, the list has a privacy field, not the user. The registered user decides to either keep a list private or to make a list public. Public lists should be accessible via a member search and private lists should not be displayed. I stopped users from accessing pages without being logged in using the following code:
<?php
session_start();
if(!isset($_SESSION['userid'])){
header("location: http://localhost/mygiftsite/login.php");
exit; // stop here; without this the rest of the page still runs and is sent to the client
}
?>
But I want to allow unregistered users to search and view public lists. Please can you help me resolve this issue.
- Is it possible to "hide" the variable so the value cannot be changed?
- How do I stop users from simply changing the value of the list variable by clicking in the URL?
- If they change the value by simply changing the URL, how do I protect my users' lists should the privacy be set to private?
- I do not want to go the .htaccess method as you can still simply change the parameter value.
My main concern is that a parameter can simply be changed in the address bar. How do I stop this from happening?
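The protection does not come from hiding the parameter but from checking, on the server, whether the requested list is public or belongs to the logged-in user before anything is shown. The following pub_item_view.php is an added example rather than the poster's code; it assumes a PDO connection in $pdo, a `lists` table (id, user_id, name, is_public) and an `items` table (list_id, item_name), and reuses the 'userid' session key from the question.

```php
<?php
// Added example, not the original poster's code. Assumed schema: table `lists`
// (id, user_id, name, is_public with 1 = public, 0 = private) and table `items`
// (list_id, item_name). $pdo is an assumed, already-opened PDO connection.
session_start();

// 1. Validate the parameter: anything that is not a positive integer is rejected
//    before it gets anywhere near the database.
$list_id = filter_input(INPUT_GET, 'list', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($list_id === false || $list_id === null) {
    http_response_code(400);
    exit('Invalid list id.');
}

// 2. Load the list with a prepared statement (no string interpolation into SQL).
$stmt = $pdo->prepare('SELECT id, user_id, name, is_public FROM lists WHERE id = :id');
$stmt->execute([':id' => $list_id]);
$list = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Authorize on the server. The URL value is untrusted, so the decision is made
//    from the database row plus the session, never from the parameter alone:
//    a public list is visible to anyone, a private list only to its owner.
$viewer_id = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
$allowed = $list !== false
    && ((int) $list['is_public'] === 1
        || ($viewer_id !== null && $viewer_id === (int) $list['user_id']));

if (!$allowed) {
    // Same response for "does not exist" and "private", so a visitor cannot tell
    // which ids are real by walking through them in the address bar.
    http_response_code(404);
    exit('List not found.');
}

// 4. Only now render the items, escaping output so stored text cannot inject HTML.
$items = $pdo->prepare('SELECT item_name FROM items WHERE list_id = :id');
$items->execute([':id' => $list_id]);
echo '<h1>' . htmlspecialchars($list['name'], ENT_QUOTES, 'UTF-8') . '</h1><ul>';
foreach ($items as $row) {
    echo '<li>' . htmlspecialchars($row['item_name'], ENT_QUOTES, 'UTF-8') . '</li>';
}
echo '</ul>';
```

The same pattern applies to pub_list_view.php: take the user id from the URL, but build the list of lists with a WHERE clause that only selects public ones unless the viewer is that user.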