i'm a newbie and I just built a CRUD system but its not secure at all. The edit page has the ID number in the URL and users can simple just randomly type ID's to access other records in the database.
http://example.com/example_edit.php?id=2
<?php
include_once("connection.php");
$result = mysqli_query($mysqli, "SELECT * FROM mkregistrationchecklists WHERE login_id=".$_SESSION['id']." ORDER BY id DESC");
?>
<tbody>
<?php
while($res = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>".$res['id']."</td>";
echo "<td><span class='label ".$res['labelwarning']."'>".$res['status']."</span></td>";
echo "<td>".$res['todaysdatetime']."</td>";
echo "<td>".$res['tag']."</td>";
echo "<td>".$res['serialnumber']."</td>";
echo "<td>".$res['currentequipment']."</td>";
echo "<td>".$res['company']."</td>";
if ($res['status'] == "Submitted") {
echo "<td><a href='page_read.php?id=$res[id]' class='btn btn-default glyphicon glyphicon-eye-open'></a></td>";
} else{
echo "<td><a href=\"page_edit.php?id=$res[id]\" class='btn btn-default fa fa-pencil-square'></a> | <a href=\"page_delete.php?id=$res[id]\" class='btn btn-danger fa fa-trash' onClick=\"return confirm('Are you sure you want to delete?')\"></a></td>";
}
echo "</tr>";
}
?>
</tbody>
What is the best approach in securing this?
Should i encrypt like this?
$secure_id = $_GET['id'];
$decryped_id = base64_decode($secure_id);
I updated my code, im saving the records according to the login_id but it still looks unprofessional with the id tag in the urls.