Restrict direct access to related records

My project allows users to create orders, view and print them. I am using sessions to only allow them to only see their records in the database. I have a table that displays their orders and within that table there is a link that will allow them to view the order details. It users a different parameter and appends that to the URL address to distinguish which record they need to view. However, if the user directly changes the order number, they will be able to access the record that is related to a different user. Not what I want them to be able to do.
Any advice on how I can restrict users to only be able to view records related to them.
I have a User table with userEmail and Password. OrderDetail table has customerID against OrderID.
The session variable I am using uses their email address.

Hi cracker,

You mention two tables: A user table with userEmail and Password, and OrderDetail with customerID and OrderID. You also mention that you are using a $_SESSION variable to track their email address.

You need a way to link their email address to their order details, or else you need to use the customerID instead of email address in your $_SESSION. Without knowing anything else, I believe this is the best way to go.

I am assuming you are running a query against the database with the record number (in a $_GET variable). It sounds like you are currently doing something like [php]“SELECT * FROM OrderDetail WHERE OrderID = $_GET[‘orderID’]”[/php]
What you want to do is something like [php]“SELECT * FROM OrderDetail WHERE OrderID = $_GET[‘orderID’] AND customerID = $_SESSION[‘customerID’]”[/php]

I realize that this makes a lot of assumptions, if you could provide more details regarding the columns that are available in your tables, or your code; I would be glad to provide more detailed assistance.

Hi malasho,
Thanks for the reply. Here’s some more useful info…maybe

Client Table
ClientID
Email
Password

There are other fields that I grab when user fills out form but these, I think are the important ones.

OrderDetail Table
OrderDetailID
ClientID

More fields also in the table like PartID, PartDescription, Qty etc.

I was using the Email field as this is the field the user uses to log in to verify them. I have assigned that to the $_SESSION variable. Not sure if I can or how to assign the ClientID to the $_SESSION variable after they have logged in. If I can, maybe that would be better?

I have an OrderSearch page that shows all the users current orders in a table. This table has OrderNumber, OrderDate and CustomerName.
The OrderNumber field is a link to the OrderDetails page. Each row in this table has a different URL address eg:
a href=“CustomerOrderDetails.php?recordID=<?php echo $row_Orders['OrderNumber']; ?>” Clicking on this link works as I want, except for this security issue I’m trying to overcome.

I’ll try editing the query statement. That might do the trick. If there’s other places I should look in your advice would be helpful, but you may have to speak slowly so I don’t get too lost in the code.

Regards…cracker

Hi malasho,
Can you explain how I re-assign my $_SESSION variable? I think I should look right at the beginning in the login page?
Would that be right?

Here is some code from the login page
if (isset($_POST[‘ClientEmail’])) {
$loginUsername=$_POST[‘ClientEmail’];
$password=$_POST[‘ClientPassword’];

if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
//declare two session variables and assign them
$_SESSION[‘MM_Username’] = $loginUsername;

As you see I am using Dreamweaver. Some of its code is a bit hard from me to follow.

cracker

Hi malasho,
This is my query
[php]$query_Orders = sprintf(“SELECT * FROM tbl_OrderDetails WHERE OrderNumber = %s”, GetSQLValueString($colname_Orders, “text”));
$Orders = mysql_query($query_Orders, $Product) or die(mysql_error());
$row_Orders = mysql_fetch_assoc($Orders);
$totalRows_Orders = mysql_num_rows($Orders);[/php]

This is generated by Dreamweaver so I am not familiar with the %s part. Can you shed some light? I guess it’s a variable coming from somewhere.

malasho,
I figured it out. Thanks for the help. Your comments made me look deeper into my code and put my thinking cap on.
I can now move onto the next hurdle.
cracker

Glad you got it figured out. I had posted just before going to bed and apologize that I didn’t see any of your followup messages until now. Feel free to let me know if you run into any other issues.

Sponsor our Newsletter | Privacy Policy | Terms of Service