Currently I am using session variables to determine who is viewing the website and then matching the user's session name against the profile name being viewed. If these match then the profile will be editable (since it is their profile).
I am using:
$pid = $_GET['pid']; // Profile being viewed
$edit = $_GET['edit']; // true/false for editing
$username = $_SESSION['username'];
$pclass = new user_profile($db, $pid, $username);
$pclass just takes my database connection, the profile that is being viewed and the user viewing it.
class user_profile {
    private $db;
    private $username; // profile being viewed ($pid)
    private $viewer;   // username from the session

    public function __construct(\database $db, $pid, $viewer) {
        $this->db = $db;
        $this->username = $pid;
        $this->viewer = $viewer;
    }
}
For displaying the edit button and then allowing the user to view the edit page I use a method myProfile(), which is simply:
public function myProfile() {
    // strict comparison of the viewed profile's name with the session username
    return $this->username === $this->viewer;
}
Is this a secure enough way to stop users editing other people's profiles, or is there another way around it, or a different way this should be done?
Given the information that you supplied, this is a secure way of doing this.
$_SESSION is something you control on the server, and can't be modified by the user.
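As an added illustration (not code from the question or the answer), the block below keeps the asker's user_profile::myProfile() comparison and shows the point a reviewer would want to see: the check is enforced on the request that actually writes the profile, not only when deciding whether to render the edit button, because $_GET['edit'] and $_GET['pid'] are under the client's control while $_SESSION['username'] is not. The database class is a constructed in-memory stand-in for the asker's \database wrapper (whose real API the page does not show), and handleRequest() is a hypothetical controller that takes the superglobals as arrays so it can be run from the command line.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the asker's \database class (assumption: the real
// wrapper is not shown on the page). Holds username => bio in memory.
class database
{
    /** @var array<string,string> */
    private array $bios = ['alice' => 'hello', 'bob' => 'hi'];

    public function updateBio(string $username, string $bio): void
    {
        $this->bios[$username] = $bio;
    }

    public function bio(string $username): ?string
    {
        return $this->bios[$username] ?? null;
    }
}

class user_profile
{
    public function __construct(
        private database $db,
        private string $username, // owner of the profile being viewed ($pid)
        private string $viewer    // identity taken from $_SESSION, never from the request
    ) {}

    public function myProfile(): bool
    {
        // Strict comparison; both sides are strings, so no type juggling.
        return $this->username === $this->viewer;
    }

    // Hypothetical write path (assumption: not on the original page).
    // The authorisation decision lives here, so a request that merely sets
    // ?edit=true or posts to another user's $pid is refused no matter what
    // the client sent.
    public function saveBio(string $bio): void
    {
        if (!$this->myProfile()) {
            throw new RuntimeException('403: not your profile');
        }
        $this->db->updateBio($this->username, $bio);
    }
}

/**
 * Hypothetical controller. $session stands for $_SESSION, $get and $post for
 * the request superglobals. Returns [HTTP status, whether to show the edit form].
 */
function handleRequest(database $db, string $method, array $get, array $post, array $session): array
{
    if (!isset($session['username'])) {
        return [401, false];
    }
    $profile = new user_profile($db, (string)($get['pid'] ?? ''), (string)$session['username']);

    // Rendering only: the edit flag decides what is shown, never what is allowed.
    $showEditForm = $profile->myProfile() && (($get['edit'] ?? '') === 'true');

    if ($method === 'POST' && isset($post['bio'])) {
        try {
            $profile->saveBio((string)$post['bio']);
        } catch (RuntimeException $e) {
            return [403, $showEditForm];
        }
        return [200, $showEditForm];
    }
    return [200, $showEditForm];
}

// Constructed requests: alice saving her own profile, then alice posting to bob's.
$db = new database();
[$status] = handleRequest($db, 'POST', ['pid' => 'alice', 'edit' => 'true'], ['bio' => 'new'], ['username' => 'alice']);
echo "own profile: $status, alice's bio is now '{$db->bio('alice')}'\n";
[$status] = handleRequest($db, 'POST', ['pid' => 'bob', 'edit' => 'true'], ['bio' => 'pwned'], ['username' => 'alice']);
echo "other profile: $status, bob's bio is still '{$db->bio('bob')}'\n";
```

In the second request the client controls pid, edit and the posted body, but the session username still says alice, so myProfile() is false inside saveBio() and bob's bio is left untouched; the edit flag only ever influenced what was displayed. The check is cheap enough to repeat on every state-changing handler rather than trusting that the button was hidden.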