I have an action in file viewreport it is about ticket:
if(isset($_GET['closeticket']) == 'true')
{
    $db->query("update tickets set status='Closed' where id='$id'");
    header("Location: viewreport?id=".$id."");
}
But even a user can close a ticket that doesn't belong to him via the URL. So I want to block direct URL access to this action.
Here is the action:
<a href="viewreport?closeticket=true&id=<?php echo $id;?>" class="btn btn-danger" id="">Close</a>
You should check if this operation belongs to the user via sessions or cookies.
It must be something like this:
if($_SESSION["group"] == "Admin" ){
    // update operation.
}
I hope this is helpful for you.
You should check if the user is allowed to close that report before executing.
Thus, something like:
if(isset($_GET['closeticket']))
{
    $userIsAllowed = true; // your magic here
    if ($userIsAllowed) {
        $db->query("update tickets set status='Closed' where id=" . $db->quote($id));
        header("Location: viewreport?id=".$id."");
    } else {
        echo "You're not allowed to close this ticket";
    }
}
Make sure to properly escape your queries, as mentioned in the comments (by chelmertz).
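Putting both answers together, the role check from the first answer and the "your magic here" ownership check from the second, as an added example that is not part of the question or of either answer. It assumes that $db is a PDO connection, that the tickets table has an owner_id column, that login stored $_SESSION['user_id'] and $_SESSION['group'], and that $id holds the ticket currently being viewed; all of those names are assumptions. It also goes one step beyond the answers by moving the action from a GET link to a POST form with a CSRF token, because a GET link that changes state can be triggered by any page the logged-in user happens to visit, not only by the user clicking the button.

```php
<?php
// Added example, not code from the question or either answer.
// Assumptions: $db is a PDO instance, tickets has an owner_id column,
// login stored $_SESSION['user_id'] and $_SESSION['group'], and $id is
// the ticket shown on this page.
session_start();

// One token per session, embedded in the form and checked on every POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Authorization: admins may close any ticket, everyone else only their own.
// The owner is read from the database, never from the request.
function canCloseTicket(PDO $db, int $ticketId, int $userId, string $group): bool
{
    if ($group === 'Admin') {
        return true;
    }
    $stmt = $db->prepare('SELECT owner_id FROM tickets WHERE id = :id');
    $stmt->execute([':id' => $ticketId]);
    $ownerId = $stmt->fetchColumn();
    // false means no such ticket; a missing ticket is not closable either
    return $ownerId !== false && (int)$ownerId === $userId;
}

// The update itself, as a prepared statement so $id is never spliced into SQL.
function closeTicket(PDO $db, int $ticketId): void
{
    $stmt = $db->prepare("UPDATE tickets SET status = 'Closed' WHERE id = :id");
    $stmt->execute([':id' => $ticketId]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['closeticket'])) {
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
    // CSRF check: the submitted token must match the one issued to this session.
    $token = $_POST['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // Validate the id as an integer before it reaches the database.
    $ticketId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($ticketId === false || $ticketId === null) {
        http_response_code(400);
        exit('Invalid ticket id');
    }
    if (!canCloseTicket($db, $ticketId, (int)$_SESSION['user_id'], (string)($_SESSION['group'] ?? ''))) {
        http_response_code(403);
        exit("You're not allowed to close this ticket");
    }
    closeTicket($db, $ticketId);
    header('Location: viewreport?id=' . $ticketId);
    exit;
}
?>
<!-- The button posts a form instead of following a GET link. -->
<form method="post" action="viewreport">
    <input type="hidden" name="id" value="<?= (int)$id ?>">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
    <button type="submit" name="closeticket" value="1" class="btn btn-danger">Close</button>
</form>
```

The order of the checks matters: authentication first, then the CSRF token, then input validation, then authorization against the row in the database, and only then the update. Doing the authorization with a query for the owner rather than trusting anything in the request is what actually stops the URL-tampering described in the question; the prepared statements cover the separate injection problem chelmertz pointed out.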