i'm a newbie and I just built a CRUD system but its not secure at all. The edit page has the ID number in the URL and users can simple just randomly type ID's to access other records in the database.
http://example.com/example_edit.php?id=2
<?php
include_once("connection.php");
$result = mysqli_query($mysqli, "SELECT * FROM mkregistrationchecklists WHERE login_id=".$_SESSION['id']." ORDER BY id DESC");
?>
<tbody>
<?php
while($res = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>".$res['id']."</td>";
echo "<td><span class='label ".$res['labelwarning']."'>".$res['status']."</span></td>";
echo "<td>".$res['todaysdatetime']."</td>";
echo "<td>".$res['tag']."</td>";
echo "<td>".$res['serialnumber']."</td>";
echo "<td>".$res['currentequipment']."</td>";
echo "<td>".$res['company']."</td>";
if ($res['status'] == "Submitted") {
echo "<td><a href='page_read.php?id=$res[id]' class='btn btn-default glyphicon glyphicon-eye-open'></a></td>";
} else{
echo "<td><a href=\"page_edit.php?id=$res[id]\" class='btn btn-default fa fa-pencil-square'></a> | <a href=\"page_delete.php?id=$res[id]\" class='btn btn-danger fa fa-trash' onClick=\"return confirm('Are you sure you want to delete?')\"></a></td>";
}
echo "</tr>";
}
?>
</tbody>
What is the best approach in securing this?
Should i encrypt like this?
$secure_id = $_GET['id'];
$decryped_id = base64_decode($secure_id);
I updated my code, im saving the records according to the login_id but it still looks unprofessional with the id tag in the urls.
You have to add user / record owner unique identification into all SQL queries, typically :
$query = "SELECT * FROM table WHERE id = 1 AND user_id = 2";
with this approach you can be sure that user access only his records. Id of logged in user can be placed somewhere in SESSION.
Hiding or hashing ids is not recommended, it's a anti-pattern and security through obscurity.