⚠ In case you've missed it, we have migrated to our new website, with a brand new forum. For more details about the migration you can read our blog post for website migration. This is an archived forum. ⚠
Posted 09 April 2013 - 19:37 PM
When I set
$crud->where("id",$id);
Only the list gets filtered by the where.
I can still edit any number with an id other than the one specified by typing:
/edit/<any number here>
Ex.
index.php/main/pets/edit/5
So if you use the where clause to try to limit the users from editing what they shouldn't, you're gonna have a hard time.
Please fix this asap.
Hackers gonna hack.
Posted 09 April 2013 - 21:53 PM
I only use GC for the admin panel.
You need to chek the user's data ) it's the main rule in programming ))
it's not bug. because hacker can try this:
list: index.php/main/1/
index.php/main/pets/edit/5
does not work... mhhh
try this list: index.php/main/2/
index.php/main/pets/edit/5
does not work... mhhh
try this list: index.php/main/3/
index.php/main/pets/edit/5
oh )) yes )) it's working nice.
you need to check user's data before gc initialization
Posted 09 April 2013 - 22:54 PM
As [member=Victor] said the very first thing you do on your controller is to check which user is logged in or not.
Then you decide what to do with his request!
Posted 10 April 2013 - 04:39 AM
My program allows users to edit their own profile.
Which means
index.php/main/pets/edit/5 must be allowed.
but
index.php/main/pets/edit/4 mustn't,
How can I get GC to not allow index.php/main/pets/edit/4 ?
In other words, how can I get the value which the URL says to edit so I can compare it with the login users' id?
Posted 10 April 2013 - 09:03 AM
Since this is a user application, somehow you let them login.
When they are logged in by default you get their user->id, so
if $this->uri->segment(3) == $user->id then allow the edit
http://ellislab.com/codeigniter/user-guide/libraries/uri.html