Roy | Posted: 05/30/2002, 11:58 AM
I have a problem with the shopping cart of the bookstore. I am using PHP and MySQL. As soon as you see a list of books (shoppingcart.php) you can click on details for editing order info. Hereby the order id is submitted as a parameter through the URL. I can change this parameter in the URL to one of a different user. This enables me to change orders of other persons. Perhaps I made a stupid mistake! Please help!
Roy!
Nicole | Posted: 05/31/2002, 3:45 AM
Roy,
There are a couple of ways:
1. Use the POST method to pass the order_id value. Please refer to this article for the detailed description: http://www.gotocode.com/art.asp?art_id=142&
2. Check the value of the UserID var for the logged-in user and compare it to the UserID value stored in the orders table for the passed order_id. If they do not match, e.g. redirect the user to any other page. Please check on this forum for more details, I remember that this problem was discussed before.
Roy | Posted: 05/31/2002, 9:28 AM
Thanks Nicole,
I prefer option two, but I can't find the code for it on the forum.
I am trying the following code:
if (get_session("UserRights") <> get_param("user_id")) {
    header("Location: noaccess.php");
    exit; // stop the script so the rest of the page is not rendered after the redirect
}
Does this code need to be put on the page open event or the form open event?
Can you help further?
Thanks
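The check Nicole describes in option 2, written out as an added example (it is not code from this thread or from the bookstore project): the order row is loaded by the order_id taken from the URL, its user_id is compared with the UserID of the logged-in user, and both the read and the later update are refused when they differ. The session key 'UserID', the 'orders' table with columns order_id, user_id and status, the PDO connection details and the page noaccess.php are assumptions for this example. Because the denial is a header() redirect, the check has to run before the page has produced any output, and before any order data is read or written.

```php
<?php
// Added example, not from the original thread. Ownership check for the
// order-details page of the bookstore shopping cart.
// Assumed names: $_SESSION['UserID'] set at login; table orders(order_id, user_id, status).
session_start();

function loadOwnedOrder(PDO $db, int $orderId, int $currentUserId): ?array
{
    // Fetch by order_id only, then decide ownership in code, so that a missing
    // row and a row belonging to another user get exactly the same response.
    $stmt = $db->prepare('SELECT order_id, user_id, status FROM orders WHERE order_id = :id');
    $stmt->execute([':id' => $orderId]);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($order === false || (int) $order['user_id'] !== $currentUserId) {
        return null;
    }
    return $order;
}

function denyAndExit(): void
{
    // Always terminate after the redirect header; otherwise PHP keeps
    // executing the page and the order data is still sent to the browser.
    header('Location: noaccess.php');
    exit;
}

// Not logged in: there is no user to compare against, so deny before any DB access.
if (empty($_SESSION['UserID'])) {
    denyAndExit();
}
$currentUserId = (int) $_SESSION['UserID'];

// The URL parameter is only accepted as a positive integer; null means absent, false means invalid.
$orderId = filter_input(INPUT_GET, 'order_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($orderId === null || $orderId === false) {
    denyAndExit();
}

// Connection details are placeholders for this example.
$db = new PDO('mysql:host=localhost;dbname=bookstore;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$order = loadOwnedOrder($db, $orderId, $currentUserId);
if ($order === null) {
    denyAndExit();
}

// From here on $order belongs to the logged-in user. The update repeats the
// user_id condition so that the write is protected even if the read check is
// ever bypassed or refactored away.
$update = $db->prepare(
    'UPDATE orders SET status = :status WHERE order_id = :id AND user_id = :uid'
);
$update->execute([':status' => 'edited', ':id' => $orderId, ':uid' => $currentUserId]);
```

Keeping the user_id condition in the UPDATE as well as in the SELECT means the ownership rule is enforced on every path that touches the row, not only on the one that happens to run first.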
Roy | Posted: 05/31/2002, 12:16 PM
Thanks Nicole,
You pointed me in the right direction. I prefer method number two, but I can't find example code for it on the forum. I have already used a redirect before, but that code doesn't work in this case. Can you help me out a little bit further!
Thanks,
roy