I got another problem and I think I will explain it in a bad way, so I'll try to make it clear. I'll start off by explaining the process of this part of the site.
1. User submits proof to database, attached to the proof is job ID
2. User goes to myjobs.php, where the database queries all jobs with their user ID matching (so only the jobs they created are viewed). There is then a link to jobproof.php
3. jobproof.php then queries the table "proof" for all records with the current job ID
4. The url is then like jobproof.php?ID=21
So now all the proof for job ID 21 is displayed, and the creator of job 21 can view this by going to myjobs.php and then going to jobproof.php?ID=21.
This works fine but there is a problem... Any user can then type jobproof.php?ID=21 and view all the records.
The way I think to stop this is by only allowing the jobproof.php page to be accessed from myjobs.php.
I don't know if there's a more effective way or if I'm making the structure of this wrong. I didn't think of this problem before I started this part of the site.
This is the first part of jobproof.php, this gets all the proof records for that particular jobID.
    # connect to the database (connection details replaced with placeholders)
    mysql_connect('asdasdasd3');
    mysql_select_db('asdasdasd');
    session_start();

    $my_id = trim(' ' . @$_GET['ID']); // always yields a string, even when ?ID= is absent

    // sanitize the value: keep it only if it is a non-zero integer, otherwise treat as empty
    if ('' < $my_id) {
        $my_id = (int) $my_id;      // extract the integer value
        if (0 == $my_id) {
            $my_id = '';            // 0 or non-numeric input: handle as empty
        } else {
            $my_id = "$my_id";      // back to a string for the query
        }
    }

    if ('' == $my_id) {
        // handle the case where no valid ?ID= is present
    } else {
        // we have ID = some integer > 0; note there is no check that the
        // logged-in user is the creator of this job, which is the problem described above
        $result = mysql_query("SELECT * FROM `proof` WHERE job_id = '$my_id'") // returns every proof row for this job
            or die(mysql_error());
    }

    // START AN OUTPUT TABLE
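One way to close the hole described above is to make jobproof.php check, in the database, that the requested job was created by the logged-in user before returning any proof rows. The code below is an added example, not the poster's code; it assumes a `jobs` table with `id` and `user_id` columns, a `job_id` column on `proof`, the logged-in user's id in `$_SESSION['user_id']`, and placeholder PDO connection details.

```php
<?php
// Added example (not the poster's code): top of jobproof.php with an ownership check,
// so ?ID=21 only returns rows when job 21 was created by the logged-in user.
// Assumed (not in the original post): a `jobs` table with columns `id` and `user_id`,
// the `proof` table's `job_id` column, the user's id in $_SESSION['user_id'],
// and placeholder PDO connection details.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// True only when a job with this id exists AND was created by this user.
function userOwnsJob(PDO $pdo, int $jobId, int $userId): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM jobs WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $jobId, ':uid' => $userId]);
    return $stmt->fetchColumn() !== false;
}

// The proof rows for a job; only called after the ownership check has passed.
function proofForJob(PDO $pdo, int $jobId): array
{
    $stmt = $pdo->prepare('SELECT * FROM proof WHERE job_id = :id');
    $stmt->execute([':id' => $jobId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in.');
}

// Accept only a positive integer; a missing or malformed ID is handled as "no such job".
$jobId = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

if ($jobId === false || $jobId === null || !userOwnsJob($pdo, $jobId, (int) $_SESSION['user_id'])) {
    // One response for "missing" and "not yours", so the URL cannot be used to
    // discover which job ids exist.
    http_response_code(404);
    exit('No such job.');
}

$result = proofForJob($pdo, $jobId);
// START AN OUTPUT TABLE: loop over $result and print the rows
```

Because the ownership condition is evaluated on the server against the session, it holds no matter how the user reached the page, which is what restricting access "from myjobs.php" alone cannot guarantee.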