Ok, deal is I have a private messaging system. Now through the "message.php" file a message is called with ?id=$messageid.
Messages are stored in MySQL and have the following fields.
id
author (int)
reciever (int)
message
timestamp
When a user logs into the system, he gets $_SESSION['userId'] = the user's id from the SQL table.
So to make sure you can only access messages that you are "allowed" to, I'm first running the query
SELECT * from messages where id=$id
THEN
I run the $_SESSION['userId'] to check if they are either an AUTHOR or RECIEVER of the message; if this equals true, I print out the message.
So to the point now. Is it potentially unsafe to actually run the SELECT * query and then authenticate? Would it be safer to run something like:
SELECT author, reciever * ....
and then
SELECT message
?
Just a bit concerned that my current solution will be unsafe.
Thanks for any advice
Daniel
post query authentication [theory]
- stereofrog
- Forum Contributor
- Posts: 386
- Joined: Mon Dec 04, 2006 6:10 am
what's wrong with

    select * from messages
    where id=$id and $user_id in (author, reciever)  -- column is spelled "reciever" in the schema above

where $id and $user_id are properly prepared, e.g. converted to int.
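For the record, here is the single-query version above written out as a working message.php-style fetch. This is an added example, not code from Daniel or stereofrog. It assumes PDO is available, uses an in-memory SQLite database with a few constructed rows so it runs stand-alone (swap the DSN for your MySQL one), and keeps the column name "reciever" exactly as spelled in Daniel's schema.

```php
<?php
// Added example, not from the thread: authorization folded into the query
// (as stereofrog suggests) with both values bound as integers, so neither
// $id nor the session user id is ever pasted into the SQL text.
declare(strict_types=1);

// Stand-in for the real MySQL connection: in-memory SQLite with constructed rows.
function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (
        id INTEGER PRIMARY KEY,
        author INTEGER NOT NULL,
        reciever INTEGER NOT NULL,
        message TEXT NOT NULL,
        timestamp INTEGER NOT NULL
    )');
    // Constructed sample data: user 1 wrote to user 2, user 3 wrote to user 4.
    $ins = $db->prepare(
        'INSERT INTO messages (id, author, reciever, message, timestamp) VALUES (?, ?, ?, ?, ?)'
    );
    $ins->execute([10, 1, 2, 'hello from 1 to 2', 1700000000]);
    $ins->execute([11, 3, 4, 'hello from 3 to 4', 1700000001]);
    return $db;
}

/**
 * Returns the message row only if $userId is its author or receiver,
 * otherwise null. Because the ownership test is part of the WHERE clause
 * there is no window where the row is loaded but not yet checked, and an
 * unknown id and a forbidden id look the same to the caller.
 */
function fetchMessageForUser(PDO $db, int $messageId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, author, reciever, message, timestamp
           FROM messages
          WHERE id = :id AND :user IN (author, reciever)'
    );
    $stmt->bindValue(':id', $messageId, PDO::PARAM_INT);
    $stmt->bindValue(':user', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// How message.php would call it: the id comes from the query string and is
// validated as an integer before it is bound; the user id comes only from
// the session, never from the request.
$db = openSampleDb();
$sessionUserId = 2;          // stand-in for $_SESSION['userId'] after login
$rawId = '10';               // stand-in for $_GET['id']

$id = filter_var($rawId, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('bad id');
}

// Message 10 belongs to user 2, message 11 does not, 999 does not exist.
foreach ([$id, 11, 999] as $requested) {
    $msg = fetchMessageForUser($db, $requested, $sessionUserId);
    echo $requested, ': ', $msg === null ? 'not found' : $msg['message'], "\n";
}
```

Fetch-then-check is not unsafe in itself as long as the check always runs before anything is echoed and $id is cast or bound as an integer; what the single query buys you is that the check cannot be forgotten on some code path, and the "no such message" and "not your message" cases return the same empty result.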