
post query authentication [theory]

Posted: Wed Aug 22, 2007 2:52 am
by stakes
OK, the deal is I have a private messaging system. Now through the "message.php" file a message is called with ?id=$messageid.

Messages are stored in MySQL and have the following fields:

id
author (int)
reciever (int)
message
timestamp

When a user logs into the system, he gets $_SESSION['userId'] = the user's id from the SQL table.

So to make sure you can only access messages that you are "allowed" to, I'm first running the query:

SELECT * from messages where id=$id

THEN

I run the $_SESSION['userId'] to check if they are either an AUTHOR or RECIEVER to the message; if this equals true, I print out the message.

So, to the point now: is it potentially unsafe to actually run the SELECT * query and then authenticate? Would it be safer to run something like:

SELECT author, reciever * ....

and then

SELECT message

?

Just a bit concerned that my current solution will be unsafe.

Thanks for any advice

Daniel

Posted: Wed Aug 22, 2007 3:02 am
by stereofrog
what's wrong with

Code:

select * from messages
   where id=$id and $user_id in (author, receiver)

where $id and $user_id are properly prepared, e.g. converted to int.
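
The single-query check suggested above, written out with bound parameters as an added example (not code from the thread). It assumes PDO with an in-memory SQLite database standing in for MySQL, a hypothetical helper `fetchMessageFor`, and constructed sample rows; column names follow the first post.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (a stand-in for the
// thread's MySQL table; column names, including "reciever", follow the first post).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, author INTEGER,
            reciever INTEGER, message TEXT, timestamp INTEGER)');
$pdo->exec("INSERT INTO messages VALUES (1, 10, 20, 'hi from 10 to 20', 1187750000),
                                        (2, 30, 40, 'private to 40', 1187750100)");

/**
 * Hypothetical helper: returns the message row only if $userId is its author
 * or recipient, null otherwise. A missing row and a forbidden row look the
 * same to the caller, so message ids cannot be probed for existence.
 */
function fetchMessageFor(PDO $pdo, mixed $rawId, int $userId): ?array
{
    // Reject anything that is not a plain positive integer ("1 OR 1=1", "1.5", arrays).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameters keep both values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT id, author, reciever, message, timestamp FROM messages
          WHERE id = :id AND :uid IN (author, reciever)'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// $rawId plays the role of $_GET['id'], $userId the role of $_SESSION['userId'].
$cases = [['1', 10], ['1', 20], ['1', 30], ['2', 10], ['1 OR 1=1', 10], ['999', 10]];
foreach ($cases as [$rawId, $userId]) {
    $row = fetchMessageFor($pdo, $rawId, $userId);
    printf("id=%-10s user=%d -> %s\n", $rawId, $userId, $row ? $row['message'] : 'not found');
}
```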

Posted: Wed Aug 22, 2007 3:12 am
by stakes
If only I knew SQL better.. hehe

Thanks!