post query authentication [theory]
Posted: Wed Aug 22, 2007 2:52 am
Ok deal is i have a private messaging system. Now throught the "message.php" file a message is called with ?id=$messageid.
Messages are stored mysql and have the following fields.
id
author (int)
reciever (int)
message
timestamp
When a user logs into the system. He gets $_SESSION['userId'] = the users id from sql table.
So too make sure you can only access messages that you "allowed" to I'm first running the query.
SELECT * from messages where id=$id
THEN
I run the $_SESSION['userId'] to check if they are either an AUTHOR or RECIEVER to the message, if this equals true, i print out the message.
So to the point now. Is it potentially unsafe to actually run the SELECT * query and then authenticate, would be more safe to run something like:
SELECT author, reciever * ....
and then
SELECT message
?
Just a bit concerned that my current solution will be unsafe.
Thanks for any advice
Daniel
Messages are stored mysql and have the following fields.
id
author (int)
reciever (int)
message
timestamp
When a user logs into the system. He gets $_SESSION['userId'] = the users id from sql table.
So too make sure you can only access messages that you "allowed" to I'm first running the query.
SELECT * from messages where id=$id
THEN
I run the $_SESSION['userId'] to check if they are either an AUTHOR or RECIEVER to the message, if this equals true, i print out the message.
So to the point now. Is it potentially unsafe to actually run the SELECT * query and then authenticate, would be more safe to run something like:
SELECT author, reciever * ....
and then
SELECT message
?
Just a bit concerned that my current solution will be unsafe.
Thanks for any advice
Daniel