
I have a GET edit button, <a href="edit_leave.php?delete=id); ?>, linking to an edit page. My problem is that I have noticed a user can edit other leave types by just changing the id on the link: https://www.website.com/edit_leave.php?edit=11.

I have tried adding this script on top of the page:

    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'GET' && realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
        header('HTTP/1.0 403 Forbidden', TRUE, 403);
        die(header('location: /404.php'));
    }
    ?>

How can I prevent this edit via URL?

  • Do these users have access to the item they are accessing? If not then you should write extra code to check if a user is authorized to edit/delete an item – DarkBee Dec 21 '22 at 06:11
  • Please refer to the following answer https://stackoverflow.com/questions/33999475/prevent-direct-url-access-to-php-file – HARINDA VITHANA Dec 21 '22 at 06:16
  • @HARINDAVITHANA OP already saw that question as the snippet posted is an exact copy of one of the answers – DarkBee Dec 21 '22 at 06:19
  • @DarkBee My bad for not noticing. Apologies. – HARINDA VITHANA Dec 21 '22 at 06:27
  • No problem, just pointing out – DarkBee Dec 21 '22 at 06:35
  • My problem is that despite adding the script I can still change the id and edit the form linked to the id. I am running on localhost – Eliud Karanja Ndiritu Dec 21 '22 at 07:39
  • Well yeah, from what I can tell the initial question uses mod_rewrite before executing the scripts. Did you read my initial comment? – DarkBee Dec 21 '22 at 07:58
  • I'm not sure I get this question. Do you have a proper authentication/authorisation system in place? There's no way to discriminate access without that, unless you have a static IP address and you want to base it on that. – Álvaro González Dec 21 '22 at 08:36
  • Authorization and authentication are in place. Let me give an example: I have applied for a leave type, e.g. annual leave, and I have an option to cancel the leave, i.e. href="index.php?cancel=id); ?>. Then there is a condition to hide the cancel button, but a user can still access the leave via the address bar using the link. – Eliud Karanja Ndiritu Dec 21 '22 at 09:09
  • So you already have the logic built, currently used to decide if the button must be shown. Use that same logic to decide if the cancellation can be processed. – Álvaro González Dec 21 '22 at 09:32

0 Answers
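The problem in the question is a missing object-level authorization check (often called an insecure direct object reference): the application authenticates the user but then trusts the `id` in the URL to pick which leave row to edit or cancel. The snippet copied from the other answer cannot fix that, because it only tests whether the script was requested directly; it says nothing about who is making the request. The comment thread's advice is to reuse the same ownership logic that hides the button when processing the action itself. The following is an added example, not code from the question or from any of the commenters, showing the vulnerable query beside the hardened one. It assumes a `leaves` table with `id`, `user_id`, `leave_type` and `status` columns and a login that stored the user's id in `$_SESSION['user_id']`; the in-memory SQLite data and the function names are constructed for the demo.

```php
<?php
// Added example (not from the original question): object-level authorization
// for the edit/cancel links discussed above. Table and column names are assumed.
declare(strict_types=1);

// Vulnerable pattern: any logged-in user can act on any row by changing ?cancel=<id>.
function cancelLeaveInsecure(PDO $db, int $leaveId): bool
{
    $stmt = $db->prepare("UPDATE leaves SET status = 'cancelled' WHERE id = ?");
    $stmt->execute([$leaveId]);
    return $stmt->rowCount() === 1;
}

// Hardened pattern: the owner comes from the server-side session, never from the URL,
// and the ownership test is part of the same statement that changes the row.
function cancelLeaveForUser(PDO $db, int $leaveId, int $userId): bool
{
    $stmt = $db->prepare(
        "UPDATE leaves SET status = 'cancelled'
          WHERE id = ? AND user_id = ? AND status = 'pending'"
    );
    $stmt->execute([$leaveId, $userId]);
    // 0 affected rows: not this user's row, no such row, or not cancellable any more.
    return $stmt->rowCount() === 1;
}

// Same check for the edit page: load the row only if it belongs to the caller,
// so edit_leave.php?edit=11 yields nothing for anyone but leave 11's owner.
function loadLeaveForUser(PDO $db, int $leaveId, int $userId): ?array
{
    $stmt = $db->prepare(
        "SELECT id, user_id, leave_type, status FROM leaves WHERE id = ? AND user_id = ?"
    );
    $stmt->execute([$leaveId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handler as it would sit at the top of index.php (cancel) or edit_leave.php.
// $session and $query stand in for $_SESSION and $_GET so the function is testable.
function handleCancelRequest(PDO $db, array $session, array $query): int
{
    $userId  = $session['user_id'] ?? null;
    $leaveId = filter_var($query['cancel'] ?? null, FILTER_VALIDATE_INT);
    if ($userId === null) {
        return 401;            // not logged in
    }
    if ($leaveId === false) {
        return 400;            // id missing or not an integer
    }
    if (!cancelLeaveForUser($db, $leaveId, (int) $userId)) {
        return 403;            // not yours or not found: same answer either way
    }
    return 200;
}

// Constructed in-memory data so the example runs offline; a real app uses its own DB.
function seedDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec("CREATE TABLE leaves (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
                                    leave_type TEXT NOT NULL, status TEXT NOT NULL)");
    $db->exec("INSERT INTO leaves VALUES (10, 1, 'annual', 'pending'), (11, 2, 'sick', 'pending')");
    return $db;
}

if (PHP_SAPI === 'cli') {
    $db = seedDemoDb();
    // User 1 edits the URL to ?cancel=11, which belongs to user 2.
    printf("user 1 cancels leave 11: HTTP %d\n", handleCancelRequest($db, ['user_id' => 1], ['cancel' => '11']));
    // User 1 cancels their own leave 10.
    printf("user 1 cancels leave 10: HTTP %d\n", handleCancelRequest($db, ['user_id' => 1], ['cancel' => '10']));
    // User 1 opens edit_leave.php?edit=11: the hardened loader returns no row.
    var_dump(loadLeaveForUser($db, 11, 1));
    // The insecure query has no ownership test and changes leave 11 anyway.
    printf("insecure cancel of leave 11: %s\n", cancelLeaveInsecure($db, 11) ? 'cancelled' : 'refused');
}
```

Run it with `php` on the command line: the cross-user cancel and the cross-user edit lookup are refused, the owner's own cancel succeeds, and the insecure variant changes the other user's row. The same rule applies to every page that takes an `id` from the query string: put the `user_id = ?` condition in the query itself (or compare the fetched row's owner with the session user before acting) rather than relying on the link being hidden. Two further points a reviewer would raise: returning the same 403/404 for "not yours" and "does not exist" avoids letting a user enumerate which ids are valid, and a state-changing action such as cancel is better done with a POST form carrying a CSRF token than with a GET link, since a GET link can be triggered by any page the user visits.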