Member Avatar for logicaweb

I'm making a B2B portal that can see just loggedin business customers that I add to base, I finished almost all, but there is one problem.
When customer add some goods to his cart, goes to checkout and confirm his order he will have a link to invoice.php?ids=156 and that will appers just in his profile and not in profile of other customers but if he change ids number like this invoice.php?ids=150 he will see content although he did not create that purchase.
This is not a big problem if someone does not try to change ids of invoice.php and compromise the privacy of another user.

As I said in the title I need to make partially page user access restrictions, to all users can see page but same page with "ids?=" can see just user that create that page.

I apologize for the bad English.

Does anyone have an idea?
Thanks in advance!

  • 2 Contributors
  • 3 Replies
  • 169 Views
  • 14 Hours Discussion Span
  • Latest Post Latest Post by urtrivedi
Member Avatar for urtrivedi

IN your sql query to load invoice details, you add one more condition to filter records based on login id.

$query="select * from invoice where invoieno='{$_GET[ids]}' and USERID='{$_SESSION['userid']}'";
Edited by urtrivedi
commented: Solved my problem. +0
Member Avatar for logicaweb

That query solved my problem. Thank you very much!
Is there any chance to insert some text in restricted access page?

Edited by logicaweb because: One more question.
Member Avatar for urtrivedi

if recordcount of query is zero then you can give message and exit page

if($row['invoiceno']!=$_GET['ids'])
{
   echo "Permission denied";
   exit;
}
commented: Thank you again! You're the no.1! :) +0
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.