is it a security risk to have the post id # in the address bar when allowing others to edit content?

I am using this edit form to let users edit their posts/notes etc. And the way i have it is this way:

 www.domain.com/editpost.php?id=390Adkw

So if someone plays around and changes the "390Adwk" to something like "390dkjdkljfld" it will mess up the content or worse yet, it wil开发者_StackOverflow社区l change someone elses content.

It will mess up because when i will do update it will be something like: Update this where id=id and it might get messed up.

So what is one way to prevent this using php?

Within the editpost page you need to do two things. During the GET request you need to check whether or not the particular user requesting that id has access to it.

During the POST, you again need to check whether or not that particular user has the rights to edit it.

In short, don't trust that just because they passed an ID in that they have any rights to do anything with that ID.

Do not trust user's input. Always check user's permission server-side and if they're not permitted to change it, don't allow them to do so

You will need to embed the id somewhere anyway. The URL is as good a place as any. You need to have server-side checks in place that make sure a user can only edit what he's allowed to. If you do, there's no difference between the user manipulating the id directly and navigating to the record by hand and hitting the Edit button. I.e. he could edit the record either way.

In your database, you need to link that post, comment, etc to the user that made that post. Then when sending that request check if the user that wants to edit the post is the one that created it or check if he has enough rights to edit said post.

If the user messes with the post variables, running that check will make it harder for those posts to be edited by unwanted users.