I have a page that is drawing information from 1 table via an Id#.
I want to prevent someone from "guessing" a number for the id and inputting it into the URL.
Example:
test.php?id=2 is valid (so it gives you the correct information)
But I want to prevent someone from typing:
test.php?id=200 which is not valid, since the id doesn't exist in the DB (hence causing the script to not display correctly)
Currently I have this on test.php:
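// Redirect unless id is all digits AND a row with that id exists.
// The digit check runs first, so the query only ever sees numeric input.
if (! ((preg_match("/^\d+$/", get_param("id"))) and get_db_value("SELECT id FROM table WHERE id=" . get_param("id"))))
{
    header("Location: testpage.php");
    exit;
}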
This does the above the way I want it to...
And here's the "but".
I have a total of 6 records ( this will not change )
For this page, though, I want only records 4-6 to be accessible, and still return users to testpage.php if they try to input id=1 or id=200. So the only "valid" ids for test.php to give information for are id=4, id=5 and id=6.
What should I change?
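
One way to implement the restriction asked about above, as an added example that is not part of the original post: the id is parsed strictly, checked against a fixed allow-list of 4, 5 and 6, and only then looked up with a bound parameter. The PDO in-memory SQLite database (requires the pdo_sqlite extension), the table name `records`, the `title` column, `ALLOWED_IDS` and `resolve_record()` are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Table "records", its sample rows and
// the function name resolve_record() are constructed for illustration.

const ALLOWED_IDS = [4, 5, 6];   // the only ids test.php may serve

/**
 * Return the row for $rawId, or null if the id is malformed, outside the
 * allow-list, or missing from the database.
 */
function resolve_record(PDO $db, $rawId): ?array
{
    // Strict parse: rejects "4abc", "5\n", " 4", "4.0", arrays and null.
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    if (!is_string($rawId) || !preg_match('/\A[0-9]{1,9}\z/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // Allow-list check before touching the database.
    if (!in_array($id, ALLOWED_IDS, true)) {
        return null;
    }

    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, title FROM records WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: six records in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO records (id, title) VALUES (?, ?)');
for ($i = 1; $i <= 6; $i++) {
    $ins->execute([$i, "Record $i"]);
}

// In test.php the input would be $_GET['id'] and the null case would call
// header('Location: testpage.php'); exit;  Here constructed inputs are used.
foreach (['4', '6', '1', '200', "5\n", '4abc', ''] as $input) {
    $row = resolve_record($db, $input);
    echo json_encode($input), ' => ',
         $row ? "show {$row['title']}" : 'redirect to testpage.php', PHP_EOL;
}
```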