MySQL Noob Security Question

miro

I have a 'users' table with 'id', 'user_name' & 'user_password' fields
And another table called 'images' with fields 'id', 'image_filename' & 'image_description'

I use cookies to authenticate users upon and after login.

I want the user to be able to UPDATE the 'image_description' where the image 'id' = 5

So I use UPDATE 'images' SET 'image_description' = 'newDesc' WHERE 'id' = 5

The only thing that worries me about this is that if someone was to tamper the data they could change that 'id' to a whatever they want and still pass the authentification with their own username/password and therefore change someone's elses description... What is the best practice.
I'm new to databases....

Thanks in advance

laserlight

miro wrote:
The only thing that worries me about this is that if someone was to tamper the data they could change that 'id' to a whatever they want and still pass the authentification with their own username/password and therefore change someone's elses description... What is the best practice.

Use a session. The user id can then be stored in the session, away from the tampering of the user. The user can still try and tamper with the session id, but it is more difficult to obtain the session id of another valid user.