Can you use a cookie to limit what mySQL row somebody can edit?

gopanthers

I have a bit of simple code I used successfully on a past website to allow me to edit the data in a simple database via an HTML page. At first it lists every person (row) in my database, but then when I click on the name it allows me to edit that person's personal info (the rest of the data in that row). This is done by "passing along" the user ID in the url, like http://website.com/thispage.php?id=321. Here's the code if it helps.

<?php

$db = mysql_connect("localhost", "USER", "PASSWORD"); 
mysql_select_db("DATABASE",$db);

if ($id) {
  if ($submit) {
    $sql = "UPDATE alumni SET firstname='$firstname', lastname='$lastname', maidenname='$maidentname', classyear='$classyear', city='$city', state='$state', country='$country', 
position='$position', employer='$employer', phone='$phone', email='$email', aim='$aim', icq='$icq', yahoo='$yahoo', website='$website', fund='$fund', donate='$donate' WHERE id=$id";
    $result = mysql_query($sql);
    echo "Thank you! Information updated.\n";
  } else {
    // query the DB
    $sql = "SELECT * FROM alumni WHERE id=$id";
    $result = mysql_query($sql);	
    $myrow = mysql_fetch_array($result);
    ?>

<p>Last Updated: <?php echo $myrow["lastupdated"] ?></p>

<form method="post" action="<?PHP echo $PHP_SELF?>"> 
<input type=hidden name="id" value="<?php echo $myrow["id"] ?>">
First Name: <input type="Text" name="firstname" value="<?php echo $myrow["firstname"] ?>"><br> 
Last Name: <input type="Text" name="lastname" value="<?php echo $myrow["lastname"] ?>"><br>
Maiden Name: <input type="Text" name="maidentname" value="<?php echo $myrow["maidenname"] ?>"><br> 
Class: <input type="Text" name="classyear" value="<?php echo $myrow["classyear"] ?>"><br> 
City: <input type="Text" name="city" value="<?php echo $myrow["city"] ?>"><br> 
State: <input type="Text" name="state" value="<?php echo $myrow["state"] ?>"><br>
Country: <input type="Text" name="country" value="<?php echo $myrow["country"] ?>"><br> 
Position: <input type="Text" name="position" value="<?php echo $myrow["position"] ?>"><br> 
Employer: <input type="Text" name="employer" value="<?php echo $myrow["employer"] ?>"><br>
Phone: <input type="Text" name="phone" value="<?php echo $myrow["phone"] ?>"><br> 
E-mail: <input type="Text" name="email" value="<?php echo $myrow["email"] ?>"><br> 
AIM: <input type="Text" name="aim" value="<?php echo $myrow["aim"] ?>"><br> 
ICQ: <input type="Text" name="icq" value="<?php echo $myrow["icq"] ?>"><br> 
Yahoo: <input type="Text" name="yahoo" value="<?php echo $myrow["yahoo"] ?>"><br> 
Website: <input type="Text" name="website" value="<?php echo $myrow["website"] ?>"><br>
<input type="Submit" name="submit" value="Process Information"> 

<?php
}
} else {

  // display list of alumni
  $result = mysql_query("SELECT * FROM alumni ORDER BY lastname",$db);
  while ($myrow = mysql_fetch_array($result)) {
    printf("<a href=\"%s?id=%s\">%s %s</a><br>\n", $PHP_SELF, $myrow["id"], $myrow["lastname"], $myrow["firstname"]);
  }
    echo "<p>If new entry, <a href=\"new.php\">click here</a>\n";
}
?>

That works fine for me if I'm the only one with access to this update page, but I'd really like to allow people to update their own information themselves. To do that, I can't use any method that depends on a user's ID being in the URL because even if this page didn't display links to everybody first, anybody could still just type in any random number to the id=321 part and easily meddle with somebody else's personal info.

So is it in any way possible to use a cookie to specify which one user's data (row) can be updated by this code? In my situation, anybody coming to this form should already be logged in as a user on my website (unrelated to this database), and should have a cookie that includes their username. If I add another field to each database row that contains that user's website username, is there a way that I can modify this code above (or make new code) to somehow say "since this person is already logged in as 'joe-schmoe', here's the HTML to let them edit only their own database information (the data in the row that already contains 'joe-shmoe' listed as their website username)."???

bradgrafelman

Considering a cookie can be altered just like the URL can be, I don't see how that's any more secure.

Why not simply use the URL-based version and, when the form is submitted, verify that the user logged in has permissions to alter the data submitted?

gopanthers

Anybody on this website is completely not knowledgeable enough to even know how to hack a cookie, plus they're all trusted enough not to want to do that, so serious security isn't really an issue for me. That said, if it were as simple and obvious as just changing a few numbers in the URL to mess with somebody else's data just for fun, they are childish enough for that.

But I'm intrigued by your notion about using the URL based updating but verifying their permission to edit that line of data based on a cookie. Again, I don't need to set any cookies - there should already be one particular cookie set on their browser. But how could I do this "verify permission by cookie" thing?

Thanks

laserlight

gopanthers wrote:
Anybody on this website is completely not knowledgeable enough to even know how to hack a cookie, plus they're all trusted enough not to want to do that, so serious security isn't really an issue for me.

If that is true, that you should have no worries that "anybody could still just type in any random number to the id=321 part and easily meddle with somebody else's personal info".

dalecosp

I'd suggest using [man]sessions[/man] instead ... which is basically a cookie stored on the server where people can't play with them. Keeps data out of the URI as well, so no worries there.

And yes, I've used cookies before to keep people from changing DB entries:

Me:  Bob, would you mind not inserting crap into the DB when you shell in tomorrow?
Bob:  What's in it for me, dweeb?
Me:  Here, have a cookie ....