Discussion: update form, security issue (PHP Language forums, part of the PHP Programming Forums category)
Hi,

I have to write a secure update-record PHP script. Here are the complete details of the website: the website has a login system that authenticates the user, writes the session ID for the username and goes on. The user can post and read msgs; he can also update the msgs that he had posted in the past once he is logged in. When the user tries to update a msg, the script checks the MySQL DB with

select * from Msg where username = session ID

Suppose the recordset returns msg numbers 1, 3, 5, 7, 9 for that particular username. I pass the user to a page ...update.php?msg_id=1 and the user can update the stuff. Everything is working fine.

Problem: what if the user changes the URL to ...update.php?msg_id=2? He can still update the record, although he has not posted msg id 2. What sort of method or code should I use to restrict him to the msgs that he posted? If you feel that I am using a bad method or that my database structure should have a new field, please let me know, because I can still make changes to the DB structure as well as my scripts; we are in the somewhat initial stage of the development of the product.

Regards
Jaunty Edward
> the website has a login system that authenticates the user, writes the
> session ID for username and goes on.
>
> The user can post, read msg he can also update the msgs that he had
> posted in the past once he is logged in.
>
> when user tries to update the msg, the script checks MySQL DB with
>
> select * from Msg where username = session ID
>
> suppose recordset returns msg number 1,3,5,7,9 with that particular
> username.
> I pass the user to a page ...update.php?msg_id=1 and the user can
> update the stuff.
>
> Everything is working fine,
>
> Problem
>
> what if the user changes the url to ...update.php?msg_id=2

You need to check that the user has privileges to do what he's asking before doing it (and most likely, ON THE SAME PAGE SUBMIT as he's asking to do it). Remember that anything that comes from the browser can be faked.

Also, things may have changed since then: you don't want the user editing a message which has already been deleted by the moderator.

You may want to protect against two people editing the record and stomping on each other's changes: if the ORIGINAL values for the record (which you put on the form in hidden fields) don't match the values in the record at the time the change is submitted, then the record changed while it was being edited, and (depending on what and how it changed) you may have to reject the change.

> he can still update the record, what to do he has not posted msg id 2.
> what sort of method or code should i use to restrict him to the msg that he posted

There are a couple of possibilities. One is to put the qualifier "WHERE username = sessionID" on all queries that make changes so he can't touch records that aren't his. Another is to get the username and compare it (in PHP) before making the change. It may seem redundant doing that checking on two different pages, but it's not.

Gordon L. Burditt