For instance: mywebsite.com/file.php?action=pending&do=details&orderid=10
Anyone with permission to the centraladmin.php profile or access to file.php can simply change (10) to 11, 12, 13, 14, 15, 16 ... 100 and can view all transactions on the website.
If you would like to prevent this from happening you need to go to ../ezgen_data/lister.php
Open lister.php and navigate to the function GET_PENDING_ORDER and inside this function you will notice a "$data=fetch-all-query(...)"
$data = $db->fetch_all_array(
    'SELECT * FROM '.$db->pre.$this->pg_pre.'pending_orders AS po'
    .' LEFT OUTER JOIN '.$db->pre.$this->pg_pre.'orderlines AS ol ON po.orderid = ol.ol_orderid'
    .' LEFT JOIN '.$db->pre.$this->g_datapre.'data AS dt ON ol.ol_pid = dt.pid'
    .' WHERE po.orderid = '.intval($id)
    // ownership check: the order must belong to the logged-in user; cast to int so only a number is ever concatenated
    .' AND po.userid = '.intval($this->user->mGetUserID($db))
    .' ORDER BY ol.id ASC'
);

Replace that chunk of code with the above. Now users can only see orders where their userid = the userid assigned to them at registration.
I'm currently looking to see if there is another section for "confirmed orders" where you would have to do the same thing again.
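The difference between the original lookup and the fixed one, as an added Python/SQLite example that is not the project's PHP code: the table names, columns and sample rows are constructed to mirror the query in the post, and the query is parameterised rather than string-concatenated. The last function runs the same id enumeration the post describes against both versions, which is the check a site owner can use to confirm the fix actually took.

```python
import sqlite3

# Constructed sample data (not from the page): orders 10 and 12 belong to user 1, order 11 to user 2.
SAMPLE_ORDERS = [(10, 1, 20.0), (11, 2, 35.5), (12, 1, 5.0)]
SAMPLE_LINES = [(1, 10, 100, 1), (2, 11, 101, 2), (3, 12, 100, 1)]
SAMPLE_PRODUCTS = [(100, "widget"), (101, "gadget")]

# Shared query body, matching the joins in the post's fetch_all_array() call.
ORDER_QUERY = """
    SELECT po.orderid, po.userid, dt.name, ol.qty
      FROM pending_orders AS po
      LEFT OUTER JOIN orderlines AS ol ON po.orderid = ol.ol_orderid
      LEFT JOIN data AS dt ON ol.ol_pid = dt.pid
     WHERE po.orderid = ?
"""


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pending_orders (orderid INTEGER PRIMARY KEY, userid INTEGER, total REAL)")
    db.execute("CREATE TABLE orderlines (id INTEGER PRIMARY KEY, ol_orderid INTEGER, ol_pid INTEGER, qty INTEGER)")
    db.execute("CREATE TABLE data (pid INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO pending_orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    db.executemany("INSERT INTO orderlines VALUES (?, ?, ?, ?)", SAMPLE_LINES)
    db.executemany("INSERT INTO data VALUES (?, ?)", SAMPLE_PRODUCTS)
    return db


def get_pending_order_original(db, order_id):
    """The original behaviour: only the orderid taken from the URL is checked."""
    return db.execute(ORDER_QUERY + " ORDER BY ol.id ASC", (int(order_id),)).fetchall()


def get_pending_order_fixed(db, order_id, session_user_id):
    """The fixed behaviour: the order must also belong to the logged-in user.

    session_user_id comes from the server-side session (the post's
    mGetUserID), never from the request, so the caller cannot choose it.
    """
    sql = ORDER_QUERY + " AND po.userid = ? ORDER BY ol.id ASC"
    return db.execute(sql, (int(order_id), int(session_user_id))).fetchall()


def enumerate_visible_orders(db, fetch, session_user_id, id_range):
    """Walk a range of order ids the way the post describes and report which are readable.

    fetch is a callable taking (db, order_id) and returning rows; pass either the
    original lookup or the fixed one bound to the session user.
    """
    return [oid for oid in id_range if fetch(db, oid)]


if __name__ == "__main__":
    db = make_db()
    user = 1
    print("original:", enumerate_visible_orders(db, get_pending_order_original, user, range(10, 13)))
    print("fixed:   ", enumerate_visible_orders(
        db, lambda d, oid: get_pending_order_fixed(d, oid, user), user, range(10, 13)))
```

With the original lookup the walk over ids 10..12 returns every order; with the ownership predicate user 1 only ever sees 10 and 12, and order 11 returns an empty result rather than another user's lines.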