How to protect customer information

EzGenerator V4 forum


hottopik
Wed Jan 01, 2020 2:28 am



If you guys remember, I posted something a while back detailing the fact that users can view customer information simply by manipulating the URL parameters.

For instance: mywebsite.com/file.php?action=pending&do=details&orderid=10

Anyone with permission to the centraladmin.php profile, or with access to file.php, can simply change 10 to 11, 12, 13, 14, 15, 16 ... 100 and view all transactions on the website.

If you would like to prevent this from happening, you need to go to ../ezgen_data/lister.php

Open lister.php and navigate to the function GET_PENDING_ORDER. Inside this function you will notice a "$data=fetch-all-query(...)".

Code:

// The "AND po.userid = ..." condition is the fix: the order must belong to the
// logged-in user, not merely exist with the requested orderid.
$data = $db->fetch_all_array('
    SELECT *
    FROM '.$db->pre.$this->pg_pre.'pending_orders AS po
    LEFT OUTER JOIN '.$db->pre.$this->pg_pre.'orderlines AS ol ON po.orderid = ol.ol_orderid
    LEFT JOIN '.$db->pre.$this->g_datapre.'data AS dt ON ol.ol_pid = dt.pid
    WHERE po.orderid = '.intval($id).'
    AND po.userid = '.$this->user->mGetUserID($db).'
    ORDER BY ol.id ASC');
Replace that chunk of code with the above. Now users can only see orders whose userid matches the userid assigned to them at registration.

You're welcome.

I'm currently looking to see if there is another section for "confirmed orders" where you would have to do the same thing again.
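The following is an added example, not code from the post or from EzGenerator. It reproduces the insecure direct object reference described above and the ownership fix in a runnable Python/sqlite3 stand-in for the PHP/MySQL code: the table names and the columns the post's query joins on (orderid, userid, ol_orderid, ol_pid, pid, id) are taken from the post; the table prefixes are dropped, and customer_email, qty, name and all sample rows are constructed for the example. It also shows the enumeration itself (stepping orderid through a range) so the before/after difference is measurable.

```python
import sqlite3

# Constructed stand-in for the EzGenerator tables referenced by the query in the
# post (pending_orders, orderlines, data). The column names the query uses
# (orderid, userid, ol_orderid, ol_pid, pid, id) are taken from the post; the
# table prefixes and every other column, plus all sample rows, are assumptions
# made for this example.
SCHEMA = """
CREATE TABLE pending_orders (
    orderid        INTEGER PRIMARY KEY,
    userid         INTEGER NOT NULL,
    customer_email TEXT    NOT NULL
);
CREATE TABLE orderlines (
    id         INTEGER PRIMARY KEY,
    ol_orderid INTEGER NOT NULL,
    ol_pid     INTEGER NOT NULL,
    qty        INTEGER NOT NULL
);
CREATE TABLE data (
    pid  INTEGER PRIMARY KEY,
    name TEXT    NOT NULL
);
"""

# Constructed sample data: user 1 owns order 10, user 2 owns orders 11 and 12.
SAMPLE_ROWS = {
    "pending_orders": [(10, 1, "alice@example.test"),
                       (11, 2, "bob@example.test"),
                       (12, 2, "bob@example.test")],
    "orderlines": [(1, 10, 100, 1), (2, 11, 101, 2), (3, 12, 100, 5)],
    "data": [(100, "Widget"), (101, "Gadget")],
}


def make_db():
    """Build an in-memory SQLite database holding the sample rows above."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return db


# Same join shape as the post's query; values are bound as parameters instead of
# being concatenated into the SQL string.
BASE_QUERY = """
SELECT po.orderid, po.userid, po.customer_email, dt.name AS product, ol.qty
FROM pending_orders AS po
LEFT OUTER JOIN orderlines AS ol ON po.orderid = ol.ol_orderid
LEFT JOIN data AS dt ON ol.ol_pid = dt.pid
WHERE po.orderid = ?
"""


def get_pending_order_vulnerable(db, order_id, current_user_id=None):
    """Original behaviour: whoever asks gets the order. current_user_id is
    accepted only so both fetchers share a signature; it is never checked."""
    rows = db.execute(BASE_QUERY + " ORDER BY ol.id ASC", (int(order_id),))
    return [dict(r) for r in rows]


def get_pending_order(db, order_id, current_user_id):
    """Fixed behaviour: ownership is part of the WHERE clause, so a request for
    someone else's orderid yields no rows rather than their data."""
    rows = db.execute(BASE_QUERY + " AND po.userid = ? ORDER BY ol.id ASC",
                      (int(order_id), int(current_user_id)))
    return [dict(r) for r in rows]


def enumerate_orders(fetch, db, current_user_id, id_range):
    """Simulate the attack from the post: step orderid through a range and
    collect every customer e-mail the caller was able to read."""
    leaked = set()
    for oid in id_range:
        for row in fetch(db, oid, current_user_id):
            leaked.add(row["customer_email"])
    return leaked


if __name__ == "__main__":
    db = make_db()
    attacker = 1  # logged in as user 1, who legitimately owns only order 10
    print("before fix:", sorted(enumerate_orders(get_pending_order_vulnerable, db, attacker, range(1, 101))))
    print("after fix: ", sorted(enumerate_orders(get_pending_order, db, attacker, range(1, 101))))
```

The ownership predicate has to be applied to every code path that loads an order by id, including any "confirmed orders" lookup, since an attacker only needs one unguarded path. Binding the id and user id as parameters, as done here, is the general form of the intval() guard in the PHP snippet: it keeps the values out of the SQL text regardless of their type.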
