So I have built a PM System that seems to work, but I need an outside opinion on whether how I am displaying the User’s Private Message is secure enough. (Since this module is like 2,000+ lines of code, I can’t just post everything here.)
When a User is in his/her Inbox and clicks on a Message entry, it sends the User to my “view_pm.php” script and a URL like this would be created…
http://local.debbie/account/view_pm.php?msgview=incoming&msg=2
In order to view the PM, the User has to be logged in, and my Message query looks like this…
$q2 = "SELECT member_id_to, m_to.username AS username_to, m_to.photo_name AS photo_to,
member_id_from, m_fr.username AS username_from, m_fr.photo_name AS photo_from,
subject, body, sent_on, read_on
FROM private_message AS pm
INNER JOIN pm_recipient AS r
ON pm.id=r.message_id
INNER JOIN member AS m_to
ON m_to.id=r.member_id_to
INNER JOIN member AS m_fr
ON m_fr.id=pm.member_id_from
WHERE r.member_id_to=?
AND pm.id=?";
Notice that in the last two lines I am checking that the request is for a… 1.) Valid PM, and is from a 2.) Valid Member
I get the “MemberID” from the User’s Session.
What worries me is if just passing “&msg=2” in the Query String is enough??
It shouldn’t matter, since I am pairing that up with the “Member ID”, but I just wanted another opinion.
BTW, I have tested my code and it appears to be working fine.
Thoughts?
Thanks,
Debbie
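The pattern in the post (look the message up by its id *and* the logged-in member’s id in the same query, so a guessed `msg` value for someone else’s message returns nothing) is the right defence against insecure direct object references. Below is an added example of a complete `view_pm.php` handler built around that idea; it is not Debbie’s code. It assumes a PDO connection in `$pdo`, that login stores the member id under `$_SESSION['member_id']`, and that `read_on` lives on `pm_recipient` while `subject`, `body`, `sent_on` and `member_id_from` live on `private_message` (the post does not say which table holds which column). The `outgoing` view and its `pm.member_id_from` ownership test are likewise assumptions, added to show how the same check adapts when the viewer is the sender rather than the recipient.

```php
<?php
// Added example, not Debbie's code. Assumed: $pdo (PDO), $_SESSION['member_id'] set at
// login, and the table/column layout described in the lead-in.
declare(strict_types=1);

session_start();

// 1. The member id comes from the session only. Nothing in the URL identifies the viewer.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('You must be logged in.');
}
$memberId = (int) $_SESSION['member_id'];

// 2. Whitelist the view type and require a positive integer message id.
//    The map's values are fixed SQL fragments; user input only selects a key, so the
//    later string interpolation never carries user-controlled text into the query.
$ownerConditions = [
    'incoming' => 'r.member_id_to = ?',    // viewer must be the recipient (the post's case)
    'outgoing' => 'pm.member_id_from = ?', // assumed: viewer must be the sender
];
$msgView = $_GET['msgview'] ?? '';
if (!array_key_exists($msgView, $ownerConditions)) {
    http_response_code(400);
    exit('Bad request.');
}
$msgId = filter_input(INPUT_GET, 'msg', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($msgId === false || $msgId === null) {
    http_response_code(400);
    exit('Bad request.');
}

// 3. The query from the post, with the ownership test kept inside the WHERE clause
//    so "does it exist?" and "is it yours?" are answered by one prepared statement.
$sql = "SELECT r.member_id_to, m_to.username AS username_to, m_to.photo_name AS photo_to,
               pm.member_id_from, m_fr.username AS username_from, m_fr.photo_name AS photo_from,
               pm.subject, pm.body, pm.sent_on, r.read_on
        FROM private_message AS pm
        INNER JOIN pm_recipient AS r ON pm.id = r.message_id
        INNER JOIN member AS m_to ON m_to.id = r.member_id_to
        INNER JOIN member AS m_fr ON m_fr.id = pm.member_id_from
        WHERE {$ownerConditions[$msgView]}
          AND pm.id = ?";

$stmt = $pdo->prepare($sql);
$stmt->execute([$memberId, $msgId]);
$pm = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Zero rows covers both "no such message" and "not your message". Returning the same
//    404 for both means a guessed id does not reveal whether a message exists.
if ($pm === false) {
    http_response_code(404);
    exit('Message not found.');
}

// 5. Escape everything on output; the body is user-written text.
echo '<h1>' . htmlspecialchars($pm['subject'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>From: ' . htmlspecialchars($pm['username_from'], ENT_QUOTES, 'UTF-8') . '</p>';
echo '<div>' . nl2br(htmlspecialchars($pm['body'], ENT_QUOTES, 'UTF-8')) . '</div>';
```

The two points a reviewer would look for beyond the query itself are that the member id is never read from the request (only from the session) and that the `msgview` value is used as a lookup key into fixed SQL fragments rather than being spliced into the statement. With those in place, passing `&msg=2` in the query string is fine: the id only selects which of the viewer’s own messages to show.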