How can i prevent a user with a login "a" to acess another information in database with login "b", just with changing the URL variable?
example:
www.example.com/eee-directory/entity/entidade.asp?id=4 and I manually change to this address to www.example.com/eee-directory/entity/entidade.asp?id=5

Thanks

Edited by - carlosleal on 16 Sep 2004 12:30:51

It is not a good idea to post passwords or logins with an QueryString. You should use request.form and POST instead.

Hi,

I'm using request.form and POST method, nobody can see the username and the password. The problem is if my login suceed i go to the page www.example.com/eee-directory/entity/entidade.asp?id=4, the id 4 is the login to the entity 4 and all the data that appears is for this entity, but if in the address bar change to 5, i will see the data of other entity.
Understand my problem? Probably the best thing to do is encrypt the variables, do you know how to do it?

Thanks

I understand your problem. But why do you let the entidade.asp?id=4 visible in your webbrowser.

You can also build in an extra option. Something like:

IF MM_USERNAME = "username" and Request.QueryString = "4" then response.end else [other code]