I have written an online billing system;
it handles my clients, inventory, invoices, discounts, payments, etc.
The index page shows all invoices for the client or admin; when one is clicked, it produces the invoice again for reprinting.
the url string I am using to accomplish this is:
print_invoice.php?invoiceid=XXX
where “XXX” is the invoice number.
I wish to PROTECT the script from users altering the URL to produce an invoice which is not theirs.
EG:
- Invoice number 3 is created for User 1.
- User 1 logs into the billing script and prints invoice #3 by clicking the URL: print_invoice.php?invoiceid=3
- User 1 is an asshole and wants to see what other invoices are there, and changes the “3” on the URL string to “1”.
- User 1 now sees invoice #1.
I have tossed around the idea of referral code protection (easy to break tho…) and session protection (creating an array of ‘printable’ invoices in the session?).
Any other ideas or solutions I should use, or ones I’m not thinking of?
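The usual fix for the scenario in the post is to make the database row, not the URL, decide what the user may see: look the invoice up by id AND by the logged-in client's id, so a tampered `invoiceid` simply finds nothing. Below is an added example of that check for print_invoice.php; it is not the poster's code. It assumes the login code sets `$_SESSION['user_id']` and `$_SESSION['is_admin']`, an `invoices` table with `id` and `client_id` columns, PDO with MySQL, and a `render_invoice()` function that already exists; all of those names are assumptions.

```php
<?php
// Added example (not the original poster's code): ownership check for print_invoice.php.
// Assumptions: login sets $_SESSION['user_id'] and $_SESSION['is_admin'];
// the `invoices` table has columns id and client_id; render_invoice() exists.
session_start();

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in.');
}

// Validate the id as an integer before it goes anywhere near the query.
$invoiceId = filter_input(INPUT_GET, 'invoiceid', FILTER_VALIDATE_INT);
if ($invoiceId === false || $invoiceId === null) {
    http_response_code(400);
    exit('Bad invoice id.');
}

$pdo = new PDO('mysql:host=localhost;dbname=billing', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// The authorization decision comes from the row itself, not from the URL or the
// Referer header: a non-admin only ever receives a row whose client_id matches
// the id stored in their own session at login time.
if (!empty($_SESSION['is_admin'])) {
    $stmt = $pdo->prepare('SELECT * FROM invoices WHERE id = :id');
    $stmt->execute([':id' => $invoiceId]);
} else {
    $stmt = $pdo->prepare('SELECT * FROM invoices WHERE id = :id AND client_id = :client');
    $stmt->execute([':id' => $invoiceId, ':client' => (int) $_SESSION['user_id']]);
}
$invoice = $stmt->fetch(PDO::FETCH_ASSOC);

if ($invoice === false) {
    // Same response whether the invoice does not exist or belongs to someone else,
    // so the URL cannot be used to work out which invoice numbers are in use.
    error_log(sprintf('print_invoice denied user=%d invoice=%d', $_SESSION['user_id'], $invoiceId));
    http_response_code(404);
    exit('Invoice not found.');
}

render_invoice($invoice); // existing rendering code, assumed to exist
```

Compared with the two ideas in the post: the Referer header is set by the browser and is trivially changed, so it gives no protection; a per-session array of printable invoice ids does work, but it has to be rebuilt whenever an invoice is created or reassigned, whereas the `client_id` condition in the query is always current. Keeping the denied lookups in the log also makes tampering visible afterwards as a run of 404s from one user.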