Protecting URLs from manipulation

I have written an online billing system;

it handles my clients, inventory, invoices, discounts, payments, etc…

The index page shows all invoices for the client or admin; when clicked, it will produce the invoice again for reprinting.

The URL string I am using to accomplish this is:
print_invoice.php?invoiceid=XXX

where “XXX” is the invoice number.

I wish to PROTECT the script from users altering the URL to produce an invoice which is not theirs.

EG:

  • Invoice number 3 is created for User 1.
  • User 1 logs into the billing script and prints invoice #3 by clicking the URL:
    print_invoice.php?invoiceid=3
  • User 1 is an asshole and wants to see what other invoices are there and changes the “3” in the URL string to “1”.
  • User 1 now sees invoice #1.

I have tossed around the idea of referral code protection (easy to break tho…) and session protection (creating an array of ‘printable’ invoices in the session?).

Any other ideas or solutions I should use, or that maybe I’m not thinking of?

I presume your invoices are linked to the users who can rightfully view them by some sort of link, or association (in the database)? You could just check which user is logged in against the called upon invoice’s user association, and if they don’t match, display an error message (possibly with a notification that this possible attempt at hacking is reported to the administrators of the website).
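
The ownership check described in the reply above, as an added example that is not part of the original thread. The `invoices` table, its `user_id` column, and the `user_id` / `is_admin` session keys are assumptions, and the sample rows are constructed; it needs PHP with the `pdo_sqlite` extension.

```php
<?php
// Added example: schema, column names and session keys are assumptions.
declare(strict_types=1);

/**
 * Return the invoice only if the logged-in user owns it (or is an admin).
 * Ownership is enforced in the WHERE clause, so a foreign invoice and a
 * non-existent one look identical to the caller.
 */
function fetch_invoice_for(PDO $db, int $userId, bool $isAdmin, int $invoiceId): ?array
{
    if ($isAdmin) {
        $stmt = $db->prepare('SELECT * FROM invoices WHERE id = :id');
        $stmt->execute([':id' => $invoiceId]);
    } else {
        $stmt = $db->prepare('SELECT * FROM invoices WHERE id = :id AND user_id = :uid');
        $stmt->execute([':id' => $invoiceId, ':uid' => $userId]);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER, total TEXT)');
$db->exec("INSERT INTO invoices VALUES (1, 2, '40.00'), (3, 1, '99.50')");

// In print_invoice.php these values would come from $_SESSION and $_GET.
$session = ['user_id' => 1, 'is_admin' => false];   // User 1 is logged in
foreach (['3', '1', 'abc'] as $raw) {               // values of ?invoiceid=
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $invoice = $id === false ? null
        : fetch_invoice_for($db, $session['user_id'], $session['is_admin'], $id);
    if ($invoice === null) {
        // Same response for "not yours" and "does not exist"; log for the admins.
        error_log("invoice access denied: user={$session['user_id']} invoiceid=" . json_encode($raw));
        echo "invoiceid=$raw -> 404 Not Found\n";
        continue;
    }
    echo "invoiceid=$raw -> invoice #{$invoice['id']}, total {$invoice['total']}\n";
}
```

Because the user ID comes from the server-side session and never from the URL, changing `invoiceid` only selects among invoices the logged-in user already owns.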
