I am setting up a PHP website for customers that allows them to view information about their account. The site is secure and users must log on to view their details. Certain pages are restricted based on a user's type. Many of the details contained within this site are financially sensitive, therefore security is paramount. I currently have a script that dynamically generates a table listing all the customers associated with a particular company. The customer name is a hyperlink that, when clicked, opens a new page displaying extended details about the chosen customer. As it stands I am sending the customer ID and portfolio No via the URL and retrieving it using $_GET, therefore the details are in plain sight for all to see.
My problem is that, once logged in, a user could potentially manually change the customer ID in the URL and view anyone's details. I am going to implement a database check but I would also prefer to POST the chosen customer's details, therefore eliminating the risk of manual tampering. Is this possible to do? Are you able to force a POST when a user selects a given link? I am using PHP5 with an MSSQL database. Any assistance would be most appreciated.
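
The database check mentioned in the question, sketched as an added example that is not part of the original post: the lookup is scoped to the company stored in the logged-in user's session, so it applies the same way whether the ID arrives via `$_GET` or `$_POST`. The table and column names, the session key and the function name `fetchCustomerForUser` are assumptions, and an in-memory SQLite database stands in for MSSQL so the script runs on its own.

```php
<?php
// Added example: server-side ownership check for the customer detail page.
// Assumed schema: customers(id, company_id, portfolio_no, name).

function fetchCustomerForUser(PDO $db, $companyId, $customerId, $portfolioNo)
{
    // Reject anything that is not a plain non-negative integer before querying.
    if (!ctype_digit((string)$customerId) || !ctype_digit((string)$portfolioNo)) {
        return null;
    }
    // Scope the lookup to the logged-in user's company: an ID that belongs
    // to another company matches no row, however it was submitted.
    $stmt = $db->prepare(
        'SELECT id, name, portfolio_no FROM customers
          WHERE id = :id AND portfolio_no = :pf AND company_id = :company'
    );
    $stmt->execute(array(
        ':id'      => (int)$customerId,
        ':pf'      => (int)$portfolioNo,
        ':company' => (int)$companyId,
    ));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed sample data (SQLite in memory instead of MSSQL) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, company_id INTEGER, portfolio_no INTEGER, name TEXT)');
$db->exec("INSERT INTO customers VALUES (101, 1, 5001, 'Alice Example')");
$db->exec("INSERT INTO customers VALUES (202, 2, 6001, 'Bob Example')");

// On the real page this value is set at login and read from the session,
// never from the request.
$session = array('company_id' => 1);

// Constructed requests; on the real page these come from $_GET or $_POST.
$requests = array(
    array('id' => '101',    'pf' => '5001'), // customer of the user's own company
    array('id' => '202',    'pf' => '6001'), // ID changed to another company's customer
    array('id' => '101abc', 'pf' => '5001'), // malformed value
);
foreach ($requests as $r) {
    $c = fetchCustomerForUser($db, $session['company_id'], $r['id'], $r['pf']);
    echo $r['id'], ' => ', $c ? 'show ' . $c['name'] : '403 Forbidden', "\n";
}
```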