more secure way of deleting db record than url variable?
Posted on 2011-03-25
I have a page that lets admins delete users. The way I've got it configured right now, the userid is passed in the url, where an if statement deletes the user record if it's present. But, it occurred to me that doing that is not very secure. If anyone ever wanted to, they could easily delete all the user records by just visiting that URL with a userid attached.
Is there a better way to manage that? I'm already using the cflogin framework (which should prevent any non-logged-in user from hitting the delete URL), and I suppose I could check for a certain user role in the delete code so I make sure the person doing the deleting is authorized.
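For reference, here is the pattern the question is circling around, written as an added example and not as the poster's ColdFusion code: the delete handler refuses anything but a POST, requires an authenticated user with the admin role (the role check the poster proposes on top of cflogin), checks a per-session anti-CSRF token so that an admin's logged-in browser cannot be tricked into submitting the request from another site, and binds the userid as a query parameter instead of pasting it into SQL. The `Request`, `Session` and in-memory SQLite table are constructed stand-ins for the real framework objects; the hypothetical handler name `delete_user` and the sample rows are assumptions for the illustration.

```python
"""Hardened admin 'delete user' handler (added illustration in Python; the
original post describes a ColdFusion page using cflogin). Request, Session
and the users table are constructed stand-ins, not real framework objects."""
import hmac
import secrets
import sqlite3
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)  # POST form fields
    query: dict = field(default_factory=dict)   # URL variables (GET)


@dataclass
class Session:
    user_id: Optional[int] = None
    roles: frozenset = field(default_factory=frozenset)
    # One random token per login; rendered as a hidden field in our own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def make_db():
    """Constructed sample users table (assumed schema, not the poster's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    db.commit()
    return db


def delete_user(req, sess, db):
    """Return (status, message). Only a POST from an authenticated admin that
    carries the session's CSRF token reaches the DELETE statement."""
    # 1. Never change state on GET: a link, <img> tag or prefetch can fire it.
    if req.method != "POST":
        return 405, "use POST"
    # 2. Authentication (what cflogin provides) and authorization (role check).
    if sess.user_id is None:
        return 401, "login required"
    if "admin" not in sess.roles:
        return 403, "admin role required"
    # 3. Anti-CSRF: the token lives only in our own pages, so a forged
    #    cross-site form cannot supply it. Constant-time compare on bytes.
    supplied = str(req.params.get("csrf_token", "")).encode("utf-8", "replace")
    if not hmac.compare_digest(supplied, sess.csrf_token.encode("utf-8")):
        return 403, "bad csrf token"
    # 4. Validate the identifier and bind it; never concatenate it into SQL.
    try:
        userid = int(req.params["userid"])
    except (KeyError, ValueError):
        return 400, "userid must be an integer"
    if userid == sess.user_id:
        return 400, "refusing to delete own account"
    cur = db.execute("DELETE FROM users WHERE userid = ?", (userid,))
    db.commit()
    if cur.rowcount == 0:
        return 404, "no such user"
    return 200, f"deleted user {userid}"


def count_users(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    admin = Session(user_id=1, roles=frozenset({"admin"}))
    # The situation from the post: just visiting the URL with a userid attached.
    print(delete_user(Request("GET", query={"userid": "2"}), admin, db))
    # A genuine submission from the admin's own delete form.
    form = Request("POST", params={"userid": "2", "csrf_token": admin.csrf_token})
    print(delete_user(form, admin, db), "remaining:", count_users(db))
```

The role check alone is not enough: an admin who is logged in and then visits a hostile page could still have the delete triggered on their behalf if the handler accepts a plain GET, which is why the method restriction and the session-bound token sit in front of the query.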