


Best Security Practice For Passing ID to controller form


Scott Farmer

Community Member, 49 Posts

8 July 2016 at 12:36pm

Hi,

A member has bookings. Each member can update their own booking. So I am passing the ID like this:
members/update/editbooking/1300

And to load their details, I filter on the ID and the logged-in MemberID (without this, any member could view any booking).

My question is: is this the best way to do this? Should I generate a random identifier string to pass into the URL instead, so I don't expose IDs?

Thanks

martimiz

Forum Moderator, 1391 Posts

9 July 2016 at 2:32am

As the ID is only ever exposed to the logged-in user, who can only view his own bookings (a user can have multiple bookings?), the security risk isn't that big - but why not use something the member knows anyway, like an order number, which is supposed to be unique as well?

Scott Farmer

Community Member, 49 Posts

9 July 2016 at 8:49pm

Thanks for that. Will use a generated order number string to pass.
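The two ideas in this thread combined (the owner filter from the question and the order-number lookup from the reply), as an added example that is not code from the thread. It assumes SilverStripe 3.x, PHP 7 (for random_bytes) and a hypothetical Booking DataObject with a has_one to Member:

```php
<?php
// Added example, not from the thread. Assumes SilverStripe 3.x, PHP 7 and a
// hypothetical Booking DataObject owned by a Member through a has_one.

class Booking extends DataObject
{
    private static $db = array('OrderNumber' => 'Varchar(32)');
    private static $has_one = array('Member' => 'Member');

    // Generate the lookup key server side, so the URL never carries the row ID
    // and keys cannot be enumerated by counting upwards.
    protected function onBeforeWrite()
    {
        parent::onBeforeWrite();
        if (!$this->OrderNumber) {
            $this->OrderNumber = 'BK-' . strtoupper(bin2hex(random_bytes(8)));
        }
    }

    // Ownership rule lives on the object so every code path applies the same check.
    public function canEdit($member = null)
    {
        $memberID = $member instanceof Member ? $member->ID : Member::currentUserID();
        return $memberID && (int)$this->MemberID === (int)$memberID;
    }
}

class BookingController extends Controller
{
    private static $allowed_actions = array('editbooking');

    // URL: members/update/editbooking/BK-...   (order number, not the database ID)
    public function editbooking(SS_HTTPRequest $request)
    {
        // The key alone is not authorisation: still filter on the logged-in owner,
        // exactly as the question does with the numeric ID.
        $booking = Booking::get()->filter(array(
            'OrderNumber' => $request->param('ID'),
            'MemberID'    => Member::currentUserID(),
        ))->first();

        // Same 404 whether the booking is missing or belongs to someone else,
        // so the response does not reveal which order numbers exist.
        if (!$booking || !$booking->canEdit()) {
            return $this->httpError(404);
        }
        return $this->customise(array('Booking' => $booking))->renderWith(array('BookingEdit', 'Page'));
    }
}
```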