PHP sending GET request through email securely


I am trying to make an attendance system where I mark the employee's attendance when the link is clicked by me. So whenever the employee presses the button, I get an email with their info with decline and accept URLs. The URLs I'm trying to pass on will have variable data in them, something like:

http://website.com/page.php?id=123&username=abc

and then use $_GET['id'], $_GET['username']. But the problem that I see with it is that a user could just pass on their information to do the process that I want to do here if they know the URL and their ID.

Is there a more secure and better way to do this?


Solution

  • My opinion is:

    If that link is clicked by the user, you don't need that param. Store that in the session instead and check against that!

    Or for the admin, there is no problem with that param. You just need to check that the current user's session has the admin role, and if not, just show a permission error.
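
The session checks suggested in the answer above, sketched for page.php as an added example that is not part of the original answer. The session keys `user_id` and `role`, the `action` query parameter and both function names are assumptions; the page only gives `id` and `username`.

```php
<?php
// Added example, not from the original answer. Session keys ('user_id', 'role'),
// the 'action' parameter and the function names are assumptions.
declare(strict_types=1);

/** Decide what page.php may do, given the session and the query string. */
function authorizeAttendanceAction(array $session, array $query): array
{
    // Not logged in: knowing the URL and an ID grants nothing.
    if (!isset($session['user_id'], $session['role'])) {
        return ['status' => 401, 'error' => 'Login required'];
    }
    // Only a session with the admin role may accept or decline attendance.
    if ($session['role'] !== 'admin') {
        return ['status' => 403, 'error' => 'Permission denied'];
    }
    // The id in the URL only names the record; validate it as plain data.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $action = $query['action'] ?? '';
    if ($id === false || !in_array($action, ['accept', 'decline'], true)) {
        return ['status' => 400, 'error' => 'Bad request'];
    }
    return ['status' => 200, 'employee_id' => $id, 'action' => $action,
            'admin_id' => $session['user_id']];
}

/** Employee side: identity comes from the session, never from the URL. */
function employeeIdForMarkRequest(array $session): ?int
{
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

if (PHP_SAPI !== 'cli') {
    // Wiring for page.php when served over HTTP.
    session_start();
    $result = authorizeAttendanceAction($_SESSION, $_GET);
    http_response_code($result['status']);
    if ($result['status'] !== 200) {
        exit($result['error']);
    }
    // The attendance update for $result['employee_id'] goes here (storage is outside this example).
    echo 'Attendance ' . $result['action'] . ' recorded.';
} else {
    // Constructed sample input for a command-line run: employee session, then admin session.
    var_dump(authorizeAttendanceAction(['user_id' => 7, 'role' => 'employee'], ['id' => '123', 'action' => 'accept']));
    var_dump(authorizeAttendanceAction(['user_id' => 1, 'role' => 'admin'], ['id' => '123', 'action' => 'accept']));
}
```

With this in place an employee who opens the accept URL with their own ID gets the permission error, because the decision depends on the role stored server-side in the session and not on anything in the query string.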