I know there are already tons of PHP forums available, but this is just a proof of concept for myself, I suppose. So the problem I have is when a user goes to post a reply to a thread, I have an invisible input which posts the thread ID to the page I have which enters the reply into the database. The actual problem being that the POST field can be easily manipulated, allowing the user to change what thread he/she was actually replying to. Now, with that being said, I could check right before the data is going to be entered if the user has permission to post/read/view that thread or category.
There has to be a better way to do this. How can I retain the thread ID that they're replying to?
Always validate ANY sort of input. vB passes the thread number via GET data; it is still safe because you validate it. Validation would consist of you checking in the database if that user (who should also be authenticated) is indeed the owner of the post.
The rule of thumb is that if it is data from the client side, assume it's hostile.
I suppose the first question that springs to mind is why would anybody want to alter the POST ID of the thread they're replying to?
Of course, if they wanted to post a nonsensical response in a random thread, they'd navigate to that thread and post. So as long as you're checking if they have permission to post in that thread, and the thread is valid, where does the problem arise? And what does the so-called master hacker achieve?
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
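The server-side check the replies above describe, as an added example that is not part of the original thread: the hidden thread ID is treated as untrusted input, and the reply is stored only if the thread exists, is open, and the logged-in user may reply in its category. The schema, table names, `postReply()` and the sample rows are assumptions constructed for illustration; it assumes PHP 8 with the PDO SQLite driver.

```php
<?php
declare(strict_types=1);

// Constructed schema and rows for this example; table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE threads (id INTEGER PRIMARY KEY, category_id INTEGER, locked INTEGER)');
$db->exec('CREATE TABLE category_perms (category_id INTEGER, user_id INTEGER, can_reply INTEGER)');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, thread_id INTEGER, user_id INTEGER, body TEXT)');
$db->exec('INSERT INTO threads VALUES (1, 10, 0), (2, 20, 0), (3, 10, 1)');
$db->exec('INSERT INTO category_perms VALUES (10, 7, 1), (20, 7, 0)');

/**
 * Insert a reply only if the thread exists, is open, and the user may reply
 * in its category. $userId must come from the server-side session, never the form.
 */
function postReply(PDO $db, int $userId, mixed $rawThreadId, string $body): string
{
    // The hidden field is client input: accept only a positive integer.
    $threadId = filter_var($rawThreadId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($threadId === false) {
        return 'invalid thread id';
    }
    // One query answers both questions: does the thread exist, and may this user reply to it?
    $stmt = $db->prepare(
        'SELECT t.locked, COALESCE(p.can_reply, 0) AS can_reply
           FROM threads t
           LEFT JOIN category_perms p ON p.category_id = t.category_id AND p.user_id = :uid
          WHERE t.id = :tid'
    );
    $stmt->execute([':uid' => $userId, ':tid' => $threadId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no such thread';
    }
    if ((int) $row['locked'] === 1 || (int) $row['can_reply'] !== 1) {
        return 'forbidden';
    }
    $ins = $db->prepare('INSERT INTO posts (thread_id, user_id, body) VALUES (?, ?, ?)');
    $ins->execute([$threadId, $userId, $body]);
    return 'posted';
}

// Constructed requests: user 7 submits the form with different hidden-field values.
foreach (['1', '2', '3', '999', '1 OR 1=1'] as $submitted) {
    printf("%-10s => %s\n", $submitted, postReply($db, 7, $submitted, 'hello'));
}
```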