As simple as possible. If there is no id in the $_GET parameters, it is the currently logged-in user, and he can edit his own page. If an id is supplied, you can check whether it is the same as the id of the currently logged-in user and still allow him to edit his own page; otherwise he will have only read access (if you designed your application like that). Every time the user visits e.g. www.example.com/user/edit, he will get his edit page. Or he visits www.example.com/user/edit/5 (5 is his id) and you allow him to edit his page. If he visits www.example.com/user/edit/6 (it is not his id), you can redirect him to www.example.com/user/edit (his own page, the solution which I recommend), or totally deny access to that page.
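
The check described above, written out in PHP as an added example that is not part of the original answer. The function name `resolveEditRequest`, the returned array shape, the 401 for a missing session and the session user id of 5 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide what /user/edit[/{id}] should do for the current session.
 * Hypothetical helper: returns ['action' => 'edit'|'redirect'|'deny', ...].
 * The id to edit always comes from the session, never from the request.
 */
function resolveEditRequest(?int $sessionUserId, ?string $rawId, bool $redirectOnMismatch = true): array
{
    // Assumption: an anonymous visitor has no page to edit.
    if ($sessionUserId === null) {
        return ['action' => 'deny', 'status' => 401];
    }

    // No id supplied: the target is the logged-in user.
    if ($rawId === null || $rawId === '') {
        return ['action' => 'edit', 'userId' => $sessionUserId];
    }

    // Strict parse: "5" is accepted; "5abc", "-5", "5.0" and " 5" are not,
    // so loose string/int comparison cannot make a foreign id match.
    $requested = ctype_digit($rawId) ? (int) $rawId : null;

    if ($requested === $sessionUserId) {
        return ['action' => 'edit', 'userId' => $sessionUserId];
    }

    // Another user's id, or an unparsable value: never load that record
    // for editing. Either send the user to his own page or deny access.
    return $redirectOnMismatch
        ? ['action' => 'redirect', 'location' => '/user/edit']
        : ['action' => 'deny', 'status' => 403];
}

// Constructed sample requests; the session user is 5.
foreach ([null, '5', '6', '5abc'] as $id) {
    $result = resolveEditRequest(5, $id);
    echo var_export($id, true), ' => ', json_encode($result, JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

The handler that saves the submitted form needs the same decision, because hiding the edit page alone does not stop a request that posts changes for another id.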