in the mages table, you should have a column that relates the image to the user using the users ID
so theres the imageID primary key column and the imageUserID column.
in the recordset that returns the image, add another where clause to compare the imageUserID column to the UserID session that gets set. this way, it doesn't matter if they change the Image id in the URL variable, it wont return anything unless the image belongs to them.