Is It Safe To Put An Id (will Insert In Db) Into A Hidden Input?
Solution 1:
If you give it to the client, then the user can change it.
If you can't avoid giving it to the client then, when the form is submitted, you need to check if the user is authenticated (i.e. that you know who there are, e.g. because they have entered a password) and authorized (i.e. that they are allowed to do whatever the request is asking for).
How you determine authorization depends entirely on your business rules (which you haven't explained to us). These may be something like:
IF the id belongs to an entry created by the user
ORIF the user is an admin
This would, obviously, require that you keep a record of which users created which entries or which users were admins.
There is a security issue here because users may simply change the ID of the hidden input which will allow them to insert all sorts of nonsense.
The only sort of nonsense I can imagine that could cause is liking a post multiple times, or liking posts that the user cannot see. This just comes back to authorization. Reject the request if it is a duplicate or if the user isn't allowed to see the post they are trying to vote on.
Solution 2:
Displaying the ID value in the html is fine, assuming you have good authentication and validation on the server side.
For instance, I assume your code is to update a post on a blog or something similar? Do users have to be logged in when updating? Do you check that the current logged-in user has permission to update that particular post (i.e. by either setting that the usergroup the user is in has permission to edit posts or edit all posts, or that the author of the post is the logged-in user)?
You could save the record ID in a session to hide it from the user, but hackers could still attempt session hijacks.
It's all about your backend security.
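The checks both answers describe, as an added example that is not part of either answer: identity comes from the server-side session rather than the form, the hidden-input value is validated before it is used as an id, a "like" is rejected when the post is not visible to the user or has already been liked, and an "edit" is allowed only for the entry's creator or an admin. The `Store`, `Post`, user names and post ids are constructed in-memory data standing in for a real database.

```python
"""Server-side handling of an id that arrives in a hidden form input.

Added example, not code from either answer. Users, posts and likes are
constructed in-memory data; a real application would query its database.
"""
from dataclasses import dataclass, field


@dataclass
class Post:
    id: int
    author: str
    visible_to: frozenset  # usernames allowed to see the post; empty = public


@dataclass
class Store:
    posts: dict = field(default_factory=dict)
    admins: frozenset = frozenset()
    likes: set = field(default_factory=set)  # (username, post_id) pairs


def parse_post_id(raw):
    """The hidden input is user-controlled text, so validate it before use."""
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return int(raw)


def can_see(store, username, post):
    """Visibility rule: public, explicitly shared, own post, or admin."""
    return (not post.visible_to or username in post.visible_to
            or username == post.author or username in store.admins)


def can_edit(store, username, post):
    """Solution 1's rule: the entry's creator OR an admin."""
    return username == post.author or username in store.admins


def handle_like(store, session, form):
    """Identity is taken from the server-side session, never from the form."""
    username = session.get("user")
    if username is None:
        return "unauthenticated"
    post_id = parse_post_id(form.get("post_id"))
    post = store.posts.get(post_id) if post_id is not None else None
    if post is None or not can_see(store, username, post):
        # Same response for "no such post" and "not allowed to see it",
        # so the handler does not reveal which ids exist.
        return "forbidden"
    if (username, post.id) in store.likes:
        return "duplicate"
    store.likes.add((username, post.id))
    return "ok"


def handle_edit(store, session, form):
    username = session.get("user")
    if username is None:
        return "unauthenticated"
    post_id = parse_post_id(form.get("post_id"))
    post = store.posts.get(post_id) if post_id is not None else None
    if post is None or not can_edit(store, username, post):
        return "forbidden"
    return "ok"


def demo():
    """Constructed scenario: one public post, one private post, one admin."""
    store = Store(
        posts={1: Post(1, "alice", frozenset()),
               2: Post(2, "bob", frozenset({"bob", "carol"}))},
        admins=frozenset({"root"}),
    )
    return [
        handle_like(store, {}, {"post_id": "1"}),                      # no session
        handle_like(store, {"user": "alice"}, {"post_id": "1"}),       # first like
        handle_like(store, {"user": "alice"}, {"post_id": "1"}),       # repeated like
        handle_like(store, {"user": "alice"}, {"post_id": "2"}),       # private post
        handle_like(store, {"user": "alice"}, {"post_id": "2 OR 1"}),  # tampered value
        handle_edit(store, {"user": "alice"}, {"post_id": "2"}),       # not the author
        handle_edit(store, {"user": "root"}, {"post_id": "2"}),        # admin
    ]


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is that every outcome is decided by what the server already knows about the session, the post and existing likes; changing the hidden input only changes which post the checks are run against.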