-1

Is it a good practice to store primary key values in form elements for storing data after form submission?

For example if I have a select tag inside my form like this:

```html
<select name="city">
  <option value="3">Kolkata</option>
  <option value="7">Bangalore</option>
  <option value="1">Delhi</option>
  <option value="4">Mumbai</option>
</select>
```

In my City table they are stored like this:

```
Id  Name
--  ----
1   Delhi
3   Kolkata
4   Mumbai
7   Bangalore
```

After form submission, extraction of values is pretty simple and we directly get the foreign key value without looking up the City table.

However, I feel that this could be a major problem since one can easily manipulate the values through developer tools.

If not this approach, what is the general and widely accepted norm?

EDIT

Since this question has been suggested as a duplicate of this, I've added my reason against it:

This question deals with the aspect of general practice followed by developers, unlike the other, which deals with security concerns if a particular practice is followed.

Community
Nikunj Madhogaria
  • This is the most widely accepted practice I've ever seen, and although it does let a user see what IDs you have assigned to the elements in your `select`, I fail to see how that could ever present a security concern. – Tab Alleman Sep 03 '15 at 18:14
  • what if I manipulated the `value` attribute and then submitted the form? – Nikunj Madhogaria Sep 03 '15 at 18:15
  • Then you submit the form with a different value. How could that be a security risk? And, more's the point, how could that be a risk that would not also exist if you did not use PK's for form values? – Tab Alleman Sep 03 '15 at 18:18
  • If a PK doesn't exist (say, 10), then inserting as a FK won't make sense (rather it would throw an error). I was thinking of looking up the table for the corresponding city value before storing the submitted values as an alternative. (PS: I'm new to web development) – Nikunj Madhogaria Sep 03 '15 at 18:22
  • Yes, it could throw an error, but that's not what I would call a "security concern". Anyway, as Brett includes in his answer, the ID submitted needs to be validated in the server side code when the form is submitted. This is true whether you use PK's for values or not. – Tab Alleman Sep 03 '15 at 18:29
  • Quite right. I get it now. – Nikunj Madhogaria Sep 03 '15 at 18:31
  • Yet another downvote without any reason! ;) – Nikunj Madhogaria Sep 03 '15 at 18:57

1 Answer

1

This is a perfectly valid option, is frequently used, and is very likely the most widely-accepted solution.

However, as with all data passed from a non-trusted computer (the web browser) to your server, you will want to ensure that the data is validated before acting on it or saving it to the database. You are correct in stating that it is possible for someone to change the value of the select to an invalid Id (e.g. 10). If an invalid Id is received, an error message should be displayed.

Brett Wolfington
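
The server-side check described in the answer above, as an added example that is not part of the original answer. It uses Python with an in-memory SQLite database and the question's City rows; the `Profile` table, the `UserName` column, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory database with the question's City rows (constructed sample)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    db.execute("CREATE TABLE City (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL)")
    # Profile is a hypothetical table that references City by its primary key.
    db.execute("CREATE TABLE Profile (Id INTEGER PRIMARY KEY, UserName TEXT NOT NULL, "
               "CityId INTEGER NOT NULL REFERENCES City(Id))")
    db.executemany("INSERT INTO City VALUES (?, ?)",
                   [(1, "Delhi"), (3, "Kolkata"), (4, "Mumbai"), (7, "Bangalore")])
    db.commit()
    return db

def parse_city_id(raw):
    """Return the submitted value as an int, or None if it is not a plain decimal id."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit() or len(raw) > 9:
        return None
    return int(raw)

def save_profile(db, user_name, form):
    """Validate form['city'] against City before storing it as a foreign key.
    Returns (ok, message); the message is what the user would be shown."""
    error = (False, "Please choose a city from the list.")
    city_id = parse_city_id(form.get("city"))
    if city_id is None:
        return error
    # Parameterized lookup: the browser-supplied value never becomes SQL text.
    row = db.execute("SELECT Name FROM City WHERE Id = ?", (city_id,)).fetchone()
    if row is None:
        return error  # e.g. value edited to 10 in developer tools
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO Profile (UserName, CityId) VALUES (?, ?)",
                       (user_name, city_id))
    except sqlite3.IntegrityError:
        # Backstop: the FK constraint rejects an id removed after the lookup.
        return error
    return True, f"Saved with city {row[0]}."
```
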