0

This is probably a silly question but I just don't know the right sollution. I am selecting items from my database in a loop. These items are displayed on my website as submit form. In the forms I have hidden input fields that contain the ID of a specific item. The only problem is that anyone can change this idea in the developer tools/inspector. What is a more reliable way to do this?

What I eventually want to do is storing this value in my database.

So I have this query:

$insert_query = mysqli_query($con," INSERT INTO `building` SET `player_id` = '".$_SESSION['user']['id']."', `building_id` = '".$_POST['building_id']."' ");

And using this hidden input field:

<input type="hidden" value="<?php echo $row['building_id']; ?>" name="building_id">

How can I approach this safely without the user being able to change the id?

Bart. K
  • 63
  • 8
  • This discussion might be of use to you: http://stackoverflow.com/questions/7559409/how-to-disable-browser-developer-tools – Namkce Jun 16 '16 at 21:07
  • Instead of passing Id in the hidden field create slug and query from the slug which is more secure than that. – sudar Jun 16 '16 at 21:08
  • Nope, that's just about disabling the console. – Bart. K Jun 16 '16 at 21:09
  • No you cannot disable the browser console but there is one option for disable the right click but dont do that. **function f{ if(event.button==2) { alert(status); return false; }}** – sudar Jun 16 '16 at 21:13
  • note, your code is insecure. – Ryan Jun 16 '16 at 21:13

3 Answers3

0

To display the id's in source code is not the problem.

But you must post validate in every case that the values sent by the form are valid and that no id's are manipulated.

Which means that you have to validate if a player is allowed to send a special id.

Monarchis
  • 101
  • 6
0

I think you are in danger of

  • SQL injection (you can find a lot of topic to sensitize and secure your self of it)
  • Make sure to query the database first for ids you going to insert. (in your case make 2 query to insure the ids were sent is exist in the database)
Abdelrahman M. Allam
  • 892
  • 10
  • 16
0

Solution 1:

Add a secondary hidden field with a hash generated from that ID by your own algorithm. When you receive the from data, check if the received ID and hash code match.

Solution 2:

In the server side code check if the user has permission for accessing to received ID. This may done by a cookie or session check. If the user has permission, don't worry about the ID and no need to double check if ID in previous page and target page are the same! A webpage just helps the user to act easily and you may let user act in hard way using pure codes!

Ali Sheikhpour
  • 10,475
  • 5
  • 41
  • 82