Prevent change input values

Question

I have a system to upload and change profile picture, also have a link that restores to the default photo, I see that changing the values of ID from the console browser (inspect element in chrome) I can make the image that I will upload assigned to another user which is very bad, like I can avoid this?

index.php

<form name="form" method="post" action="dashboard_reset_image.php">
 <input type="hidden" name="id" value="'.$id.'">
 <input type="submit" class="btn btn-danger btn-img-user" value="Reset"/>
</form>

dashboard_reset_image.php

 $ID = $_POST['id'];
 $db = DB::getInstance(); 
 $fields=array('img'=>'no-image.jpg');
 $db->update('profile',$ID,$fields);
 Redirect::to("index.php?id=$ID");

What makes this last code is to update the "img" column in the "profile" table putting a default image (not erase the images of the server and save them as reference).

As I keep changing the ID from the HTML generated insecurity?

Answer 1

Change

 $fields=array('img'=>'no-image.jpg');

to

 $fields=array('img'=>$ID.'.jpg');

To prevent the image update use the id in the filename.

To prevent someone from changing the id in the browser you will need to use session storage to save the id on the server, then test to ensure the data submitted has the same id.

Something like this will save the posted id:

session_start();
if (!isset($_SESSION['id']) && isset($_POST['id'])) {
    $_SESSION['id'] = $_POST['id'];
}

Populate the id in the HTML like so:

<input type="hidden" name="id" value="<?= $_SESSION['id'] ?>">

When you receive the data from the client, to test that the id is the same, you would use:

if (isset($_SESSION['id'],$_POST['id'])) {
    if ($_SESSION['id'] !== $_POST['id']) {
        die('Ids do not match');
    } else {
        echo 'Update the image here';
    }
}