Blacksmith

Reputation: 762

Passing variables in HTML forms in PHP securely

I have a form that is populated by data from a MySQL database. To make an update/edit to the form I would like to use the primary key of that record. How can I pass the primary key to the page securely once the page is submitted? I do not want to use $_GET, as any user can change this on the URL, and embedding the primary key in a hidden form field can also be sabotaged and is visible in the HTML source. The action is being done on the same page (see code block below). The processing is being done on the same page, so I am not sure whether sessions will work.

<?php
//Load the data from the database
  if(isset($_GET['menu_id'])){
       $menu_id = (int)$_GET['menu_id'];
       $menu = new Menu();
       $menu_item = $menu->get_menu_items_by_id($menu_id);
  }
  else{
       //The user has possibly edited the URL
       $message = "Please select an option to edit";
       //$PHP_SELF is not defined by PHP; use $_SERVER['PHP_SELF'] and URL-encode the message
       redirect_to($_SERVER['PHP_SELF'] . '?message=' . urlencode($message));
  }
?>
<!-- Values echoed into the page are passed through htmlspecialchars() so stored data cannot inject markup -->
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">

<div>
<label>Name</label>
<input type="text" name="name" value="<?php echo htmlspecialchars($menu_item->name) ?>">
</div>

<div>
<label>Title</label>
<input type="text" name="title" value="<?php echo htmlspecialchars($menu_item->title) ?>">
</div>

<div>
<label>Is default page</label>
<input type="radio" name="is_default_page" value="1"
    <?php
        if($menu_item->is_default_page == 1)
            {
            echo "checked";
            }?>
     >Yes
<input type="radio" name="is_default_page" value="0"
        <?php
        if($menu_item->is_default_page == 0)
            {
            echo "checked";
            }?>
     >No
</div>

<div>
<label>Page name</label>
<input type="text" name="page" value="<?php echo htmlspecialchars($menu_item->page) ?>" />
</div>

<div>
<label>Menu type</label>
<select name="menu_type">
    <?php
    //Display the options of the menu types available
    //The loaded record is $menu_item; $menu is the empty object used to query
    $menu_type_array = $menu->get_menu_types();
    draw_select($menu_type_array, 'name', 'id', $menu_item->menu_type_id);
    ?>
</select>
</div>

<div>
    <label>Page type i.e what is the page used for</label>
    <select name="page_type">
        <?php
        $page = new Page();
        $page_type_array  = $page->get_page_types();
        draw_select($page_type_array, 'name', 'id', $menu_item->page_type_id);
        ?>
    </select>
</div>

<div>
    <label>Position</label>
    <select name="position">
        <?php
        //Count the number of menus in the database

        $number_of_menu_items = $menu->count_menu_items() + 1;
        for($i=1; $i<=$number_of_menu_items; $i++){
            echo "<option value=\"{$i}\"";
            if($i==$menu_item->position){
                echo "selected=\"selected\"";
            }
            echo ">";
            echo "{$i}";
            echo "</option>";
        }

        ?>
    </select>
</div>

<div>
    <input type="submit" value="Add Menu" name="edit_menu" />
</div>

</form>

Upvotes: 0

Views: 1303

Answers (2)

deceze

Reputation: 522042

What is the concern here? Yes, a user can change the id of the record being edited, so the entered data will be saved to another record.

...

So what? It's not any different from the user going to the page of that other record and editing it there directly. You still have access controls in place that check if the user is allowed to edit the record to begin with, right? You also have data validation in place that validates that the submitted data is valid for the specific record, right?

Then there's no real concern here. If the user is able to edit a particular record, he's able to do so one way or another. Simply putting the id in the URL is perfectly sufficient.

Upvotes: 2

artragis

Reputation: 3713

If a user can easily change your $_GET or $_POST data, it is not a security issue. In fact, you can put it in your $_GET URL if it is only a display request (and, of course, in that case, your PHP code has to ensure that it can be displayed by the user), and in your $_POST data if you want to modify the data stored in your database.

That is the purpose of GET and POST requests; do not try to invent something with another tool. It will be a mess to keep it working in the future.

Upvotes: 0
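The pattern both answers describe, as an added example that is not code from the question or either answer: the record id travels in the URL for display and in a hidden field for the update, and the server re-checks on every request that the logged-in user may edit that record, so a tampered id only reaches records the user could already edit. It assumes a PDO connection in $pdo, the user's id in $_SESSION['user_id'], and a hypothetical `menus` table with an `owner_id` column (all names are assumptions).

```php
<?php
// Added example, not code from the question or either answer. Assumes a PDO
// connection in $pdo, the logged-in user's id in $_SESSION['user_id'], and a
// hypothetical `menus` table with an `owner_id` column (names are assumptions).
session_start();
function current_user_id(): int {
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
    return (int)$_SESSION['user_id'];
}
// Ownership is checked on the server for every request, so a menu_id edited
// in the URL or in the hidden field only reaches records the user may edit anyway.
function load_editable_menu(PDO $pdo, int $menu_id, int $user_id): array {
    $stmt = $pdo->prepare('SELECT * FROM menus WHERE id = ? AND owner_id = ?');
    $stmt->execute([$menu_id, $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit('No such menu, or not yours to edit');
    }
    return $row;
}
$user_id = current_user_id();
// Same page serves the form (GET) and handles the update (POST), as in the question.
$menu_id = filter_input(INPUT_POST, 'menu_id', FILTER_VALIDATE_INT)
        ?? filter_input(INPUT_GET, 'menu_id', FILTER_VALIDATE_INT);
if (!is_int($menu_id)) {
    header('Location: ' . $_SERVER['PHP_SELF'] . '?message=' . urlencode('Please select an option to edit'));
    exit;
}
$menu_item = load_editable_menu($pdo, $menu_id, $user_id);
if (isset($_POST['edit_menu'])) {
    // Validate the submitted data before it is written to this record.
    $is_default = filter_input(INPUT_POST, 'is_default_page', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1]]);
    $name = trim((string)($_POST['name'] ?? ''));
    if (!is_int($is_default) || $name === '') {
        exit('Invalid input');
    }
    $upd = $pdo->prepare('UPDATE menus SET name = ?, is_default_page = ? WHERE id = ? AND owner_id = ?');
    $upd->execute([$name, $is_default, $menu_id, $user_id]);
}
?>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="menu_id" value="<?php echo (int)$menu_item['id'] ?>">
<input type="text" name="name" value="<?php echo htmlspecialchars($menu_item['name']) ?>">
<input type="submit" name="edit_menu" value="Save">
</form>
```

The hidden field is still visible and editable, which is fine: the UPDATE is bound to both the id and the owner, so changing the id cannot reach another user's record.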
