Reputation: 2358
A user can submit his data after login. There are two tables in MySQL: items and categories. Categories has a user_id field, but the items table doesn't; every item should belong to a category.
When a user submits a category, it's fine: I get the user id from the session and insert it. When he submits an item, I set the category_id for it.
The problem is, the user can simply rewrite the category_id (JavaScript on the frontend: click on a category, set the category_id) and submit the item into a category which is not related to him.
Two solutions I'm thinking of (but I haven't done it like this yet):
When the user inserts an item, I check the category relation, and if it's not the user's, exit.
Add the user_id field into the items table too (doesn't look like a good option).
What is the good way, or what's the proper/common solution in this case?
Upvotes: 0
Views: 197
Reputation:
Why not create a user_id column in the category table? When the user tries to submit an entry, check the user_id; if it is not that user, redirect him wherever you want.
Upvotes: 0
Reputation: 102745
Add the user_id field into the items table too
If you already have the user_id in the categories table, and you're certain that each item has a category, then this is unnecessary duplication, as you suspect.
Check the category relation, and if it's not the user's, exit.
That's the way to do it: when you read the category id before inserting an item, make sure that category belongs to the user. Simple. I would probably just show_404(), but it's up to you if you want to show a meaningful error message.
Upvotes: 1
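One way to implement the ownership check the answer above recommends, as an added example that is not from the question or either answer. It uses Python's sqlite3 with a constructed two-table schema mirroring the question (the answer's show_404() suggests a PHP/CodeIgniter app; only the table and column names come from the question, everything else here is an assumption). It shows the unchecked insert beside two checked forms: the separate "read the category, confirm the owner" lookup the answer describes, and a single INSERT ... SELECT that can only insert when the category belongs to the session user. The same SQL statement works unchanged in MySQL.

```python
import sqlite3

# Constructed in-memory schema mirroring the two tables described in the question:
# categories carries user_id, items carries only category_id.
SCHEMA = """
CREATE TABLE categories (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    name    TEXT NOT NULL
);
CREATE TABLE items (
    id          INTEGER PRIMARY KEY,
    category_id INTEGER NOT NULL REFERENCES categories(id),
    name        TEXT NOT NULL
);
"""


class NotCategoryOwner(Exception):
    """Raised when the submitted category_id does not belong to the session user."""


def open_db():
    """Open a fresh database with constructed sample data:
    user 1 owns category 10, user 2 owns category 20."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO categories (id, user_id, name) VALUES (?, ?, ?)",
        [(10, 1, "user1-category"), (20, 2, "user2-category")],
    )
    return conn


def category_belongs_to_user(conn, session_user_id, category_id):
    """The check the accepted answer describes: read the category row and
    confirm it is owned by the user id taken from the session (never from the form)."""
    row = conn.execute(
        "SELECT 1 FROM categories WHERE id = ? AND user_id = ?",
        (category_id, session_user_id),
    ).fetchone()
    return row is not None


def insert_item_unchecked(conn, category_id, name):
    """The original, vulnerable shape: trusts whatever category_id the form sent."""
    cur = conn.execute(
        "INSERT INTO items (category_id, name) VALUES (?, ?)", (category_id, name)
    )
    return cur.lastrowid


def insert_item_checked(conn, session_user_id, category_id, name):
    """Ownership check and insert in one statement: the INSERT ... SELECT produces
    no row unless the category belongs to the session user, so a tampered
    category_id cannot slip in between a separate check and the insert."""
    cur = conn.execute(
        "INSERT INTO items (category_id, name) "
        "SELECT c.id, ? FROM categories c WHERE c.id = ? AND c.user_id = ?",
        (name, category_id, session_user_id),
    )
    if cur.rowcount == 0:
        # The web layer would show_404() or an error page here, as the answer suggests.
        raise NotCategoryOwner(
            f"category {category_id} is not owned by user {session_user_id}"
        )
    return cur.lastrowid


def demo():
    """Run both paths; returns (unchecked_item_id, checked_item_id, rejected, item_count)."""
    conn = open_db()
    # user 2's form arrives with category_id rewritten to user 1's category 10
    leaked_id = insert_item_unchecked(conn, 10, "landed in another user's category")
    try:
        insert_item_checked(conn, 2, 10, "same submission, checked")
        rejected = False
    except NotCategoryOwner:
        rejected = True
    # user 1 submits into their own category: accepted
    own_id = insert_item_checked(conn, 1, 10, "legitimate item")
    count = conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    return leaked_id, own_id, rejected, count


if __name__ == "__main__":
    print(demo())
```

The important design point is that session_user_id comes from the server-side session and category_id from the request; the check joins the two, so nothing the client edits in the form changes which categories it may write to. The single-statement form also avoids a window between a separate ownership lookup and the insert.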