Tomek Buszewski

Reputation: 7935

A better way to pass IDs

I have a problem - or a concern - about my app. Experience taught me that leaving ANY possible way to manipulate my code is very, very bad. So now, I have a form which adds a user's opinion. It has

Now what I am afraid of is that a user might want to look at the code and find those fields. Many browsers allow HTML to be manipulated (we can change classes, etc. from Chrome). So changing value="1" to value="2" won't be a problem for them.

My question is - what are the best practices in Symfony2 to avoid such problems and risks?

Upvotes: 0

Views: 48

Answers (1)

Schwierig

Reputation: 712

Instead of getting the user and game id from your form, you could just grab them in your controller, which is handling the post anyway, and process both values right there.

// Take the user from the authenticated security token, not from a form field
$user = $this->get('security.context')->getToken()->getUser();
$userId = $user->getId();
// Derive the game from the user's own association instead of trusting client input
$gameId = $user->getGame()->getId();

This is a possible way of getting the currently needed values (depending on where your game id comes from, of course).

Edit:

If the user is associated with more than one game you could hand over the gameId like you did initially and cast it via dependency injection directly to a game class:

// The Game type hint lets the param converter load the entity from the submitted id
public function exampleAction(Game $gameId) {
    $user = $this->get('security.context')->getToken()->getUser();

    // Only accept the game if it is one of the current user's own games
    if ($user->getGames()->contains($gameId)) {
        return true;
    }
}

Upvotes: 1
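To show both ideas from the answer in one place, here is an added example (not the answer's own code, and not from any real project) of a Symfony2 controller that takes the user from the session, treats the submitted game id only as an untrusted lookup key, and refuses to save unless the game belongs to that user. The bundle name AcmeBundle, the Opinion and Game entities, their getters/setters, the form field names and the route name are all assumed.

```php
<?php
// Added example, not the answer's code. Assumed: an AcmeBundle:Game entity,
// an Opinion entity with setUser()/setGame()/setText(), a User with
// getGames() returning a Doctrine collection, and a POST form with the
// fields "game_id" and "text". All of these names are hypothetical.

namespace Acme\OpinionBundle\Controller;

use Acme\OpinionBundle\Entity\Opinion;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class OpinionController extends Controller
{
    public function addAction(Request $request)
    {
        // The user comes from the authenticated token, never from the form,
        // so an edited hidden "user_id" field has no effect at all.
        $user = $this->get('security.context')->getToken()->getUser();

        // The game id may come from the form, but it is only a selector:
        // look the entity up, then verify the user is allowed to use it.
        $gameId = (int) $request->request->get('game_id');
        $game = $this->getDoctrine()->getRepository('AcmeBundle:Game')->find($gameId);
        if (!$game) {
            throw $this->createNotFoundException('Unknown game');
        }

        // Server-side authorization: reject any id that is not one of the
        // current user's own games, whatever the client-side HTML said.
        if (!$user->getGames()->contains($game)) {
            throw new AccessDeniedException('Game does not belong to this user');
        }

        $opinion = new Opinion();
        $opinion->setUser($user);
        $opinion->setGame($game);
        $opinion->setText($request->request->get('text', ''));

        $em = $this->getDoctrine()->getManager();
        $em->persist($opinion);
        $em->flush();

        return $this->redirect($this->generateUrl('acme_opinion_list'));
    }
}
```

The hidden user field becomes unnecessary and the game field can stay, because the decision is made from the server's own data rather than from the submitted values.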
