Dan

Reputation: 139

I don't know if it is a good practice to put values from the database in an HTML id attribute

I am at my first php project and I'm learning a lot.

In my project, I used to put values from my database in the HTML id attribute, to make my work easier. For example:

<a id="nameOfMyTable_ID"> some link... </a>
<a id="idOfRow_idOfForeignKey_idOfCurrentUser"> .... </a>

Is that OK, or am I doing it wrong? I don't know for sure if that is a good practice. Is there any chance of a vulnerability?

I'm sorry, the question may sound stupid to some of you, but I really don't know if I'm doing it right.

Upvotes: 0

Views: 165

Answers (2)

Alvaro Montoro

Reputation: 29675

I was going to put it as a comment but got a bit big:

The chances of vulnerabilities will depend on how you process those values before/after presenting them to the user (and I'm sure that you are applying fixes for them):

  • As Michael said in a comment, there's a possibility for XSS if you don't sanitize the values before you write them on your HTML;
  • Also, take into account that these IDs are on the client's side; you will need to sanitize them properly before using them in the database to avoid possible SQL injection;
  • Finally, even if you sanitize them and they are correct, you'll need to double check that the values are valid and compatible. For example, imagine your ID being idOfRow_idOfForeignKey_idOfCurrentUser with a value of 1_23_45, but I change it somehow to 1_34_78. What would happen then? Is the code ready for that or will I be updating somebody else's record?

I don't know if the way IDs are displayed on the post can be considered as a good practice, personally I wouldn't do it that way, and even if I did, I'd follow some rules:

  • Never trust user input. And what better way to explain it than with humor: http://xkcd.com/327/... Sanitize all input, use parameterized queries.
  • Never trust your own input. Even if you think you are the source, the values that you are reading from the database may have been provided by a user through a web form. Sanitize all output.
  • Verify that the data provided is valid. Even if you sanitize the data, it comes from an "unknown" user, they may have changed the IDs manually. E.g.: double check that the user ID that is performing the operation has permissions to do so.
  • Put the values in the right place. Why put the current user ID in the tag ID? It should be somewhere else: a session variable, or if you want to have it available on the client side, a hidden input/variable; and for the other IDs, they probably should go in the href or in a data- attribute.
  • Provide the least possible information to the user. Users do not need to know your IDs, they don't need to know data tables/column names... A "good person" will not need them, a "bad person" may use them against you.

I tried to focus on the ones that would apply to the example in the question (although they'd apply to any project), and I'm probably missing something.

Upvotes: 1

foxygen

Reputation: 1388

Since you are passing the user's id into the id attribute of an <a> tag, I'll assume you are trying to link to a page that needs the user's id. In this case, you would instead want to pass the user's id as a GET parameter in the link.

Replace

<a id="idOfRow_idOfForeignKey_idOfCurrentUser">...</a>

With

<a href="myOtherPage.php?id=<?=$userID?>"> .... </a>

Note: I changed your variable from $idOfRow_idOfForeignKey_idOfCurrentUser to $userID to make it a little cleaner, but the idea is simply to pass the user's id to the next page using the href attribute.

Upvotes: 0
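Putting the advice from both answers together as one worked example (added here; this is not code from the question or from either answer): the "before" form trusts the whole `idOfRow_idOfForeignKey_idOfCurrentUser` string coming back from the browser and concatenates it into SQL, so a client that changes 1_23_45 to 2_23_78 edits another user's row. The hardened form accepts only the row id from the client (validated as an integer), takes the acting user from the server-side session, uses a prepared statement whose WHERE clause enforces ownership, and on the output side puts the row id in the href and a data- attribute, HTML-escaped, with no user id or table names in the markup. The `notes` table, `edit.php`, and the function names are assumptions made for the example; it runs offline against an in-memory SQLite database (`php example.php`).

```php
<?php
// Added example, not from the original Q&A. Assumes a hypothetical table
// notes(id, owner_id, body) and a logged-in user id stored server-side in
// the session. Runs stand-alone with the pdo_sqlite extension.
declare(strict_types=1);

// --- Constructed sample data: two users (45 and 78), one note each ---------
function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');
    $pdo->exec("INSERT INTO notes VALUES (1, 45, 'note of user 45'), (2, 78, 'note of user 78')");
    return $pdo;
}

// --- "Before": the pattern from the question, kept deliberately unsafe -----
// The tag id "idOfRow_idOfForeignKey_idOfCurrentUser" is posted back and
// trusted as-is: the "current user" is whatever the client claims, and the
// pieces are concatenated straight into SQL (injection + no authorization).
function vulnerableUpdate(PDO $pdo, string $tagId, string $body): int {
    [$rowId, , $userId] = explode('_', $tagId);
    return $pdo->exec("UPDATE notes SET body = '$body' WHERE id = $rowId AND owner_id = $userId");
}

// --- "After": hardened handler --------------------------------------------
// 1. Only the row id is accepted from the client, and it must be a positive int.
// 2. The acting user comes from the server-side session, never from the page.
// 3. Prepared statement; ownership is enforced in the WHERE clause, so a
//    tampered id simply matches zero rows instead of someone else's record.
// Returns true only if exactly one row owned by $sessionUserId was updated.
function safeUpdate(PDO $pdo, string $rawRowId, string $body, int $sessionUserId): bool {
    $rowId = filter_var($rawRowId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($rowId === false) {
        return false; // malformed id: reject it, do not try to "repair" it
    }
    $stmt = $pdo->prepare('UPDATE notes SET body = :body WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':body' => $body, ':id' => $rowId, ':owner' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// --- Output side: row id in href and data- attribute, escaped ---------------
// Nothing about the current user or the schema is exposed in the markup.
function renderLink(int $rowId, string $label): string {
    $id   = htmlspecialchars((string) $rowId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"edit.php?id=$id\" data-row-id=\"$id\">$text</a>";
}

// --- Demo --------------------------------------------------------------------
$pdo = setupDb();
$sessionUserId = 45; // in a real app this is $_SESSION['user_id'], set at login

// Client edits the tag id to claim to be user 78 and target row 2.
vulnerableUpdate($pdo, '2_23_78', 'overwritten by user 45');
echo 'vulnerable handler, row 2 now reads: ',
    $pdo->query('SELECT body FROM notes WHERE id = 2')->fetchColumn(), "\n";

// Same attempts against the hardened handler, acting as the session user 45.
foreach (['2' => 'attempt on row 2', '1' => 'my own note', '1 OR 1=1' => 'injection attempt'] as $id => $body) {
    $ok = safeUpdate($pdo, (string) $id, $body, $sessionUserId);
    echo 'safe handler, id ', var_export((string) $id, true), ': ', $ok ? 'updated' : 'refused', "\n";
}
echo 'row 2 after hardened attempts: ',
    $pdo->query('SELECT body FROM notes WHERE id = 2')->fetchColumn(), "\n";

echo renderLink(1, 'Edit "my" note <here>'), "\n";
```

The hardened handler never needs to compare the claimed user id with the real one, because the claimed one is not accepted in the first place; ownership is checked by the database in the same statement that performs the update, which avoids a check-then-act race between a SELECT and the UPDATE.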
