Reputation: 377
I was wondering: are there ways in Laravel to not display the id in the source when inspecting with developer tools? I have this form:
{!! Form::model($data, ['route' => ['data.edit',$data->id], 'method' => 'get']) !!}
{{ Form::submit('Edit', array('class' => 'btn btn-info')) }}
{!! Form::close() !!}
With inspection, a user can see the ids of all forms like this, change one element's id to another, and on click he will edit the changed one. Are there any workarounds?
I would just check in the controller if that data entry belongs to the user, so at least the user would not be able to delete or change entries that do not belong to him, but that is not the solution I want.
Upvotes: 2
Views: 198
Reputation: 2092
Not if you set the id in the HTML. You could use the session to store data, but you should always validate access on update. You should never trust the client.
Not having a guessable id is also a reason to use a UUID instead of auto-increment for the id, but even if you use a UUID you need to check access on the server for all requests, no matter if they are to get data or to update data.
Upvotes: 5
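The server-side ownership check that both the question and the answer refer to, as an added example that is not part of the thread. It assumes a hypothetical `App\Models\Entry` model with a `user_id` column and a `title` field, a `data.edit` view, and that the `data.edit` / `data.update` routes sit behind the `auth` middleware.

```php
<?php
// Added example, not from the thread. Entry, user_id, title and the view name
// are assumed names; the routes are assumed to require an authenticated user.

namespace App\Http\Controllers;

use App\Models\Entry;
use Illuminate\Http\Request;

class DataController extends Controller
{
    // GET data.edit: the {id} segment comes from the form and is client-controlled.
    public function edit(Request $request, $id)
    {
        $entry = $this->ownedEntry($request, $id);

        return view('data.edit', ['data' => $entry]);
    }

    // PUT data.update: repeat the same lookup; a check on the edit page alone
    // does not protect the write.
    public function update(Request $request, $id)
    {
        $entry = $this->ownedEntry($request, $id);

        $validated = $request->validate([
            'title' => ['required', 'string', 'max:255'],
        ]);

        // Assign validated fields one by one so user_id can never be
        // overwritten from request input.
        $entry->title = $validated['title'];
        $entry->save();

        return redirect()->route('data.edit', $entry->id);
    }

    // Resolve the row through the owner constraint. Another user's id (integer
    // or UUID) yields the same 404 as an id that does not exist.
    private function ownedEntry(Request $request, $id): Entry
    {
        return Entry::where('user_id', $request->user()->id)
            ->findOrFail($id);
    }
}
```

With this lookup in place, changing the id in the form with developer tools only selects another of the same user's entries or returns a 404.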