Reputation: 5
I'm trying to write an app that basically is a frontend for editing database records. I have heard that a way to ensure the right row in the DB is being updated is to include a hidden form field on the update form with the row unique ID in it, and use this to add a conditional to the backend update statement.
However, this seems insecure. Anybody could edit the HTML on the page pre-submit and change the record being updated, no? What is the proper way to pass the unique ID of the row the user is editing along with their edits? I would imagine this may be done with cookies/session tracking, but couldn't this be edited client side prior to submitting as well?
Thanks!
Upvotes: 0
Views: 49
Reputation: 522005
If a client is allowed to modify the record in question anyway, it doesn't matter whether he does so by modifying the id in a hidden field or by going to the correct page and submitting the form from there.
When any client submits any form, the server needs to a) make sure the client has the right to modify the record he attempts to modify and b) validate that the submitted data is allowable for the record. Then all your business rules are being protected and taken care of, whether the user uses the proper forms or not.
You can also save a hash of all hidden fields in the session server-side and check that on submission to catch hidden field-manipulation attempts, if that's still in your interest.
Upvotes: 3
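The two server-side checks this answer describes, plus its optional hidden-field hash, as an added example that is not part of the original answer. It assumes a `notes` table with an `owner_id` column, a server-side session dict keyed by an opaque cookie, and a constructed in-memory SQLite database; the function and table names are placeholders.

```python
import hashlib
import hmac
import sqlite3

def _hidden_digest(hidden):
    # Canonical encoding so the same set of hidden fields always hashes the same way
    canonical = "&".join(f"{k}={v}" for k, v in sorted(hidden.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()

def render_form(session, record_id):
    """Form page: emit the hidden field and remember its hash server-side.
    The session dict lives on the server; the browser only holds an opaque
    session id cookie, so it cannot edit the stored hash."""
    hidden = {"id": str(record_id)}
    session["hidden_hash"] = _hidden_digest(hidden)
    return hidden

def handle_update(conn, session, form):
    """Update handler: authenticate, detect tampering, authorize, validate."""
    user_id = session.get("user_id")
    if user_id is None:
        return "unauthenticated"
    # Optional defence from the answer: hidden fields must match what we issued
    submitted_hidden = {"id": form.get("id", "")}
    if not hmac.compare_digest(session.get("hidden_hash", ""),
                               _hidden_digest(submitted_hidden)):
        return "tampered"
    try:
        record_id = int(form["id"])
    except (KeyError, ValueError):
        return "bad_id"
    # Check b): the submitted data must satisfy the business rules for the record
    title = form.get("title", "").strip()
    if not 1 <= len(title) <= 100:
        return "invalid_title"
    # Check a): the WHERE clause ties the row to the logged-in owner, so a
    # forged id can never update someone else's record, hash check or not
    cur = conn.execute(
        "UPDATE notes SET title = ? WHERE id = ? AND owner_id = ?",
        (title, record_id, user_id),
    )
    conn.commit()
    return "ok" if cur.rowcount == 1 else "forbidden"

def setup_db():
    """Constructed sample data: note 1 belongs to user 10, note 2 to user 20."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)",
                     [(1, 10, "alice note"), (2, 20, "bob note")])
    conn.commit()
    return conn
```

The ownership condition in the UPDATE is the check that matters; the session hash only tells you that a client altered the form, which is useful for logging.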
Reputation: 21386
You may create a field with default value TIMESTAMP.
Also you may pass this data from one page to another using PHP sessions.
More details here
Hope this helps. :)
Upvotes: 1
Reputation: 9349
When you load the form page, store the id in the session however you want to. When they submit, on the post page, grab the id from the session.
The insecure part is, how are you letting people decide which id they want to edit? Where is the input for that?
Upvotes: -1