Is it correct to store a record to use during the process lifecycle in a session variable?


1

Good morning, I have a web system, but it is super flawed... I store IDs in a hidden input; however, it is visible with inspect element.


If I change the id_schedule to 1, it will update record 1 instead of 26.

Would the best way be to store that ID in a Session (PHP) and then retrieve it during the process lifecycle? Or is there any other way?

I don’t know if the question is duplicated. I tried to be as clear as possible. I appreciate anyone who can help me.

  • 2

    SESSION is one of the possible ways, as are LocalStorage or COOKIES, but I wouldn’t say the best, because it depends on the stored content; since the ID is something of great importance, you could encrypt it and save it encrypted, but it is better than the hidden input.

  • 5

    I see no problem with the id being hidden and easily modifiable: if the user who changes the value from 26 to 1 is not allowed to modify 1, return an error from the server; if allowed, let the operation proceed normally. Actually it’s not so unusual; Stack Overflow itself leaves a code (I imagine it’s something similar to the id, or the id itself) in the URL.

  • 2

    If you put an encrypted id in the schedule, someone will hardly be able to guess the right id. For example: id_paciente: ushu23hdy4323232 id_usuario: kjashah8732.uji

  • 1

    In my view, this is the best way (encrypting), as session ids can also be recovered and modified. In addition, using the session for storing lots of data is not the best option, because each open session generates a serialized value. Generating this value has a cost, and converting it back has another cost. Imagine this for a lot of data and many users...

  • 1

    Ever heard of UUID? I recommend reading https://medium.com/trainingcenter/o-que%C3%A9-uuid-porque-us%C3%A1-lo-ad7a66644a2b

1 answer

2


I believe that the most practical and least costly way would be for you to create a unique key column in your database table, even a varchar, to store a second identifier. This second identifier must be random and one-way, i.e., not convertible back.

There are several ways to create a "hash", for example:

// random_bytes gives a sequence of random bytes from the CSPRNG
// bin2hex converts it to ASCII (hex)
// sha1 hashes the result into a fixed-length 40-character digest
$uniq = sha1(bin2hex(random_bytes(32)));

Store this value along with the rest of the data.

Also check whether the "id_scheduling" and "id_patient" really need to be in the form. If the database is well structured and related, you can update the data using only a single identifier.

In the end, your input will look like this:

<input type="hidden" name="token" value="a72e2e0d24022f7c8e34532208ee0b119cb77850">

That way you greatly decrease the probability of someone hitting the next value.
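Putting the answer's random token together with the server-side ownership check from the comments, as an added example that is not part of the answer above. It assumes a PDO connection `$pdo`, a hypothetical table `schedule` with columns `id_schedule`, `token` (unique varchar), `owner_id` and `notes`, and the logged-in user's id in `$_SESSION['user_id']`.

```php
<?php
// Added example, not the answerer's code. Assumed schema: schedule(id_schedule, token, owner_id, notes).

/** Generate the random, one-way identifier suggested in the answer (40 hex chars). */
function newScheduleToken(): string
{
    // 32 bytes from the CSPRNG; sha1 only fixes the length and alphabet of the token.
    return sha1(bin2hex(random_bytes(32)));
}

/** Insert a schedule and return the token the form will carry instead of the numeric id. */
function createSchedule(PDO $pdo, int $ownerId, string $notes): string
{
    $token = newScheduleToken();
    $stmt = $pdo->prepare(
        'INSERT INTO schedule (token, owner_id, notes) VALUES (:token, :owner, :notes)'
    );
    $stmt->execute([':token' => $token, ':owner' => $ownerId, ':notes' => $notes]);
    return $token;
}

/**
 * Update a schedule from a form submission. The token is hard to guess, but the
 * WHERE clause still checks ownership: a token belonging to someone else updates
 * zero rows, which is the "return an error from the server" the comments describe.
 */
function updateScheduleFromForm(PDO $pdo, int $currentUserId, array $post): bool
{
    $token = $post['token'] ?? '';
    if (!preg_match('/^[0-9a-f]{40}$/', $token)) {
        return false; // malformed token: reject before touching the database
    }
    $stmt = $pdo->prepare(
        'UPDATE schedule SET notes = :notes WHERE token = :token AND owner_id = :owner'
    );
    $stmt->execute([
        ':notes' => (string)($post['notes'] ?? ''),
        ':token' => $token,
        ':owner' => $currentUserId,
    ]);
    return $stmt->rowCount() === 1; // 0 rows: not found or not owned by this user
}

// Handler receiving the hidden input from the answer (assumed session layout):
// if (!updateScheduleFromForm($pdo, (int)$_SESSION['user_id'], $_POST)) {
//     http_response_code(403);
// }
```

Even with the random token in place, the `owner_id` condition is what prevents a copied or leaked token from updating another user's record.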
