Alternatives to pass data through Hidden fields


0

I’m creating a system where I always need my object’s id from the database, and in most of the system I send this id from the view to the controller using hidden fields with a POST.

Speaking of security, what’s the best way to do that?

I find it a little unsafe to use this method. Can anyone help me?

  • The Laravel documentation explains Sessions: http://laravel.com/docs/5.0/session

2 answers

1


It will only be insecure if your system has security holes; otherwise the user will not be able to do anything with an ID. But if you are using an SSL certificate, for example, you can create a cookie or even a Session to store the ID at the time the view is accessed. It doesn’t hide it 100%, but it prevents editing.

  • I’m handling any attempt to tamper with the controller, but I thought there was a more recommended method for this.

  • This is not such a big problem: since the ID is usually made up of numbers, it is easy to deal with malicious input. As I mentioned, the secure cookie might be a good option for you, because it can’t be edited. But if it’s of paramount importance that the user doesn’t even see the id, tell me and I have an alternative.

  • What do you think of Sessions? Would they have the same security as a cookie?

  • You can use Sessions without problems; actually it will be even better. I remembered that a Session cannot be viewed by the user, as it is stored on the server and not in the browser. Each Session generates an id that is stored in the browser, but its content is only on the server.

  • Sorry for another layman’s question: in this case of Session content being stored only on the server, is that a feature of the server, or a characteristic of Sessions themselves?

  • A characteristic of Sessions themselves.

0

I believe the best alternative is to use the framework’s own resources for this id that you want to pass.

Parameters by URL and findOrFail

Controller:

public function anyEdit($id)
{
    // Throws ModelNotFoundException (a 404) when no row has this id
    $usuario = Usuario::findOrFail($id);

    return View::make('...', ['usuario' => $usuario]);
}

View:

{{ Form::model($usuario) }}
    {{-- form fields are pre-filled from $usuario --}}
{{ Form::close() }}

In the case of the Controller shown above, the method findOrFail ensures that the user must exist in the database at the time of editing.

Passing the id in a Hidden input, you run the risk of someone editing the data (with the browser’s developer tools, for example) and causing problems for your program.

In the case of findOrFail getting the id from the URL usuario/edit/1, if a non-existent id is supplied, Laravel will throw an exception.

In the case of Form::model(), we pass the user so that the fields are automatically filled with the desired values.

Security with Input Hidden

You can add extra security when passing data through a Hidden input.

Suppose you want to validate that hidden input field and ensure that the ID exists in the database. You can use the exists validation rule for that:

$rules = [
    // the value must be present and must match a row in tabela.id_dessa_tabela
    'hidden_id' => 'required|exists:tabela,id_dessa_tabela'
];

$validator = Validator::make(Input::all(), $rules);

if ($validator->fails()) {
    return Redirect::back()->withErrors($validator)->withInput();
}

Level Control

And in a third case, let’s imagine that you have the model Produto, and two types of user in the system (administrator and common).

The common user cannot edit the field usuario_id of Produto; the administrator can.

You can use the method reguard to protect model data, and unguard to remove the protection.

You can do something like this:

class BaseController extends Controller
{
    public function __construct()
    {
        // Non-administrators get the model's mass-assignment guard re-enabled
        if (Auth::user()->nivel !== 'administrador') {
            Produto::reguard();
        }
    }
}
  • I have to improve it, but I’ll do it later. My brother-in-law’s keyboard is different from what I’m used to :)
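As an added example (not code from either answer, nor from Laravel itself), here is the second answer's three ideas combined in one Laravel 5.0-style controller: the id comes from the route and is resolved with findOrFail, any foreign id that still has to travel in the form is checked with the `exists` rule, and usuario_id is guarded so that a common user cannot set it by mass assignment, with unguard() lifted only for an administrator. It also adds the check a defender would want next to `exists`: existence proves the row is there, not that the current user may touch it, so an ownership check is made before any write. The model and column names (Produto, usuario_id, nivel, 'administrador') are taken from the answer; 'categoria_id', the 'categorias' table, the view name and the route names are assumptions.

```php
<?php
// Added example, not code from the original answers or from Laravel. Assumes a
// Laravel 5.0 application whose App\Produto model declares
//     protected $guarded = ['id', 'usuario_id'];
// so that fill() silently drops usuario_id unless the model has been unguarded.
// 'categoria_id', the 'categorias' table, 'produto.edit' and the view name are
// assumed names, not from the question.

namespace App\Http\Controllers;

use App\Produto;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Validator;

class ProdutoController extends Controller
{
    public function __construct()
    {
        // Every action here requires a logged-in user.
        $this->middleware('auth');

        // Mass-assignment guard: only an administrator may set guarded columns
        // such as usuario_id, and only while this controller handles the request.
        // reguard() (used in the answer) is the inverse of unguard().
        if (Auth::check() && Auth::user()->nivel === 'administrador') {
            Produto::unguard();
        } else {
            Produto::reguard();
        }
    }

    // GET produto/{id}/edit: the id is a route parameter, not a hidden field.
    public function edit($id)
    {
        // A non-existent id raises ModelNotFoundException, which Laravel maps to 404.
        $produto = Produto::findOrFail($id);
        $this->authorizeOwner($produto);

        return view('produto.edit', ['produto' => $produto]);
    }

    // PUT produto/{id}: validate, then write only what the user is allowed to set.
    public function update(Request $request, $id)
    {
        $produto = Produto::findOrFail($id);
        $this->authorizeOwner($produto);

        // `exists` proves that an id sent by the form refers to a real row.
        // It does not prove the user may use that row; authorizeOwner() and the
        // guarded attribute cover that part.
        $validator = Validator::make($request->all(), [
            'nome'         => 'required|max:100',
            'categoria_id' => 'required|integer|exists:categorias,id',
        ]);

        if ($validator->fails()) {
            return redirect()->back()->withErrors($validator)->withInput();
        }

        // fill() ignores guarded attributes, so a tampered hidden usuario_id
        // from a common user never reaches the database; an administrator
        // (unguarded in the constructor) may change it.
        $produto->fill($request->only(['nome', 'categoria_id', 'usuario_id']));
        $produto->save();

        return redirect()->route('produto.edit', [$produto->id]);
    }

    // Existence is not authorization: a common user may only touch their own rows.
    private function authorizeOwner(Produto $produto)
    {
        $user = Auth::user();
        if ($user === null) {
            abort(401);
        }
        if ($user->nivel !== 'administrador'
            && (int) $produto->usuario_id !== (int) $user->id) {
            abort(403);
        }
    }
}
```

The ownership check is the part the `exists` rule alone cannot give you: with only `exists:produtos,id`, any authenticated user could submit someone else's product id and have it accepted as valid. Keeping the guard decision in the constructor mirrors the answer's BaseController, but scoping unguard() to administrators is safer than unguarding globally and reguarding for everyone else.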
