Date: 2020-10-02

Hi,

I’m using Ajax and PHP for a CRUD application. I show the records I get from the database in an HTML table. Each record has a unique ID, which I pass to the HTML table by storing it in the ID field; I can then pass the value with Ajax and execute all the CRUD operations. The problem is that anybody using the browser developer tools could change the ID value in the HTML and then delete other users' records, for example.

What is the best approach to prevent this from happening? So far I’ve put some more controls in the SQL query, setting a WHERE clause with the record ID and the user ID, which is stored in a SESSION; this way the user can delete only his own records. Do you think I could also store both the plain record ID and an encrypted record ID (maybe as a value in the HTML) and then see if they match during server-side validation? Any other approaches or ideas? Many thanks for your support, as always.
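
Added example, not part of the original post: a sketch of the ownership-scoped delete described above, where the record ID comes from the Ajax request and the user ID only from the server-side session. The `records` table, its columns, and the function names `deleteOwnRecord` and `handleDelete` are assumptions made for illustration, and the data is constructed in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);
// Added example: table, column and function names are hypothetical.

// Delete a record only if it belongs to $userId (taken from the session).
function deleteOwnRecord(PDO $db, int $recordId, int $userId): bool
{
    $stmt = $db->prepare('DELETE FROM records WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $recordId, ':uid' => $userId]);
    // Zero affected rows: the record is missing or owned by another user.
    return $stmt->rowCount() === 1;
}

// Body of the Ajax endpoint; returns [HTTP status, JSON payload].
function handleDelete(PDO $db, array $session, array $post): array
{
    if (!isset($session['user_id'])) {
        return [401, ['error' => 'not logged in']];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [400, ['error' => 'invalid id']];
    }
    // Same answer for "does not exist" and "not yours", so IDs cannot be probed.
    if (!deleteOwnRecord($db, $id, (int) $session['user_id'])) {
        return [404, ['error' => 'record not found']];
    }
    return [200, ['deleted' => $id]];
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT)');
$db->exec("INSERT INTO records (id, user_id, title) VALUES (1, 10, 'alice note'), (2, 20, 'bob note')");

$session = ['user_id' => 10]; // stands in for $_SESSION after login
// User 10 submits an ID changed in the HTML to record 2, owned by user 20.
echo json_encode(handleDelete($db, $session, ['id' => '2'])), PHP_EOL;
// User 10 deletes their own record 1.
echo json_encode(handleDelete($db, $session, ['id' => '1'])), PHP_EOL;
```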