Date: 2020-10-01

Hi,
I’m using Ajax and PHP for a CRUD application. I show records I get from the database in an HTML table. Each record has a unique ID, and I pass it to the HTML table by storing it in the ID field; then I can pass the value with Ajax and execute all the CRUD operations. The problem is that anybody using the browser developer tools could change the ID value in the HTML and then delete other users' records, for example.
What is the best approach to prevent this happening? So far I’ve put some more controls in the SQL query, setting a WHERE clause with the record ID and the user ID, which is stored in a SESSION; in this way the user can only delete his own records. Do you think I could also store both the plain record ID and an encrypted record ID (maybe as a value in the HTML) and then see if they match during server-side validation? Any other approach or ideas? Many thanks for your support as always.
First, make users log in to your app. Then implement some kind of role-based access system, specifying permissions for who may do what.
As you are seeing, more or less anything client-side can be spoofed, so the access checks need to happen on your server.
Hi, yes, there is a login in place as well.
I need to have all the users able to delete records but only their own.
Then check that this is the case before performing the delete.
Presumably you use a cookie or JWT to track the user’s logged in status - you can just query that before deleting anything.
I personally check the backend to see if they are logged in or not with their credentials. (That is 99.9 percent of the time handled by the backend application.) If they match, then onward the script goes; otherwise it’s back to the home page the script goes.
Hi, yes, this is what I do, but if they are logged in and change the ID using developer tools they can delete other users' records.
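
The server-side ownership check discussed in this thread, as an added example that is not part of any post above: the record ID from the request is treated as untrusted, and the user ID comes only from the server-side session. The `records` table, its `user_id` column, the function name and the in-memory SQLite database (requires the `pdo_sqlite` extension) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT)');
$db->exec("INSERT INTO records (id, user_id, title) VALUES (1, 10, 'alice note'), (2, 20, 'bob note')");

/**
 * Delete a record only if it belongs to the logged-in user (hypothetical helper).
 * $sessionUserId must come from the server-side session, never from the request.
 * $rawRecordId is the untrusted value sent by the Ajax call.
 */
function deleteOwnRecord(PDO $db, int $sessionUserId, $rawRecordId): bool
{
    // Reject anything that is not a positive integer before touching the database.
    $recordId = filter_var($rawRecordId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($recordId === false) {
        return false;
    }
    // Ownership is enforced in the same statement as the delete, so there is
    // no gap between the check and the action.
    $stmt = $db->prepare('DELETE FROM records WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $recordId, ':uid' => $sessionUserId]);
    if ($stmt->rowCount() === 1) {
        return true;
    }
    // Zero rows: the record does not exist or is owned by someone else.
    // Log it server-side; the response should not reveal which case it was.
    error_log("delete denied: user=$sessionUserId record=$recordId");
    return false;
}

// In the real endpoint these would be $_SESSION['user_id'] and $_POST['id'].
$sessionUserId = 10; // constructed: user 10 is logged in
var_dump(deleteOwnRecord($db, $sessionUserId, '1'));        // the user's own record
var_dump(deleteOwnRecord($db, $sessionUserId, '2'));        // ID edited in dev tools to another user's record
var_dump(deleteOwnRecord($db, $sessionUserId, '1 OR 1=1')); // not an integer
echo $db->query('SELECT COUNT(*) FROM records')->fetchColumn(), " record(s) left\n";
```

Because the session user ID is part of the `WHERE` clause, changing the ID in the HTML only changes which row is requested; a row owned by another user never matches.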