A user can submit his data, after login. There is two tables in mysql: items, categories. Categories has a field: user_id, but in item table, there isn’t, every item should belongs to a category.
When a user submitting a category, its fine, i get the user id from session, and inserting it.
When he submits an item, i set the category_id for it.
The problem is, the user can simply rewrite the category_id (javascript, on the frontend, click on a category : set the category_id), and submit the item into a category which is not related to him.
Two solutions what i’m thinking (but i haven’t made like this):
When the user inserts an item, i check the category relation, and if it’s not the user’s one, its exit.
Add the user_id field into the items table too (not looking as a good option).
What is the good way or what’s the proper/common solution in this case?
If you already have the user_id in the categories table, and you’re certain that each item has a category, then this is unnecessary duplication, as you suspect.
That’s the way to do it – when you read the category id before inserting an item, make sure that category belongs to the user. Simple. I would probably just
show_404(), but it’s up to you if you want to show a meaningful error message.