I have many lists e.g. a todo list, a shopping list etc. on my web page. I am using AJAX to add or delete the items. For example, for a todo list my HTML is like:
<tr id="todo_userttypea_23"> <td>name</td><td>Delete</td></tr>
Note that if the user presses delete, I delete that row.
I get the id of the row and then break it to find which operation to perform and which id to delete.
But I have found that if I use Firebug then I can change the id dynamically to any number, and I have found that it is possible to delete any id, even if it does not belong to that user, by editing the HTML.
What should I do to prevent this?
The main principle is "never trust incoming data". Any data you get sent from outside can be manipulated: parameters, headers, referers, everything. A good and safe system does not trust any of these.
If you have multiple users working on the same database, you will probably need to implement an authorization system that defines clearly who is allowed to do what to which record.
That is usually done using a session-based login system of some sort, based on one of the scripting languages like PHP, Ruby, ASP or Perl. There are pre-built solutions available.
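An added example (not from the question or the answer) of what that server-side check looks like for the delete handler: the owner comes from the server-side session, never from the request, and the DOM id is validated against an allow-list before it touches the database. The table names, the `owner_id` column and the sample rows are assumptions; the `todo_userttypea_23` id format is the one from the question.

```python
import re
import sqlite3

# Allow-list mapping the list prefix in the DOM id to a table name (assumed
# schema). Never build the table name from raw request input.
LIST_TABLES = {"todo": "todo_items", "shopping": "shopping_items"}
ID_PATTERN = re.compile(r"^(todo|shopping)_[a-z0-9]+_(\d+)$")


def setup_db():
    """Constructed sample data: user 1 owns todo 23 and shopping 5, user 2 owns todo 24."""
    conn = sqlite3.connect(":memory:")
    for table in LIST_TABLES.values():
        conn.execute(
            f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT)"
        )
    conn.executemany("INSERT INTO todo_items VALUES (?, ?, ?)",
                     [(23, 1, "buy milk"), (24, 2, "pay rent")])
    conn.executemany("INSERT INTO shopping_items VALUES (?, ?, ?)", [(5, 1, "eggs")])
    conn.commit()
    return conn


def delete_item(conn, session_user_id, dom_id):
    """Handle an AJAX delete for the logged-in user. Returns (status, rows_deleted).

    session_user_id must come from the server-side session, not from the request.
    """
    if session_user_id is None:
        return ("unauthenticated", 0)
    m = ID_PATTERN.match(dom_id)
    if not m:
        return ("bad_request", 0)
    table = LIST_TABLES[m.group(1)]   # only allow-listed names reach the query
    row_id = int(m.group(2))
    # The WHERE clause ties the row to the session owner, so a tampered id that
    # belongs to someone else simply matches nothing. Parameters are bound, not
    # concatenated, to avoid SQL injection.
    cur = conn.execute(
        f"DELETE FROM {table} WHERE id = ? AND owner_id = ?", (row_id, session_user_id)
    )
    conn.commit()
    if cur.rowcount == 0:
        # Same answer for "does not exist" and "not yours": no ownership oracle.
        return ("not_found_or_forbidden", 0)
    return ("deleted", cur.rowcount)
```

The same pattern applies to every list and every operation (edit, mark done), not just delete: each query carries the session owner in its WHERE clause.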