Home/ Questions/Q 965383
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T01:59:19+00:00

I just had this thought, I don’t know if I am slow though. Usually,

  • 0

I just had this thought, I don’t know if I am slow though.

Usually, I store the id of the item I am editing in a hidden field. Then in backend (I am using PHP/Zend Framework btw), I get it to determine which item gets edited. But then I thought, in something more secure, eg. edit profile, the user can somehow edit a hidden field right? Then he can edit someone else’s profile. I know for edit profile, I can get the id form the session variable, but what if i got something that requires me to store the id somewhere?

I got ACL (Zend_Acl) I do this. Basically grab the id from the request params

$id = $req->getParam('id');

then check if the logged in user is allowed to edit the item. But the thing is I wonder if the url is something like /users/edit/1 where 1 is the id. But somehow, the hidden field is changed to 2, what will the request param be?

How would you deal with this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You must store some kind of id at the client-otherwise how would you know which item to edit?
    This does not free you from the mandatory check on the server that the current user has privileges to edit/see the edited item.
    Other then that, why would you care how he got to edit the item (whether by lawful use of the web tool, or by editing the hidden/whatever field).

    • 0