I'm developing a PHP web application.
I'm a bit curious about how people store an object's primary key value in the web form when they retrieve the object, so that they can update the relevant record by referring to the same record using the retrieved key.
For e.g., I retrieve an employee record with pk_id=10. When the user makes changes to the object, we need to update the object with pk_id 10, so I need to store the pk_id in the form.
I thought of storing the value in a hidden input field. Will this be a problem?
How do professional people do this?
Rgds,
Rifky
There are two ways: the ones identified by @marvin (i.e. client side), and within the session.
If you use client side identification, please be very, very careful. In your example, it would be trivially easy for someone to set their salary to a million dollars if they knew their primary key. @Thomas Hudspith-Tatham says this is unlikely – I disagree, especially with a public facing website. In the early days of the interwebs, there were several cases of ecommerce stores having to honour orders for high-end products at $0.01, because the application used client-side mechanisms for transferring data between pages.
Incidentally, when modifying data, it’s good form to use POST, rather than GET – so a hidden field is stylistically better than a URL parameter.
Using sessions is a bit of a pain – you have to worry about load balancing and cookies expiring, but it’s far harder for an attacker to change data you don’t want them to change.
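The approaches discussed in the answer above, side by side, as an added PHP example that is not part of the original question or answer. It assumes (all assumptions for illustration) a PDO connection in $pdo, an employee table with pk_id, name, salary and manager_id columns, and that the logged-in user's own employee id is already in $_SESSION['user_id']. The first function is the unsafe pattern the answer warns about; the second keeps the hidden field but authorises the write on the server; the third carries the key in the session instead of the form.

```php
<?php
// Added example, not code from the original post. Assumed schema:
//   employee(pk_id INT PK, name VARCHAR, salary DECIMAL, manager_id INT)
// Assumed: $pdo is a PDO connection, $_SESSION['user_id'] is set at login.
declare(strict_types=1);
session_start();

// --- 1. Hidden field trusted as-is: the problem the answer describes. ---
// Whoever knows or guesses a pk_id can rewrite that row, salary included;
// the only "control" is a hidden input they can edit in the browser.
function updateEmployeeUnsafe(PDO $pdo, array $post): bool
{
    $stmt = $pdo->prepare('UPDATE employee SET name = ?, salary = ? WHERE pk_id = ?');
    return $stmt->execute([$post['name'], (float) $post['salary'], (int) $post['pk_id']]);
}

// --- 2. Hidden field kept, but treated as a claim the server verifies. ---
// Rendering the form: POST, hidden pk_id, values HTML-escaped.
function renderEditFormWithHiddenId(array $emp): string
{
    $id   = (int) $emp['pk_id'];
    $name = htmlspecialchars((string) $emp['name'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="update.php">'
         . '<input type="hidden" name="pk_id" value="' . $id . '">'
         . '<input name="name" value="' . $name . '">'
         . '<input name="salary" value="' . (float) $emp['salary'] . '">'
         . '<button>Save</button></form>';
}

// Handling the POST: validate the id, then decide whether *this* user may
// change *this* row (here: only the employee's manager may), before writing.
function updateEmployeeChecked(PDO $pdo, array $post, int $currentUser): bool
{
    $id = filter_var($post['pk_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT manager_id FROM employee WHERE pk_id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['manager_id'] !== $currentUser) {
        return false;   // not their record: respond as a 403 and log the attempt
    }
    $salary = filter_var($post['salary'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($salary === false || $salary < 0) {
        return false;
    }
    // manager_id is repeated in the WHERE clause so the write cannot succeed
    // if ownership changed between the SELECT above and this UPDATE.
    $stmt = $pdo->prepare(
        'UPDATE employee SET name = ?, salary = ? WHERE pk_id = ? AND manager_id = ?'
    );
    return $stmt->execute([(string) ($post['name'] ?? ''), $salary, $id, $currentUser]);
}

// --- 3. Key kept in the session: the form carries no id at all. ---
// The authorisation check moves to the moment the record is loaded; the
// update then uses the id the server remembered, so a forged field has
// nothing to change.
function showEditFormFromSession(PDO $pdo, int $id, int $currentUser): string
{
    $stmt = $pdo->prepare(
        'SELECT pk_id, name FROM employee WHERE pk_id = ? AND manager_id = ?'
    );
    $stmt->execute([$id, $currentUser]);
    $emp = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($emp === false) {
        return 'not found';   // same answer whether the row is missing or not theirs
    }
    $_SESSION['editing_employee'] = (int) $emp['pk_id'];
    $name = htmlspecialchars((string) $emp['name'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="update.php">'
         . '<input name="name" value="' . $name . '">'
         . '<button>Save</button></form>';
}

function updateEmployeeFromSession(PDO $pdo, array $post): bool
{
    if (!isset($_SESSION['editing_employee'])) {
        return false;   // session expired, or update.php reached out of order
    }
    $id = (int) $_SESSION['editing_employee'];
    unset($_SESSION['editing_employee']);   // one rendered form, one update
    $stmt = $pdo->prepare('UPDATE employee SET name = ? WHERE pk_id = ?');
    return $stmt->execute([(string) ($post['name'] ?? ''), $id]);
}

// update.php, for approach 2, would then be roughly:
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($pdo)) {
    $ok = updateEmployeeChecked($pdo, $_POST, (int) ($_SESSION['user_id'] ?? 0));
    http_response_code($ok ? 303 : 403);
}
```

Whichever way the key travels, the decision of whether this user may change this row and these columns is made on the server at write time (approach 2) or at load time (approach 3); the hidden field is acceptable as a locator, never as an authorisation. The session variant inherits the load-balancing and expiry concerns the answer mentions, so it needs sticky sessions or a shared session store, and the handler above returns false rather than guessing when the session entry is gone.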