I’m making a little web application using PHP and JavaScript and I’ve come to a point where I’m not sure how to ‘hide’ the user’s ID. Let me illustrate…
I have a page which uses a lot of JavaScript (it’s based around the Google Maps API). When the user has done all their stuff, I make a single JavaScript object containing all the stuff I want to write to the database (locations from the map essentially). So I want to pass this object to another script using AJAX, which is of course very trivial using jQuery (which I am).
Herein lies the problem: along with the JavaScript object I’m going to need to pass the User’s ID so the script it passes to knows which user to associate the values in the object with. I feel that if I pass it with JavaScript then somebody could easily come along and start passing a false User ID and adding lots of stuff to the db that associates itself with a different user.
I could pass the User ID with PHP but then how do I give the JavaScript object to PHP?
Can anybody offer any advice on how I can pass the map data with JavaScript but somehow not expose the User ID detail?
This is a security risk: anybody could try to edit the user id and overwrite the data from other users.
You should consider using sessions, which will let you identify the user on the server: when the server gets a request, you know who it is coming from and can act accordingly.
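The session approach from the answer above, as an added example that is not part of the original thread: the AJAX body carries only the map data, and the handler takes the user ID from session state, ignoring any ID the client sends. The function name `save_locations`, the table `map_locations`, the session key `user_id` and the `lat`/`lng` fields are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for the AJAX request. The user id comes only from
// server-side session state; a "user_id" field in the request body is ignored.
function save_locations(PDO $db, array $session, string $rawBody): array
{
    if (!isset($session['user_id'])) {
        return [401, 'not logged in'];
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data) || !is_array($data['locations'] ?? null)) {
        return [400, 'bad payload'];
    }
    $stmt = $db->prepare('INSERT INTO map_locations (user_id, lat, lng) VALUES (?, ?, ?)');
    $db->beginTransaction();
    foreach ($data['locations'] as $loc) {
        if (!is_array($loc) || !is_numeric($loc['lat'] ?? null) || !is_numeric($loc['lng'] ?? null)) {
            $db->rollBack(); // reject the whole request, keep nothing half-written
            return [400, 'bad location'];
        }
        $stmt->execute([(int) $session['user_id'], (float) $loc['lat'], (float) $loc['lng']]);
    }
    $db->commit();
    return [200, 'saved ' . count($data['locations'])];
}

// In the real endpoint (assumed wiring):
//   session_start();
//   [$code, $msg] = save_locations($db, $_SESSION, file_get_contents('php://input'));
//   http_response_code($code); echo $msg;

// Constructed demo: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE map_locations (user_id INTEGER, lat REAL, lng REAL)');

// Constructed request body in which the client claims to be user 1.
$body = '{"user_id": 1, "locations": [{"lat": 51.5, "lng": -0.12}]}';
$session = ['user_id' => 42]; // what the login step would have stored in $_SESSION

print_r(save_locations($db, $session, $body)); // logged-in request
print_r(save_locations($db, [], $body));       // request with no session
print_r($db->query('SELECT user_id, lat, lng FROM map_locations')->fetchAll(PDO::FETCH_ASSOC));
```

On the client side nothing changes except that the jQuery call no longer includes a user ID; the browser sends the session cookie with the request automatically.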