Home/ Questions/Q 9120369
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T05:36:45+00:00

In the web application, of course in many case we will support CRUD(Create, Retriever,

  • 0

In the web application, of course in many case we will support CRUD(Create, Retriever, Update, Delete)

Basic programmer will do something like bellow(without Verification ) :

delete?room_id=12
update?room_id=13

The displayed room_id is only for room that belong to the user/client.
first Authentication is only using user and password. well that’s a standard.

But i believe we should not trust the user. The bad user may guess the room_id that’s not belong him. like delete?room_id=199

I ask my programmer friend, and they even never think about this issue.

So to prevent that, i have a basic solution that to always pass the user_id for any related object. such querying before any action is the room_id belong to the user.
If this the only solution, so i must to modify all of the query i already write.

The question is, is there any good or better solution for this basic problem ?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your approach is a good one. And it really doesn’t surprise me that your programmer friends haven’t thought about it; unfortunately security seems to be the last thing on most programmers minds.

    In a good system, you will perform an authorization check on nearly every action performed to see if this particular user is authorized to perform that action. Its generally good practice to build this check in throughout your app, even for things that you don’t normally care if they are authorized for or not: someday you might be.

    In your scenario, that action might be to retrieve the room, update the room or even delete the room.

    To help things along I have a few recommendations:

    1. Make the room_id non guessable if possible. The easy way, presuming you are already using an int as your primary key, is to encrypt / decrypt it when passing between the client browser and your application.

    2. Make sure that on the browser side you aren’t passing in the users id but rather pulling that from session or through some other mechanism. The point is you don’t want to trust the user to pass the id to you.

    3. Any action that is not a GET, use an HTTP POST to perform. In other words you shouldn’t be putting the ids in the query string at all but rather as post data.

    • 0