Here's the summary of my code:
My website basically just loops the content of all the rows of a certain table; however, at times, I'll need to obtain an individual ID from a certain row. The hidden input works but I know that it will be a big burden on security. After I get the ID from the hidden input, I need to insert it into another table. Hackers can simply change the value of the hidden input and hack into the system. I can't find a way to validate that on the server side. Encryption may help but I think hackers can always find a way to decrypt it. Does anyone have an idea on how to make this more secure?
UPDATE:
I'm sorry for being a bit vague with what my website does. Basically, it's just a like and dislike system similar to that of Facebook. My table has a structure of: id, user_that_liked_id, post_id. When a user likes a post, the ID of the post is then inserted into post_id, and the ID of the user that liked the post is inserted into user_that_liked_id. There is a security issue here because users may simply change the ID of the hidden input which will allow them to insert all sorts of non sense. Please refer to the code below.
HTML (Summary):
<div class="thumbsup mini_thumbs" name="mini_thumbs">
<input type="hidden" value="<?php echo $row->id; ?>" id="post_id"/>
<input class="up" name="thumbsup_vote" type="submit" value="1" title="Vote up" onclick = "liked(this)" />
<input class="down" name="thumbsup_vote" type="submit" value="0" title="Vote down" onclick = "disliked(this)" />
</div>
JavaScript/jQuery (Summary)
function liked(e) {
var post_id = $(e).siblings("#post_id").val();
alert(post_id);
}
If you give it to the client, then the user can change it.
If you can't avoid giving it to the client then, when the form is submitted, you need to check if the user is authenticated (i.e. that you know who there are, e.g. because they have entered a password) and authorized (i.e. that they are allowed to do whatever the request is asking for).
How you determine authorization depends entirely on your business rules (which you haven't explained to us). These may be something like:
IF the id belongs to an entry created by the user
OR IF the user is an admin
This would, obviously, require that you keep a record of which users created which entries or which users was admins.
There is a security issue here because users may simply change the ID of the hidden input which will allow them to insert all sorts of non sense.
The only sort of nonsense I can imagine that could cause is liking a post multiple times, or liking posts that the user cannot see. This just comes back to authorization. Reject the request if it is a duplicate or if the user isn't allowed to see the post they are trying to vote on.
Displaying the ID value in the html is fine, assuming you have good authentication and validation on the server side.
For instance, I assume your code is to update a post on a blog or something similar? Do users have to be logged in when updating? Do you check that the current logged in user has permission to update that particular post (IE by either setting that the usergroup the user is in has permission to edit posts or edit all posts, or that the author of the post is the logged in user).
You could save the record ID in a session to hide it from the user, but hackers could still attempt session hijacks.
Its all about your backend security.
