I was wondering about the best way to set up the following.
I have a dynamic form that can potentially get very long once a user has finished adding their data. What I was hoping to set up is a background process that saves the data they have to the database.
What I had set up was a settimer function that would check if a question is in a saved state and, if not, add it to a list of questions to save. Then it would trigger an AJAX call which uses PHP to post to my database. The first time this happens, the AJAX call will return the ID of the submission so the form knows where to post these to.
The second time the set timer function is run it passes this id.
My biggest problem is I don't want the user to know table IDs. I was just thinking someone can mess with the JavaScript and submit their results to other IDs pretty easily.
I was just wondering if there is a better way to achieve this? Or even some examples?
Thanks
Generally speaking, you should probably keep the ID on the server-side in a $_SESSION variable and never let it get anywhere near the client. Alternatively, the form might contain sufficiently identifiable information to be able to determine the relevant record on the basis of some UNIQUE index.
However, if you prefer, you could also add some cryptographic authentication to prove that the ID has not been altered by the user. For example, in addition to the ID itself, return to the client a secure hash of the ID concatenated with some secret; when the client posts back to your server both the ID and that hash, you can compare against a recalculated version of the hash to check that only someone who knew the secret (i.e. you) could have provided the client with that ID.
In order to defeat more sophisticated attacks, you might want to add some salt:
// some_random_string() stands in for your own random-string generator
$salt = some_random_string();
$hash = md5( md5($secret) . md5($id) . md5($salt) );
Then send to the client the hash, the ID and the salt; all three of which it will return to you for validation.
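The issue-and-verify round trip described in this answer, as an added example that is not part of the original answer: it swaps the nested md5() construction for HMAC-SHA256 via hash_hmac() and compares with hash_equals(). The function names, the secret value and the sample ID 42 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the real secret comes from server-side configuration and is
// never sent to the client. This value is constructed for the example.
const SUBMISSION_SECRET = 'constructed-demo-secret-change-me';

// Hypothetical helper: builds the three values the answer sends to the client.
function issue_submission_token(int $id): array
{
    $salt = bin2hex(random_bytes(16)); // 32 hex characters from the CSPRNG
    // The id is decimal digits and the salt is fixed-length hex, so the
    // "id|salt" message cannot be split in two different ways.
    $hash = hash_hmac('sha256', $id . '|' . $salt, SUBMISSION_SECRET);
    return ['id' => $id, 'salt' => $salt, 'hash' => $hash];
}

// Hypothetical helper: returns the validated id, or null if any field was
// missing, malformed or altered.
function verify_submission_token(array $post): ?int
{
    $id   = $post['id']   ?? null;
    $salt = $post['salt'] ?? null;
    $hash = $post['hash'] ?? null;
    // Reject missing fields and array-valued parameters (e.g. id[]=1).
    if (!is_string($id) || !is_string($salt) || !is_string($hash)) {
        return null;
    }
    // Strict formats: bounded decimal id, exactly 32 lowercase hex for the salt.
    if (!preg_match('/\A[0-9]{1,18}\z/', $id) || !preg_match('/\A[0-9a-f]{32}\z/', $salt)) {
        return null;
    }
    $expected = hash_hmac('sha256', $id . '|' . $salt, SUBMISSION_SECRET);
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed hash were correct.
    return hash_equals($expected, $hash) ? (int) $id : null;
}

// Constructed round trip: the first save issues the token, later saves post it back.
$posted = array_map('strval', issue_submission_token(42)); // form fields arrive as strings
var_dump(verify_submission_token($posted));                // values returned unmodified

$posted['id'] = '43';                                      // id edited on the client
var_dump(verify_submission_token($posted));                // hash no longer matches
```

The token only proves that the server issued that ID; including a per-user value such as the logged-in user's ID in the HMAC input keeps a token from being accepted for a different user.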