Posted by Harris Kosmidhs on 06/14/70 12:01

Though I program in php for some years, I started thinking a lot about
the security in my php scripts.

When I add/insert/delete to a form I usually have a hidden input box
with the (auto-increment id) of the record I want to update. So when I
UPDATE I put where id=intval($id).
This is quite a security risk but these forms are administration forms,
assuming that the administrator won't edit hidden values and mess with
it's data.

But what happens if this is a public form? How can you avoid having the
id in a hidden (and easily changed) form field? What techniques do
exist? I have some in mind as a workaround (like puting id in $_SESSION)
but I would like to hear other opinions.

Thanks

[Back to original message]