
I was wondering, are there ways in Laravel to not display the id in the source when inspecting with developer tools? I have this form:

{!! Form::model($data, ['route' => ['data.edit', $data->id], 'method' => 'get']) !!}
    {{ Form::submit('Edit', array('class' => 'btn btn-info')) }}
{!! Form::close() !!}

With inspection, the user can see the ids of all forms like this, change one element's id to another, and on click he will edit the changed one. Are there any workarounds?

I would just check in the controller whether that data entry belongs to the user, so at least the user would not be able to delete or change entries that do not belong to him, but that is not the solution I want.

zerociudo

1 Answer


Not if you set the id in the HTML. You could use the session to store the data, but you should always validate access on update. You should never trust the client.

Not having a guessable id is also a reason to use a uuid instead of an auto-increment id, but even if you use uuids you need to check access on the server for all requests, no matter if they are to get data or to update data.

rypskar
  • Can you write more about how to use uuids in a multi-user system? – Adam Kozlowski Mar 23 '18 at 11:50
  • You can have a look at https://stackoverflow.com/questions/5159413/uuid-versus-auto-increment-number-for-primary-key and https://www.clever-cloud.com/blog/engineering/2015/05/20/why-auto-increment-is-a-terrible-idea/ . How to use them depends on which database you are on and whether you are able to change your database at this stage. In Laravel you set in your migrations that the id column is a uuid, you have to set public $incrementing = false; on your models, and you can use Uuid::uuid4(); to create the id before inserting into the database. – rypskar Mar 23 '18 at 12:02
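As an added example (not code from the answer, the asker, or Laravel itself), here is the server-side ownership check the answer insists on, next to the UUID model setup described in the comment. It assumes a `data` table whose migration declares `$table->uuid('id')->primary()` and a `user_id` column, a `User::data()` hasMany relation, and the ramsey/uuid package; the `Data` model, `DataController` and `title` field are hypothetical names.

```php
<?php
// Added example, not code from the original post. Assumes a `data` table whose
// migration declares `$table->uuid('id')->primary()` and a `user_id` column,
// a `User::data()` hasMany relation, and the ramsey/uuid package.
namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Ramsey\Uuid\Uuid;

class Data extends Model
{
    // UUID primary key as described in the comment: no auto-increment, and a
    // string key type so Eloquent does not cast the id to an integer.
    public $incrementing = false;
    protected $keyType = 'string';

    protected static function booted(): void
    {
        // Assign a random (v4) UUID before insert. This makes ids hard to
        // guess; it does not replace the access check in the controller.
        static::creating(function (self $model) {
            $key = $model->getKeyName();
            $model->{$key} = $model->{$key} ?? Uuid::uuid4()->toString();
        });
    }
}

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class DataController extends Controller
{
    // The id posted by the form is untrusted input. Scoping the lookup to the
    // logged-in user means a swapped id resolves to 404, not to another
    // user's row, for reads (edit) and writes (update) alike.
    public function edit(Request $request, string $id)
    {
        $data = $request->user()->data()->findOrFail($id);
        return view('data.edit', ['data' => $data]);
    }

    public function update(Request $request, string $id)
    {
        $data = $request->user()->data()->findOrFail($id);
        $data->update($request->validate(['title' => 'required|string|max:255']));
        return redirect()->route('data.edit', $data->id);
    }
}
```

The two classes are shown in one file only for brevity; in a real app they live in app/Models/Data.php and app/Http/Controllers/DataController.php.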