Hello, I have a web system, but it is super flawed ... I store ID's in hidden input, however, it is visible if you inspect element ..
If I change the schedule_id to 1, it will update registry 1 instead of 26.
Would it be best to store this ID in a session (PHP) and then retrieve it during the process lifecycle? Or is there any other way?
I do not know if the question is duplicated. I tried to be as clear as possible. Thank you in advance for being able to help me.
I believe the most practical and least costly way would be to create a single key column in your database table, varchar itself, to store a second identifier. This second identifier must be random and one-way, that is, without conversion.
There are several ways to create a hash, for example:
//random_bytes dará uma sequência de bytes
//bin2hex converte para ASCII
//sha1 criptografa
$uniq = sha1(bin2hex(random_bytes(32)));
stores this value along with the rest of the other data.
Also validate the need to have the "schedule_id" and "patient_id" in the form. If the bank is well structured and related, you can update the data using only a single identifier.
In the end, your input will look like this:
<input type="hidden" name="token" value="a72e2e0d24022f7c8e34532208ee0b119cb77850">
In this way you decrease and very much the probability of someone hitting the next value.