Is it correct to store a record to use during the process lifecycle in a session variable?

1

Hello, I have a web system, but it is super flawed... I store IDs in hidden inputs; however, they are visible if you inspect the element...

If I change the schedule_id to 1, it will update record 1 instead of 26.

Would it be best to store this ID in a session (PHP) and then retrieve it during the process lifecycle? Or is there any other way?

I do not know if this question is a duplicate. I tried to be as clear as possible. Thank you in advance for any help.

asked by anonymous 29.07.2018 / 11:19

1 answer

2

I believe the most practical and least costly way would be to create a unique key column in your database table, a varchar, to store a second identifier. This second identifier must be random and one-way, that is, not reversible.

There are several ways to create a hash, for example:

// random_bytes gives a sequence of random bytes
// bin2hex converts them to ASCII hex
// sha1 hashes the result (one-way)
$uniq = sha1(bin2hex(random_bytes(32)));

Store this value along with the rest of the data.

Also check whether you really need to have "schedule_id" and "patient_id" in the form. If the database is well structured and related, you can update the data using only a single identifier.

In the end, your input will look like this:

<input type="hidden" name="token" value="a72e2e0d24022f7c8e34532208ee0b119cb77850">

In this way you greatly decrease the probability of someone guessing the next value.

02.08.2018 / 19:32
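The following is an added example (my own code, not the answerer's or the asker's) showing how the random token from the answer fits into the insert/update flow, and how it combines with the PHP session the question mentions. The unguessable token stops people from walking sequential IDs, but the server must still confirm that the logged-in user owns the record, otherwise a token that leaks (browser history, a shared screenshot) is enough to edit someone else's schedule. The `$pdo` connection, the `schedules` table and its columns (`id`, `token`, `owner_user_id`, `patient_id`, `starts_at`), and the `$_SESSION['user_id']` key are all assumptions for the example.

```php
<?php
// Added example, not from the original answer.
// Assumes: an existing PDO connection in $pdo (exceptions enabled),
// a table `schedules` (id INT PK, token VARCHAR(40) UNIQUE,
// owner_user_id INT, patient_id INT, starts_at DATETIME),
// and that a logged-in user has $_SESSION['user_id'] set.

session_start();

// Same construction as in the answer: 32 random bytes -> hex -> sha1.
// sha1 here only shapes the output; the unpredictability comes from random_bytes.
function generate_schedule_token(): string
{
    return sha1(bin2hex(random_bytes(32)));
}

// Creates a schedule and returns the token that goes into the hidden input.
// The numeric `id` never leaves the server.
function create_schedule(PDO $pdo, int $ownerUserId, int $patientId, string $startsAt): string
{
    $token = generate_schedule_token();
    $stmt = $pdo->prepare(
        'INSERT INTO schedules (token, owner_user_id, patient_id, starts_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$token, $ownerUserId, $patientId, $startsAt]);
    return $token;
}

// Resolves a submitted token to a record id, but only if the record belongs
// to the calling user. Returns null for an unknown token or someone else's record.
function find_owned_schedule_id(PDO $pdo, int $ownerUserId, string $token): ?int
{
    // Reject anything that is not a 40-char lowercase hex string before querying.
    if (!preg_match('/^[0-9a-f]{40}$/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id FROM schedules WHERE token = ? AND owner_user_id = ?'
    );
    $stmt->execute([$token, $ownerUserId]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Updates the schedule identified by the token, scoped to the current user.
// Returns true on success, false if the token is unknown or not the caller's.
function update_schedule(PDO $pdo, int $ownerUserId, string $token, string $startsAt): bool
{
    $id = find_owned_schedule_id($pdo, $ownerUserId, $token);
    if ($id === null) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE schedules SET starts_at = ? WHERE id = ?');
    $stmt->execute([$startsAt, $id]);
    return true;
}

// Form handler: the token comes from the hidden input, the user from the session.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Not logged in');
    }
    $ok = update_schedule(
        $pdo,
        (int) $_SESSION['user_id'],
        (string) ($_POST['token'] ?? ''),
        (string) ($_POST['starts_at'] ?? '')
    );
    if (!$ok) {
        // Same response for "does not exist" and "not yours", so the
        // reply does not reveal which tokens are valid.
        http_response_code(404);
        exit('Schedule not found');
    }
}

// When rendering the edit form, escape the token even though it is hex,
// so the habit holds for values that are not.
function render_token_input(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}
```

With this layout the hidden input carries only the token, and the session decides whose records a request may touch, so changing the hidden value to another record's token still fails the `owner_user_id` check.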