Alternatives to passing data by hidden fields

0

I'm creating a system where I always need the id of my object in the DB, and most of the system sends this id from the VIEW to the controller using hidden fields with a POST.

Speaking of security, is this the best way to do it?

I find it rather unsafe to use this method. Can anyone help me?

asked by anonymous 14.05.2015 / 18:14

2 answers

1

It will only be insecure if your system has security holes; otherwise the user will not be able to do anything with an ID. But if you use an SSL certificate, for example, you can create a cookie or even a session to register the ID at the time you access the view. It will not mask it 100%, but it will not be editable.

14.05.2015 / 18:36
0

I think the best alternative is to use the framework's own feature for the id you want to pass.

parameters by URL and findOrFail

Controller:

public function anyEdit($id)
{
    // Throws ModelNotFoundException if no Usuario row has this id
    $usuario = Usuario::findOrFail($id);

    // Hand the loaded model to the view
    return View::make('...', ['usuario' => $usuario]);
}

View:

{{ Form::model($usuario); }}

In the case of the Controller shown above, the findOrFail method ensures that the user must exist in the database at the time of editing.

By passing the id in a hidden input, you run the risk of someone editing the data (with the developer tools, for example) and causing problems for your application.

In the case of findOrFail taking the id from the URL usuario/edit/1, if a non-existent id is given, Laravel will return an exception.

In the case of Form::model(), we pass the user so that the form fields are automatically filled with the desired values.

Input Hidden Security

You can apply extra security when receiving input data.

Let's say you want to validate that hidden input field and ensure that the ID exists in the database. You can use the exists validation rule for this:

// 'exists:table,column' checks that the submitted value is present
// in that column of the table
$rules = [
    'hidden_id' => 'required|exists:tabela,id_dessa_tabela'
];

$validator = Validator::make(Input::all(), $rules);

if ($validator->fails()) {
    // handle the error, e.g. redirect back with $validator->errors()
}

Level Control

And in a third case, let's imagine that you have the Produto model, and two types of users on the system (administrator and common).

The common user cannot edit the usuario_id field of Produto; the administrator can.

You can use the reguard method to protect model data, and unguard to undo the protection.

You can do something like this:

class BaseController extends Controller
{
    public function __construct()
    {
        // Only administrators may change guarded attributes of Produto;
        // for everyone else the protection stays in place
        if (Auth::user()->nivel !== 'administrador') {
            Produto::reguard();
        }
    }
}
01.08.2015 / 20:10
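The following is an added example, not code from either answer, showing how the three ideas of the second answer (id from the route with findOrFail, an exists validation rule, and keeping usuario_id out of reach of common users) fit together in one Laravel 4-style controller. The model and attribute names (Produto, Usuario, nivel, usuario_id, nome, preco), the route produto/edit/{id} and the usuarios table are assumptions that follow the answer's naming; the Laravel facades used (Auth, Input, Validator, Redirect, App) are the standard Laravel 4 ones.

```php
<?php
// Added example (not from the answers above). Assumed names: Produto and
// Usuario models, a `nivel` attribute on the user, a `usuarios` table.

class Produto extends Eloquent
{
    // Mass-assignment whitelist: fill() ignores anything not listed here
    protected $fillable = ['nome', 'preco', 'usuario_id'];
}

class ProdutoController extends BaseController
{
    // The id comes from the route (produto/edit/1), never from a hidden field
    public function postEdit($id)
    {
        // findOrFail throws ModelNotFoundException for an unknown id,
        // so a tampered id never reaches the update logic
        $produto = Produto::findOrFail($id);

        // Authorization is a server-side decision: a common user may only
        // edit their own products. Nothing the client edits in the browser
        // developer tools changes this check.
        $user    = Auth::user();
        $isAdmin = ($user->nivel === 'administrador');
        if (!$isAdmin && (int) $produto->usuario_id !== (int) $user->id) {
            App::abort(403);
        }

        // Read only the fields this user is allowed to change. For a common
        // user usuario_id is never taken from the request at all, so it
        // cannot be altered no matter what the client sends.
        $allowed = ['nome', 'preco'];
        if ($isAdmin) {
            $allowed[] = 'usuario_id';
        }
        $data = Input::only($allowed);

        // Validate what remains; `exists` confirms that a submitted
        // usuario_id really is a row of the usuarios table
        $rules = [
            'nome'       => 'required|max:100',
            'preco'      => 'required|numeric|min:0',
            'usuario_id' => 'sometimes|required|exists:usuarios,id',
        ];
        $validator = Validator::make($data, $rules);
        if ($validator->fails()) {
            return Redirect::back()->withErrors($validator)->withInput();
        }

        // fill() honours $fillable, so even the admin path cannot assign
        // columns the model does not list
        $produto->fill($data);
        $produto->save();

        return Redirect::to('produto/edit/' . $produto->id);
    }
}
```

The important design choice is that the two decisions an attacker would most like to influence (which record is edited, and who is allowed to edit it) are both derived on the server from the route parameter and the authenticated session, and the request body is only consulted for the whitelisted fields after that.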