Laravel validate passed data and prevent user changes

171
August 05, 2018, at 1:20 PM

I asked this question before and didn't get an accurate answer. As I know, it's impossible to prevent users from changing a value using inspect element, but if I use a form with {{ csrf_field() }} the user can still inspect the element and change the value of the id, for example. And well, to validate the data, as some said, the data will be passed to the controller and validated there, but this will be ok if the controller received id=2 instead of 1, so the user can change the id from inspect element. Do you have any solution for this?

Example (I'm using ajax to pass the data to the controller):

    <form role="form" name="form_address" id="form_address" action="" method="POST" enctype="multipart/form-data" autocomplete="off">
        {{ csrf_field() }}
        @foreach($stores as $store)
            <input class="field" id="id" hidden="" value="{{$store->store_id}}">
            <input class="field" id="price" value="{{$store->store_price}}">
        @endforeach
    </form>
    <button id="save_data"><span class="BigButton_text">Save</span></button>

Answer 1

I see you are using Laravel.

As a user said, you should do the validation on the backend.

First, for security, don't show auto-increment IDs to users (that makes them prone to guessing - a user changing the store ID to try to edit another record, for example).

On the backend there are several ways to do this validation.

You can add a Policy, or it could be as simple as:

  1. Getting the logged in user ID, like this:

    $user_id = Auth::user()->id;
    
  2. Making sure the user owns the store (get the store he sent in the request, and check whether the user id is the same?). Depends on your architecture.
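The ownership check described in this answer, written out as a Laravel Policy and a controller action. This is an added example, not code from the answer or from the Laravel project; it assumes Laravel 5.6, a `Store` model backed by a `stores` table with a `user_id` column, and a hypothetical `updatePrice` action that receives the `id` and `price` fields from the asker's form.

```php
<?php
// Added example (not from the answer above): ownership check with a Policy.
// Assumes Laravel 5.6, a Store model, and a `stores.user_id` column.

// app/Policies/StorePolicy.php
namespace App\Policies;

use App\Store;
use App\User;

class StorePolicy
{
    // Only the owner of a store may change it. The id from the request is
    // never trusted on its own: the row is loaded first and its user_id is
    // compared with the authenticated user (cast, since PDO may return strings).
    public function update(User $user, Store $store): bool
    {
        return (int) $user->id === (int) $store->user_id;
    }
}

// app/Providers/AuthServiceProvider.php: register the policy
// protected $policies = [
//     \App\Store::class => \App\Policies\StorePolicy::class,
// ];

// app/Http/Controllers/StoreController.php (hypothetical action name)
namespace App\Http\Controllers;

use App\Store;
use Illuminate\Http\Request;

class StoreController extends Controller
{
    public function updatePrice(Request $request)
    {
        // Validate the shape first so a garbage id never reaches the query.
        $data = $request->validate([
            'id'    => 'required|integer',
            'price' => 'required|numeric|min:0',
        ]);

        // Look the store up by the submitted id; a tampered id that does not
        // exist yields a 404 rather than a silent no-op.
        $store = Store::findOrFail($data['id']);

        // The check the answer describes: throws AuthorizationException
        // (HTTP 403) unless the logged-in user owns the store, no matter
        // what id was put into the hidden field via inspect element.
        $this->authorize('update', $store);

        // Only the whitelisted field is written; the id cannot be reassigned.
        $store->price = $data['price'];
        $store->save();

        return response()->json(['ok' => true]);
    }
}
```

The point of loading the row before authorizing is that the decision is made on what the database says the store's owner is, not on anything the browser sent; a changed hidden field can therefore only select among the user's own stores or produce a 403/404.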

Answer 2

If the user changes the store id via the inspect element, you can apply something like the following in the controller or middleware:

if (! in_array($request->store_id, Auth::user()->stores->pluck('id')->toArray())) {
    abort(403);
}

Much better than this is to get acquainted with the Authorization service provided by Laravel.

https://laravel.com/docs/5.6/authorization

I would suggest that you write a few Gates and put them to action. That's what I did when I was in the same position as you are now.

By doing that, you'll quickly realize how feasible it is to guard your application from data tampering via the inspect element.
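A worked version of what this answer recommends: a Gate defined in the auth service provider, and a form request whose `authorize()` consults that gate and whose rules scope the submitted `id` to the current user's rows in the database (so the check is done by the query rather than by loading every id with `pluck()` and `in_array()`). This is an added example, not code from the answer or from the Laravel project; it assumes Laravel 5.6, a `Store` model with a `stores.user_id` column, and the hypothetical names `update-store`, `UpdateStorePriceRequest` and `updatePrice`.

```php
<?php
// Added example (not from the answer above): Gate + scoped validation.
// Assumes Laravel 5.6, a Store model, and a `stores.user_id` column.

// app/Providers/AuthServiceProvider.php
namespace App\Providers;

use App\Store;
use App\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        // The Gate the answer suggests: a user may update only stores they own.
        Gate::define('update-store', function (User $user, Store $store) {
            return (int) $user->id === (int) $store->user_id;
        });
    }
}

// app/Http/Requests/UpdateStorePriceRequest.php (hypothetical name)
namespace App\Http\Requests;

use App\Store;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Support\Facades\Gate;
use Illuminate\Validation\Rule;

class UpdateStorePriceRequest extends FormRequest
{
    public function authorize()
    {
        // Runs before rules(): fails closed with a 403 when the id does not
        // resolve to a store, or resolves to one the user does not own.
        $store = Store::find($this->input('id'));

        return $store !== null && Gate::allows('update-store', $store);
    }

    public function rules()
    {
        return [
            // The validation layer independently accepts only an id that
            // exists AND belongs to the current user, via a single query.
            'id' => [
                'required',
                'integer',
                Rule::exists('stores', 'id')->where('user_id', $this->user()->id),
            ],
            'price' => 'required|numeric|min:0',
        ];
    }
}

// Controller usage: Laravel resolves and runs the form request before the
// handler, so the body only executes for a store the user may change.
// public function updatePrice(UpdateStorePriceRequest $request)
// {
//     $store = Store::findOrFail($request->input('id'));
//     $store->price = $request->input('price');
//     $store->save();
//
//     return response()->json(['ok' => true]);
// }
```

The scoped `Rule::exists` is the main difference from the `in_array` snippet in the answer: it stays a single indexed query even for a user with thousands of stores, and it keeps the ownership rule in one place that both the gate and the validator express the same way.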
