Hello!

Suppose there is a page on which a list of users is displayed, and next to each user there is a button “add as friend” or “block”. It is logical to track which user the button was pressed for; this can be done by placing, together with the button, a hidden input field whose value equals the user's id in the database.

<form method="post">
    <input name="user_id" type="hidden" value="22">
    <input name="add_friend" type="submit" value="Добавить в друзья">
</form>

Actually, the following question torments me about this kind of implementation: in the debugger you can see all the hidden fields and their values, and nothing prevents the user from changing the hidden input's value from 22 to, say, 100, so that the server will actually receive user_id = 100 rather than the 22 next to which the button was pressed. It turns out that the user can thus add as a friend someone who did not even send him a request.

It is clear that there should be checks on whether the request was really sent, etc., but is it still possible to somehow avoid or prevent the substitution of values in the hidden field, or is there a better solution for implementing such a mechanism?

Thank you in advance for your response!

  • You cannot trust any data that comes from the client. In any case, you should do all (final) checks on the server. - Igor

1 answer

Hidden fields in HTML are not intended to store protected data. Their main purpose is to send additional attributes when the form is submitted, which are then checked on the server, so that they do not get in the user's way while filling out the form.

Thus, one cannot rely on the security of data under any circumstances if that data is stored on the client.

In your case it is in any event necessary to check on the server that the user being added as a friend has previously sent a request.

  • So it turns out the best option is just to check the incoming data on the server? - krown_loki
  • @krown_loki all the necessary checks should certainly be carried out on the server, but for the convenience of the user you can also implement additional checks on the client. - Sergey Shitikov
  • Thank you very much! - krown_loki
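The server-side check the answer describes, as an added example that is not part of the question or the answer: the handler takes the logged-in user from the session, treats the hidden user_id as untrusted input, and only adds the friend if the server's own records show a pending request from that user. The FriendStore class, the sample ids and the form dict are constructed for the example.

```python
# Added example (not from the question or answer above): a server-side
# handler for the "add as friend" form. The hidden user_id is untrusted and
# is honoured only if a pending request from that user to the logged-in
# user exists in the server's own records.
from dataclasses import dataclass, field


@dataclass
class FriendStore:
    # pending holds (sender_id, recipient_id) pairs recorded server-side
    pending: set = field(default_factory=set)
    friends: set = field(default_factory=set)


def parse_user_id(raw):
    """Return the submitted user_id as a positive int, or None if malformed."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value > 0 else None


def handle_add_friend(session_user_id, form, store):
    """Process the POSTed form. session_user_id comes from the server-side
    session, never from the form. Returns (status, message)."""
    target = parse_user_id(form.get("user_id"))
    if target is None:
        return "error", "invalid user_id"
    if target == session_user_id:
        return "error", "cannot add yourself"
    # The decisive check: did `target` really send a request to this user?
    if (target, session_user_id) not in store.pending:
        # A tampered or stale hidden field ends up here; worth logging.
        return "error", "no pending request from user %d" % target
    store.pending.discard((target, session_user_id))  # consume the request
    store.friends.add(frozenset((session_user_id, target)))
    return "ok", "user %d added as friend" % target


def demo():
    # Constructed state: user 22 sent a request to user 7; user 100 did not.
    store = FriendStore(pending={(22, 7)})
    legit = handle_add_friend(7, {"user_id": "22"}, store)
    tampered = handle_add_friend(7, {"user_id": "100"}, store)  # value edited in devtools
    return legit[0], tampered[0]


if __name__ == "__main__":
    print(demo())  # ('ok', 'error')
```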