Hi, I am creating a website which has user accounts. For each user account, the user can do stuff like update their personal details, write a blog etc. When the user wants to edit a blog, I have the following form (this is a simplified version).
<form action="goToThisPage.php" method="get">
<input type="hidden" name="blogID" value="4" />
<input type="text" name="blogTitle" value="" />
<textarea name="blogContent"></textarea>
<input type="submit" name="submit" value="Update Blog" />
</form>
Now the blogID as you can see is 4 for this user, so when they update the record, it'll update the blog table with ID 4. Now using Firebug or other spoofing techniques, the user could change this ID to something like 8, and update record 8, which could be someone else's entry.
How do I prevent this? I've thought of two methods so far, wondering what you think is the best idea (or suggest another).
- Encode the ID with a random string, then decode the string once submitted, retrieving the correct ID.
- Leave it as the numeric number and then check to make sure once updated, it's their record by a database query.
I obviously want to limit the database queries, and by encoding the ID I believe is the better option. What do you guys think?
Thanks in advance
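
An added example, not part of the original post: the second option from the list above, with the ownership test placed in the UPDATE's WHERE clause so that it needs no extra query. The table and column names, the `user_id` session key mentioned in the comment, and the sample rows are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Assumed schema (not shown on the page): blog(id, user_id, title, content).
// In-memory SQLite with constructed rows so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT, content TEXT)');
$db->exec("INSERT INTO blog VALUES (4, 1, 'Alice post', 'a'), (8, 2, 'Bob post', 'b')");

/**
 * Update a blog row only if it belongs to $ownerId.
 * $ownerId must come from the server-side session, never from the form.
 * The ownership test lives in the WHERE clause, so no separate SELECT is needed.
 */
function updateBlog(PDO $db, int $ownerId, int $blogId, string $title, string $content): bool
{
    $stmt = $db->prepare(
        'UPDATE blog SET title = :title, content = :content
          WHERE id = :id AND user_id = :owner'
    );
    $stmt->execute([':title' => $title, ':content' => $content, ':id' => $blogId, ':owner' => $ownerId]);
    // Zero rows affected: the row does not exist or is owned by someone else.
    return $stmt->rowCount() === 1;
}

// In a real handler the owner would be read from the session,
// e.g. (int) $_SESSION['user_id'] (hypothetical key), and the blog ID from the form.
$ownerId = 1; // constructed: the logged-in user

var_dump(updateBlog($db, $ownerId, 4, 'New title', 'New text')); // own row
var_dump(updateBlog($db, $ownerId, 8, 'Defaced', 'x'));          // someone else's row

// Title of row 8 after the tampered request.
echo $db->query('SELECT title FROM blog WHERE id = 8')->fetchColumn(), PHP_EOL;
```

On MySQL, `rowCount()` counts changed rows by default, so an update that submits identical values also reports 0 unless the connection is opened with `PDO::MYSQL_ATTR_FOUND_ROWS`.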