How to protect yourself from spoofing a post request?
Good afternoon.
A simple example: there are comments under a post, and each user can delete only his own comments. Deletion happens via an ajax request to the controller action; the request contains the ID of the comment and other data. How can you protect yourself from spoofing the comment ID in the request?
Thanks in advance.
6 answers
All data coming from the client should be validated on the server. This includes both validating the data itself and checking the user's rights to perform operations on that data.
On the server side, check that the comment belongs to the user that sent the request.
Check on the server: transmit the user ID and the ID of the comment; if they are linked in the database, then delete, otherwise return an error.
Why?! Just check the right of the current user (from the server session) to delete the comment with the given ID.
In the end, the best solution is not to pass any IDs in the clear, but to hash them.
The user ID is already available in Yii::$app->getUser()->getId();
Pass in the id of the comment and fetch the comment, adding the user id to the query condition; or fetch the comment from the database and compare the field holding the comment's user id with the id of the current user. If they differ, throw new ForbiddenHttpException();
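As an added illustration of the server-side ownership check the answers above describe (this is example code, not from the thread; it assumes a Yii2 ActiveRecord model `app\models\Comment` with `id` and `user_id` columns, and the controller and action names are made up), the following controller contrasts the pattern the thread warns against, where the owner id is read from the request body, with two variants that take the owner from the server-side session:

```php
<?php
// Added example, not from the original thread. Assumes a Yii2 ActiveRecord
// model app\models\Comment with columns `id` and `user_id`, and that the
// logged-in user is available via Yii::$app->user. Names are hypothetical.

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use app\models\Comment;

class CommentController extends Controller
{
    public function behaviors()
    {
        return [
            // Only authenticated users ('@') may reach the delete actions.
            'access' => [
                'class' => AccessControl::class,
                'only' => ['delete', 'delete-compare', 'delete-insecure'],
                'rules' => [
                    ['allow' => true, 'roles' => ['@']],
                ],
            ],
            // Deletion must be a POST; a GET to these URLs is rejected with 405.
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => [
                    'delete' => ['POST'],
                    'delete-compare' => ['POST'],
                    'delete-insecure' => ['POST'],
                ],
            ],
        ];
    }

    /**
     * INSECURE (the pattern discussed in the thread): the owner id comes from
     * the request body, so the client can submit any (comment id, user id)
     * pair that matches a row and delete another user's comment.
     */
    public function actionDeleteInsecure()
    {
        $request = Yii::$app->request;
        $comment = Comment::findOne([
            'id'      => $request->post('id'),
            'user_id' => $request->post('user_id'), // attacker-controlled value
        ]);
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found');
        }
        $comment->delete();
        return $this->asJson(['ok' => true]);
    }

    /**
     * SECURE, variant 1: the only client-supplied value is the comment id.
     * The owner comes from the session and is part of the query condition,
     * so a forged comment id simply matches no row.
     */
    public function actionDelete()
    {
        $comment = Comment::findOne([
            'id'      => (int) Yii::$app->request->post('id'),
            'user_id' => Yii::$app->user->id, // from the session, not the request
        ]);
        if ($comment === null) {
            // 404 for both "no such comment" and "not yours" avoids confirming
            // which comment ids exist to users who do not own them.
            throw new NotFoundHttpException('Comment not found');
        }
        $comment->delete();
        return $this->asJson(['ok' => true]);
    }

    /**
     * SECURE, variant 2: load by id, then compare the stored owner with the
     * current user and refuse with 403 on mismatch. Both sides are cast to
     * int because the identity id may be stored or returned as a string.
     */
    public function actionDeleteCompare()
    {
        $comment = Comment::findOne((int) Yii::$app->request->post('id'));
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found');
        }
        if ((int) $comment->user_id !== (int) Yii::$app->user->id) {
            throw new ForbiddenHttpException('Not your comment');
        }
        $comment->delete();
        return $this->asJson(['ok' => true]);
    }
}
```

Both secure variants are equivalent in effect; the query-condition form makes it harder to forget the check when the action grows. Yii's built-in CSRF validation for POST requests, which is on by default, addresses the separate problem of a request forged from another site and does not replace the ownership check shown here.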
You can also just, for example, change both the comment ID and the user ID, and that comment would then be deleted, because in fact the sent user ID and the author ID of the comment would match. - Palma_Schamberger commented on June 14th 19 at 18:30