How do you protect against a spoofed POST request?

Good afternoon.

A simple example: there are comments under a post, and each user can delete only their own comments. Deletion is an AJAX request to the controller action; the request contains the ID of the comment and other data. How can you protect against spoofing of the comment ID in the request?

Thanks in advance.
June 14th 19 at 18:21
6 answers
June 14th 19 at 18:23
All data coming from the client should be validated on the server. This includes both validating the data itself and checking the user's rights to perform operations on that data.
June 14th 19 at 18:25
On the server side, check that the comment belongs to the user who sent the request.
June 14th 19 at 18:27
To check on the server, transmit the user ID and the ID of the comment; if they are linked in the database, then delete, otherwise return an error.
Where can I read more?

But you could just as easily, say, spoof both the comment ID and the user ID, and then that comment would be deleted, because in fact the user ID and the comment author's ID would match. - Palma_Schamberger commented on June 14th 19 at 18:30
Why do you explicitly pass the user ID? The person below wrote about the session, for example. You do not have to pass the user ID in the AJAX request at all. - alden73 commented on June 14th 19 at 18:33
And can you give a link where I can read about it? I googled a bit but found nothing (probably because of my still poor skill at googling programmers' questions)) - Palma_Schamberger commented on June 14th 19 at 18:36
June 14th 19 at 18:29
Why?! Just check that the current user (from the server session) has the right to delete the comment with the given ID.
June 14th 19 at 18:31
In the end, the best solution is not to pass any extra data in the clear, but to hash it.
June 14th 19 at 18:33
The user ID is already available in Yii::$app->getUser()->getId();
Pass in the ID of the comment and fetch the comment, adding the user ID to the query condition; or fetch the comment from the database and compare the field holding the comment's author ID with the ID of the current user. If they differ, throw new ForbiddenHttpException();
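The approach from this answer as an added example (not code from the original thread); it assumes a Yii 2 ActiveRecord model `app\models\Comment` with an integer `user_id` column holding the author, and that the AJAX delete is sent as a POST:

```php
<?php
// Added example, not from the original thread. Assumes a Yii 2 ActiveRecord
// model app\models\Comment with an integer `user_id` column for the author.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\Response;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use app\models\Comment;

class CommentController extends Controller
{
    public function behaviors()
    {
        return [
            // Only authenticated users ('@') may call delete; guests get a 403.
            'access' => [
                'class' => AccessControl::class,
                'only' => ['delete'],
                'rules' => [['allow' => true, 'roles' => ['@']]],
            ],
            // Deletion must be a POST, so Yii's default CSRF token check applies.
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => ['delete' => ['POST']],
            ],
        ];
    }

    public function actionDelete()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;

        // The client supplies only the comment id. The user id is never read
        // from the request; it comes from the server-side session.
        $id = (int) Yii::$app->request->post('id');
        $userId = (int) Yii::$app->getUser()->getId();

        $comment = Comment::findOne($id);
        if ($comment === null) {
            throw new NotFoundHttpException('Comment not found.');
        }
        // Ownership check: the stored author must be the current user.
        if ((int) $comment->user_id !== $userId) {
            throw new ForbiddenHttpException('You may only delete your own comments.');
        }

        $comment->delete();
        return ['ok' => true];
    }
}
```

Fetching by id first and comparing afterwards lets the server answer 404 for a missing comment and 403 for someone else's; `Comment::findOne(['id' => $id, 'user_id' => $userId])` is the single-query variant the answer also mentions, which collapses both cases into "not found".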
