How to protect yourself from spoofing a post request?

Question

How to protect yourself from spoofing a post request?

Good afternoon.

A simple example: there are comments under the post, each user can delete only his comments. Deletion happens is an ajax request to the action controller, the request contains the ID of the comment and other data. How can you protect yourself from spoofing id of the comment in the query ?

Thanks in advance.

Palma_Schamberger asked June 14th 19 at 18:21

Related questions

More answers about "How to protect yourself from spoofing a post request?"

6 answers

Kenyatta answered on · Answer 1 · 2019-06-14T18:23:09.860Z

All data coming from client should be validated on the server. This includes as validation data itself and check user rights for operations with these data.

Violet_Wiso answered on · Answer 2 · 2019-06-14T18:25:09.860Z

on the server side check that the comment belongs to the user that sent the request.

alden73 answered on · Answer 3 · 2019-06-14T18:27:09.860Z

alden73 answered on June 14th 19 at 18:27

To check the server, transmit the user ID and the ID of the comment if they are connected to the database, then delete, otherwise error.

You can read more?

You can also just verbage suppose to change ID and user ID of the comment, and then deleted that comment because in fact the steam ID and the author ID of the comment to be correct. - Palma_Schamberger commented on June 14th 19 at 18:30

why do you explicitly pass the user ID? The person below wrote about the session for example. Do not have to pass the user ID in the AJAX request to run the trace. - alden73 commented on June 14th 19 at 18:33

and you can link where you can read about it? something googled, but not found( probably to the best of my still poor skills Google programmers ' questions)) - Palma_Schamberger commented on June 14th 19 at 18:36

Kyleigh_Hills answered on · Answer 4 · 2019-06-14T18:29:09.860Z

Why?! Just check out right delete the current user (server session) of the review with the given ID .

Palma_Schamberger answered on · Answer 5 · 2019-06-14T18:31:09.860Z

In the end, the best solution is not to peredavat no overhead in the clear, and hashed them.

Jack answered on · Answer 6 · 2019-06-14T18:33:09.860Z

The user ID is already in the Yii::$app->getUser()->getId();
Pass in the id of the comment and get the comment, putting the sample id of the user or, drag the comment from the database and compare the field responsible for the user id of the comment id of the current user. If different - throw new ForbiddenHttpException();