Hidden Inputs

I have a form that I upload to a database that contains IDs that can’t be edited, but if I put them in a hidden input they can be if someone uses inspect element. I’m trying to prevent this from happening. I tried using a URL query to avoid the hidden input, but doing this the query returns null. Is there maybe a way to dynamically set a max and min value to the IDs to stop them being edited, or am I going about this wrong altogether?

Most likely.

Whatever you render and send from the client side is exposed, no matter if it’s hidden from visibility or not.
You need to set up access control on the server action to filter out any bad actors.
For example: if someone is editing their own profile, based on security restrict id, you can identify which user’s data needs to be updated. You don’t even have to send that ID on client side, nor send it back via form.

In case someone is editing, say, a product from a list of products, and they try to mess with the data by changing the hidden ID field, it’s your responsibility on SA to first check whether or not the logged-in user has rights to that particular product ID.
E.g.: I can see products 1, 2, 4, 5. If I am editing product 2 and change the hidden ID field to 5, it’s my fault… as user that product 5 has wrong data.
But, if I change hidden ID field to 7, SA should return 403 (forbidden) and not run the update query at all.

Using hidden fields is not wrong at all. It’s your server side that needs to be robust to filter out unauthorized attempts.
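The checks described in the answer above, sketched as an added example that is not part of the original thread. The function names, the session shape (`session.userId`) and the in-memory maps standing in for the database are assumptions made for illustration.

```javascript
// Constructed sample data: user 10 may edit products 1, 2, 4, 5; product 7 belongs to user 20.
const products = new Map([
  [1, { ownerId: 10, name: "Kettle" }],
  [2, { ownerId: 10, name: "Toaster" }],
  [4, { ownerId: 10, name: "Blender" }],
  [5, { ownerId: 10, name: "Mixer" }],
  [7, { ownerId: 20, name: "Grill" }],
]);
const profiles = new Map([
  [10, { displayName: "Ann" }],
  [20, { displayName: "Bob" }],
]);

// Parse an ID from untrusted form input; accept only plain positive integers.
function parseId(raw) {
  return /^[1-9]\d{0,9}$/.test(String(raw)) ? Number(raw) : null;
}

// Profile edit: the target row comes from the server-side session, so any
// user ID posted in the form (hidden or not) is simply ignored.
function updateProfile(session, form) {
  if (!session || !profiles.has(session.userId)) return { status: 401 };
  profiles.get(session.userId).displayName = String(form.displayName);
  return { status: 200 };
}

// Product edit: the hidden ID is needed to pick the row, so it is checked
// against the logged-in user's rights before any update runs.
function updateProduct(session, form) {
  if (!session || !profiles.has(session.userId)) return { status: 401 };
  const id = parseId(form.productId);
  if (id === null) return { status: 400 };
  const product = products.get(id);
  // Same 403 for "not yours" and "does not exist", so IDs cannot be probed.
  if (!product || product.ownerId !== session.userId) return { status: 403 };
  product.name = String(form.name);
  return { status: 200 };
}
```
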

Thanks for the info, that makes a lot of sense.