I'm printing an ID from the database in order to build a SQL statement (an INNER JOIN) with that ID. The problem is that the "user" can change it from the debugging tool and easily "crack" the site.
Check it out:
<select name="brand" id="brand">
<?php
# Print brand names; the id attribute is needed because the jQuery below selects on #brand.
# Escape both attribute and text so brand data from the database cannot inject markup.
foreach ($brandsql as $brand) {
    print '<option value="' . htmlspecialchars((string) $brand['brand_id'], ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($brand['brand_name'], ENT_QUOTES, 'UTF-8') . '</option>';
}
?>
</select>
So... My question is: is there a way to do this without printing the ID to the HTML? Note that I'm getting the ID value with JavaScript:
$('#brand').change(function (e) {
    // Send the selected brand_id to q.php and render the returned JSON.
    $.getJSON("q.php", { type: 1, brand: this.value })
        .done(function (data) {
            // I print the results to the user.
        });
});
Is there a better way to do this?
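The brand_id in the option value is part of the page's interface, so it cannot be kept from the client; what protects the site is how q.php treats the value when it comes back. The handler below is an added example, not code from the original post: it assumes a PDO connection and tables named brands and products with the columns shown, and it validates the parameters as integers and binds them in a prepared statement so a tampered value can only change which brand is selected, not the shape of the query.

```php
<?php
// Added example of a hardened q.php (not from the original post).
// Assumptions: PDO is available, and the schema has a brands table
// (brand_id) and a products table (product_id, product_name, brand_id, type).
declare(strict_types=1);

header('Content-Type: application/json');

// 1. Validate: accept only positive integers, never the raw query string.
$brandId = filter_input(INPUT_GET, 'brand', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$type    = filter_input(INPUT_GET, 'type',  FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

if (!is_int($brandId) || !is_int($type)) {
    // Tampered or missing values: reject instead of guessing.
    http_response_code(400);
    echo json_encode(['error' => 'invalid parameters']);
    exit;
}

// 2. Connect (placeholder DSN and credentials; replace with your own).
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // use real server-side prepared statements
]);

// 3. Parameterise: the values are bound, never concatenated into the SQL.
//    A user who edits the option value in the debugger can still only ask
//    for a different brand_id; they cannot alter the statement itself.
$stmt = $pdo->prepare(
    'SELECT p.product_id, p.product_name
       FROM products p
       INNER JOIN brands b ON b.brand_id = p.brand_id
      WHERE b.brand_id = :brand AND p.type = :type'
);
$stmt->bindValue(':brand', $brandId, PDO::PARAM_INT);
$stmt->bindValue(':type', $type, PDO::PARAM_INT);
$stmt->execute();

// 4. If some brands must not be visible to this user, check that here,
//    server side, rather than by trying to hide the ID in the markup.
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC), JSON_THROW_ON_ERROR);
```

If the query in q.php is written this way, the ID printed into the select is no longer a secret worth hiding; it is just a parameter the server has decided how to handle.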