Is it a good idea/good practice to use a PHP session variable to protect against users editing hidden/input field values? For instance, let's say I have the following fields:
<input type="hidden" object_id="1" />
<input type="text" object_id="2" />
etc...
I need to have the object_id on the front end so I can tell which database entries need to be manipulated when the user submits (providing they are authorized to act on the data). The $_SESSION variable would look something like [obj_id = 1, obj_id = 2]. Part of the authorization process makes sure that all of the entries the user is trying to act upon are present in the session. If there is some discrepancy (e.g. an element with object_id="3") the user is not authorized.
Are there solutions that are more widely accepted or does something similar to this usually suffice?
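The check described in the question, written out as an added example (not code from the original post). The helper names, the `allowed_ids` session key and the `edit_objects` form name are hypothetical, and the IDs recorded at render time are assumed to be ones the user was already authorized for.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: call while rendering the form to record, server-side,
// exactly which object IDs were sent to this user's browser.
function remember_rendered_ids(array &$session, string $form, array $ids): void
{
    $session['allowed_ids'][$form] = array_values(array_unique(array_map('intval', $ids)));
}

// Hypothetical helper: returns the validated IDs, or null if any submitted
// value is malformed or was never rendered for this form (whole request fails).
function authorize_submitted_ids(array $session, string $form, array $submitted): ?array
{
    $allowed = $session['allowed_ids'][$form] ?? [];
    $clean = [];
    foreach ($submitted as $raw) {
        // Accept only ints or plain decimal strings; "3abc", "1.0", "" and
        // nested arrays are rejected instead of being silently cast.
        if (is_int($raw)) {
            $id = $raw;
        } elseif (is_string($raw) && ctype_digit($raw)) {
            $id = (int) $raw;
        } else {
            return null;
        }
        // Strict comparison against the server-side list; one discrepancy
        // (e.g. object_id 3) rejects the entire submission.
        if (!in_array($id, $allowed, true)) {
            return null;
        }
        $clean[] = $id;
    }
    // An empty submission authorizes nothing.
    return $clean === [] ? null : array_values(array_unique($clean));
}

// Constructed demo data; in an application pass $_SESSION and the posted IDs.
$session = [];
remember_rendered_ids($session, 'edit_objects', [1, 2]);

var_dump(authorize_submitted_ids($session, 'edit_objects', ['1', '2']));   // IDs as rendered
var_dump(authorize_submitted_ids($session, 'edit_objects', ['1', '3']));   // tampered ID
var_dump(authorize_submitted_ids($session, 'edit_objects', ['2', '1abc'])); // malformed value
```

Keying the list by form keeps IDs rendered on one page from authorizing a submission to a different handler.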