dqwnxdhb88531 2012-06-22 14:03

Prevent users from editing checkbox values with FireBug and similar tools?

I have an admin page that lists a bunch of records and each record has a checkbox next to it to set it to an "active" status. Each checkbox has a value on it that is tied to the ID of the record in the database. If somebody used FireBug they could easily change the checkbox's value to a different number, thus affecting the wrong record in the database.

I'm not extremely worried about this happening because it's just an admin page that will have just one user and I'm sure he doesn't know anything about FireBug, but I was just curious in case I run into this problem in the future on a more public-facing page.

Here's the code I currently have just so you can get an idea of what I'm doing.

The HTML + PHP:

<input type="checkbox" class="active" name="active<?php echo $id; ?>" id="active<?php echo $id; ?>" <?php if ($active == 1): ?>checked="checked"<?php endif; ?> value="<?php echo $id; ?>">

jQuery ajax:

$("input.active").click(function() {
    // the loader image sits two elements before the checkbox
    var loader = $(this).prev().prev();
    loader.css("visibility", "visible");

    // store the values from the form checkbox, then send via ajax below
    var check_active = $(this).is(':checked') ? 1 : 0;
    var check_id = $(this).attr('value');

    console.log(check_active);
    console.log(check_id);

    $.ajax({
        type: "POST",
        url: "active.php",
        data: {id: check_id, active: check_active},
        success: function() {
            loader.css("visibility", "hidden");
        }
    });
    return true;
});

Here is active.php:

<?php

include("dbinfo.php");
mysql_connect($server, $username, $password);
@mysql_select_db($database) or die("Unable to select database");

// both values come straight from the POST body; escaping prevents SQL
// injection but does not check that this id is one the user may change
$active = mysql_real_escape_string($_POST['active']);
$id = mysql_real_escape_string($_POST['id']);

$addEntry = "UPDATE entries SET active = '$active' WHERE id = '$id'";
mysql_query($addEntry) or die(mysql_error());

mysql_close();
?>

2 answers

  • drb0901500211 2012-06-22 14:04

    You should be setting a $_SESSION value with their account information in it so if they try to access an account that isn't theirs you can catch it and flag it appropriately. Just the ID number of their account probably would be sufficient. You definitely should not be putting this in hidden fields or anywhere where the user can change it.

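As an added example (not the asker's or the answerer's code), here is how active.php could enforce the session check the answer describes: the record ID sent by the checkbox is only used to pick among rows that the logged-in account owns, so a tampered value matches nothing. It assumes a `$_SESSION['user_id']` set at login, an `owner_id` column on `entries`, and the same `$server`/`$database`/`$username`/`$password` variables from dbinfo.php; all of these are assumptions, not from the original page.

```php
<?php
// Added example (not from the original post): active.php that trusts the
// session, not the checkbox value, to decide which rows may be changed.
// Assumptions: login stored $_SESSION['user_id']; the entries table has an
// owner_id column; dbinfo.php defines $server, $database, $username, $password.
session_start();
include("dbinfo.php");

// Not logged in: refuse before touching the database.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit("not logged in");
}

// Validate the shape of the input: anything that is not a positive integer
// ID or a 0/1 flag is rejected outright instead of merely escaped.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$active = filter_input(INPUT_POST, 'active', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 1]]);
if ($id === false || $id === null || $active === false || $active === null) {
    http_response_code(400);
    exit("bad input");
}

$pdo = new PDO("mysql:host=$server;dbname=$database;charset=utf8mb4",
    $username, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // report matched rows, not changed rows, so an unchanged flag
        // is not confused with a row the user does not own
        PDO::MYSQL_ATTR_FOUND_ROWS => true,
    ]);

// The ownership condition is the real control: a forged id that belongs
// to another account matches zero rows, so nothing is updated.
$stmt = $pdo->prepare(
    "UPDATE entries SET active = :active WHERE id = :id AND owner_id = :owner");
$stmt->execute([
    ':active' => $active,
    ':id'     => $id,
    ':owner'  => $_SESSION['user_id'],
]);

if ($stmt->rowCount() === 0) {
    // No row is both this id and this user's: either it does not exist or
    // the id was tampered with. Log it; this is the signal worth watching.
    error_log("active.php: refused id=$id for user=" . $_SESSION['user_id']);
    http_response_code(404);
    exit("no such record");
}
echo "ok";
```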
