repulsor's avatar

Updating other user profile from Admin Panel

Guys,

I am wondering what is the right way of doing this.

I have an admin panel, and a page to edit the user profile of others and update them.

Currently the url is in the form

http://localhost/crm/public/admin/editstaff/3

Where 3 is the userid.

Obviously, while updating, user_id will be the only thing that will remain constant, as the admin can change any other data. And I also need the user_id to check if the email is unique, ignoring just the current user_id.

I am POSTing user_id as a hidden field. I am sure this is subject to SQL injection, or can crash the app or cause data issues if the user messes with the hidden field.

What is the right way of doing this?

Note: I am not trying to edit my user page. I am the Admin, and I am trying to edit other's profile.

P.S : Struggling to find a field to compare and verify I am updating the right user.

0 likes
4 replies
jlrdw's avatar

Passing data like that should work, and if updating using eloquent proper bindings are taken care of, thus no sql injection.

Quote from docs:

The Laravel query builder uses PDO parameter binding to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

https://laravel.com/docs/5.8/queries

NEVER send password in a query string. I.e., always use POST for updating sensitive data.

repulsor's avatar

@JLRDW - How do I know which user I am going to update? Because all fields change on update, and user_id can be changed by editing the inputs (hidden field or POST URL).

How to compare or make sure I am updating the correct user?

jlrdw's avatar

The user id should remain the same, only other fields edited, like address, phone, etc.

mstrauss's avatar

How about using Laravel's Route/Model Binding? (see docs on the subject here).

That way when you hit the update method on the associated controller the user_id in the URL will assure that the User model with an id of 3 is updated.

So (explicit route):

RouteServiceProvider

public function boot()
{
    parent::boot();

    // Explicit binding: the {user} route parameter resolves to an App\User.
    // Fully qualified with a leading backslash, because this file lives in
    // the App\Providers namespace.
    Route::model('user', \App\User::class);
}

Then in your routes file, something like:

Route::post('admin/editstaff/{user}', 'StaffController@update');

Warning about hidden fields: The end-user controls everything on the client-side. So hidden fields can be tampered with and potentially cause issues with ACLs or other items, if there are no server-side checks in place. That being said, it wouldn't be too hard for an end-user to change the URI either, by changing the final 3 to a 4 or something like that. ID obfuscation is one way of being more security conscious about such things. I guess my point is that you want to limit the opportunities for malicious end-users to manipulate and send back bad data to your server. But, assume they will, and be sure to handle all possible situations in your server-side code.
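As an added example (not code from the thread, from mstrauss, or from the Laravel project), here is what the update action looks like once the target user comes from the URL via route-model binding rather than from a hidden field. It also answers the original question about the unique-email check: the id to ignore is taken from the bound model, never from user input. It assumes Laravel 5.8, an App\User model, a users table with an email column, the route Route::post('admin/editstaff/{user}', 'StaffController@update') from the thread, and a hypothetical admin middleware and route name admin.editstaff.

```php
<?php
// Added example, not from the thread. Assumptions: Laravel 5.8, App\User model,
// a 'users' table with an 'email' column, an 'admin' middleware that gates the
// admin panel, and a named route 'admin.editstaff'.

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class StaffController extends Controller
{
    public function __construct()
    {
        // Hypothetical middleware: only admins may reach these actions.
        // This is the server-side check that matters if someone edits the
        // URL from /editstaff/3 to /editstaff/4.
        $this->middleware('admin');
    }

    public function update(Request $request, User $user)
    {
        // $user is resolved from the {user} URL segment by route-model binding
        // (Laravel returns 404 if no such id exists). A user_id posted in the
        // form body is never read, so tampering with a hidden field cannot
        // retarget the update.
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => [
                'required', 'email',
                // Unique across all users, except the row being edited.
                // The ignored id comes from the bound model, not from input.
                Rule::unique('users', 'email')->ignore($user->id),
            ],
            'phone'   => ['nullable', 'string', 'max:32'],
            'address' => ['nullable', 'string', 'max:255'],
        ]);

        // Only validated fields are assigned; 'id' is not among them, so the
        // primary key cannot change. Eloquent parameterises the bindings, so
        // the values themselves are not an SQL injection vector.
        $user->fill($data)->save();

        return redirect()
            ->route('admin.editstaff', ['user' => $user->id])
            ->with('status', 'Profile updated.');
    }
}
```

The hidden user_id field can simply be dropped from the form: the URL already identifies the row, and the validation rule and the save both key off $user->id, so there is nothing left for a client to compare or tamper with.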
