Radoo Radoo - 9 months ago 55
PHP Question

How to safely delete a list entity using CodeIgniter

I'm building a todo list in CodeIgniter.

I get all the lists created by the current logged in user this way.

$current_user = $this->session->userdata('email');
$this->db->where($st, NULL, FALSE);
$q = $this->db->get();

foreach ($q->result() as $key => $row) {
echo "<li>" . $row->listTitle;

Below I have this delete button:

<a class="delete_button" onclick="return confirm('Delete list?');" href="<?php echo site_url('lists/list_delete');?>" ><i class="icon-cancel"></i></a>

My question is, how to allow the user to delete only the lists created by him if I add
id="<? $row->id;?>
, I can inspect the code in browser and change the id to another value and delete a list from someone else.

What is the best method to secure that?

Answer Source

You can't stop users from manipulating client-side forms. You need to do the verification on the server-side. For example, in your Lists controller.

First, let's add the ID of the list to the URL, so the link would be:

<a class="delete_button" onclick="return confirm('Delete list?');" href="<?php echo site_url("lists/list_delete/{$row->id}");?>" ><i class="icon-cancel"></i></a>  

In the controller:

class Lists extends CI_Controller {

    public function list_delete($list_id) {
        // 1. Check if the list found by $list_id belongs to the logged-in user
        // 2. If it is, delete the list
        // 3. If it's not, throw an exception, or redirect back with an error