
hari krishnan (Courses Plus Student, 33 Points)

How to update user's data?

For instance, think about one of my clients selling different products on my website (amazon.com). He/she needs to update the price of one of her products; how do I do it??? If I provided her the Unique_Id of that product in a hidden field, he/she can inspect and change that Id to some random number, which might match another product that might not belong to her. Experts, tips please.

2 Answers

Steven Parker (229,644 Points)

Generally users would not be allowed direct access to the entire database.

As you point out, the risk of an entry error causing a change to the wrong item is too high. You would provide a program that would implement some form of user or role-based security to limit which items the user has access to. It would typically display just the items and fields the user can change on a form, or allow them to look them up using user-friendly terms like product name, and not show internal values like IDs at all.

Steven Parker (229,644 Points)

I'll restate my first suggestion to fit your scenario better: When the user logs in, I would show a form that had columns for product name, detail, and price. The price would be shown in an input box the user can change. The unique_id would not be shown to the user, it would be a hidden field of the form. The user can adjust the prices as he likes and then press a "submit" button on the form. The data would then be sent back to the server and the updates would be made.

Since the user never sees anything but his own products, and also never has the opportunity to change the unique_id, there is no risk of altering the price of the wrong item.

hari krishnan (Courses Plus Student, 33 Points)

Hi Steven Parker, I strongly disagree with your opinion "never has the opportunity to change the unique_id". Hidden fields are always editable with inspect element, and the hidden value can easily be changed when submitting a form.

Steven Parker (229,644 Points)

Yes, of course, but I thought you were just asking about how to protect against accidental error. What you are talking about now would only be a result of deliberate tampering.

And to prevent that, the server-side code would ignore any product IDs that did not belong to the logged-in user before performing the database update. For the exact reason you mention, server-side validation should always be performed on form data.
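The server-side check Steven describes, as an added example that is not code from this thread: the seller's identity comes from the server-side session, never from the form, and the ownership condition is part of the UPDATE itself, so a tampered hidden-field ID that belongs to someone else matches zero rows. It assumes a `products` table with an `owner_id` column and uses constructed sample data in an in-memory SQLite database; the unchecked version is shown alongside for contrast.

```python
import sqlite3

# Constructed sample catalogue: two sellers, each owning a few products.
SAMPLE_PRODUCTS = [
    ("SP-1", "steven", "Robot type 1", 100.0),
    ("SP-2", "steven", "Robot type 2", 200.0),
    ("SP-3", "steven", "Robot type 3", 300.0),
    ("HK-1", "hari", "Widget", 50.0),
]


def setup_db():
    """Create an in-memory SQLite table holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id TEXT PRIMARY KEY, owner_id TEXT NOT NULL, "
        "name TEXT NOT NULL, price REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def get_price(conn, product_id):
    row = conn.execute("SELECT price FROM products WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None


def update_price_unchecked(conn, submitted_id, new_price):
    """Vulnerable form: trusts the hidden product id from the form as-is,
    so any id the browser sends gets updated, whoever owns it."""
    conn.execute("UPDATE products SET price = ? WHERE id = ?", (new_price, submitted_id))
    conn.commit()
    return True


def update_price_checked(conn, session_user_id, submitted_id, new_price):
    """Hardened form: owner taken from the server-side session, and the
    ownership test is inside the UPDATE, so a foreign or unknown id changes
    nothing. Returns True only when exactly one owned row was updated."""
    cur = conn.execute(
        "UPDATE products SET price = ? WHERE id = ? AND owner_id = ?",
        (new_price, submitted_id, session_user_id),
    )
    conn.commit()
    return cur.rowcount == 1


def update_prices_checked(conn, session_user_id, submitted_rows):
    """Batch version for a form with one price input per product: rows whose
    id is not owned by the logged-in user are skipped and their ids returned."""
    return [pid for pid, price in submitted_rows
            if not update_price_checked(conn, session_user_id, pid, price)]
```

`update_prices_checked` returns the rejected ids so the handler can log them; a non-empty list on a form that only ever listed the user's own products is a tampering signal worth alerting on.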

hari krishnan (Courses Plus Student, 33 Points)

First of all, I appreciate your response. Your heading stood as universal truth. Let's say Steven Parker is one of my clients who sells "3 different types of robots" on my website, and I'm providing permission to Steven to modify or change his products alone by setting the Unique_Id of Steven's 3 types of robots to Unique_Id=SP-encrypt1 (1st type of robot), Unique_Id=SP-encrypt2 (2nd type of robot), Unique_Id=SP-encrypt3 (3rd type of robot). Here SP represents Steven Parker, and I'm providing the unique_Id along with the product's name and detail. Now, Steven wants to change the price of his 1st type of robot; he inspects and changes the unique_Id of his first product to the second product's unique_id and clicks save. Certainly the second product's price will be changed instead of the first one. How to overcome this pitfall?

Steven Parker (229,644 Points)

See the comment I added to my answer.