Ruby

Kevin Korte
28,109 Points

Storing stripe ids in html. Is it safe?

Been looking for an answer and I'm not sure yet. My question is, is it safe to store things like card ids in the html. Let me explain.

In an application I'm playing with, there is a section where a user on their account settings page can add and remove cards from their account, while also making a different card the primary card. It all works.

Except I'm not storing any of their card info on my servers. I rely on making API calls to Stripe to fetch the data (I am storing their Stripe customer id in my database though). So when a user takes an action with a card, the button submits a form element with a single hidden field, the card id, something that looks like this => card_163to8ECdSEsYuLSHQ5FjhtR

And then in my controller, I get that value, and carry on my way. It works fine.

But can someone use that card id to do something malicious? Should I refactor and store card ids in my database and reference the unique table id of the card id in the html instead?

You can definitely safely use/display the ids returned by Stripe's API. You will want to be careful any time you pass user input to the API.
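
The caution about user input in the answer above, as an added example that is not part of the original thread: a hidden field can be edited by the user before the form is submitted, so the controller should confirm that the submitted card id belongs to the customer id stored for the logged-in user before acting on it. `FakeGateway`, `authorize_card!`, `card_action_allowed?`, the id pattern, and all ids below are hypothetical and constructed for illustration; in the real app the lookup would be the call to Stripe.

```ruby
# Added example, not the poster's controller code. FakeGateway is a hypothetical
# in-memory stand-in for the Stripe lookups the real application would make.
class CardNotOwned < StandardError; end

class FakeGateway
  # Constructed sample data: customer id => card ids attached to that customer.
  CARDS = {
    "cus_TEST_alice" => %w[card_TESTaaaa1111 card_TESTaaaa2222],
    "cus_TEST_bob"   => %w[card_TESTbbbb1111]
  }.freeze

  def card_ids_for(customer_id)
    CARDS.fetch(customer_id, [])
  end
end

# Shape check only. The pattern is an assumption based on the "card_..." id
# shown in the question, not a documented format.
CARD_ID_FORMAT = /\Acard_[A-Za-z0-9]+\z/

# customer_id comes from the server-side record of the logged-in user.
# submitted_card_id comes from the hidden form field and is untrusted.
def authorize_card!(gateway, customer_id, submitted_card_id)
  id = submitted_card_id.to_s
  raise CardNotOwned, "malformed card id" unless id.match?(CARD_ID_FORMAT)

  # Ownership check: the id must be one of the cards attached to this
  # customer, otherwise the request is acting on someone else's card.
  unless gateway.card_ids_for(customer_id).include?(id)
    raise CardNotOwned, "card does not belong to this customer"
  end

  id
end

# Boolean wrapper a controller could use to decide whether to proceed.
def card_action_allowed?(gateway, customer_id, submitted_card_id)
  authorize_card!(gateway, customer_id, submitted_card_id)
  true
rescue CardNotOwned
  false
end
```

The same check applies if the page is refactored to send a database row id instead of the card id: the row still has to be looked up through the current user's records, not by id alone.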