Ruby

Kevin Korte
28,148 Points

Storing stripe ids in html. Is it safe?

Been looking for an answer and I'm not sure yet. My question is: is it safe to store things like card ids in the html? Let me explain.

An application I'm playing with has a section where a user, on their account settings page, can add and remove cards from their account, while also making a different card the primary card. It all works.

Except I'm not storing any of their card info on my servers. I rely on making API calls to Stripe to fetch the data (I am storing their Stripe customer id in my database though). So when a user takes an action with a card, the button submits a form element with a single hidden field, the card id, something that looks like this => card_163to8ECdSEsYuLSHQ5FjhtR

And then in my controller, I get that value, and carry on my way. It works fine.

But can someone use that card id to do something malicious? Should I refactor and store card ids in my database and reference the unique table id of the card id in the html instead?

You can definitely safely use/display the ids returned by Stripe's API. You will want to be careful any time you pass user input to the API.
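An added example, not part of the original thread and not Stripe's code, of treating the hidden card id as untrusted input before the controller uses it: check its type and shape, then confirm it is one of the cards on the logged-in user's own Stripe customer. `CardIdGuard`, `fetch_card_ids`, the id format regex and the `cus_sample...` ids are assumptions made for illustration; `fetch_card_ids` stands in for whatever call lists the customer's cards.

```ruby
# Added example: validate a submitted card id server-side before acting on it.
# CardIdGuard and fetch_card_ids are hypothetical names; in a real app the
# callable would ask Stripe for the cards attached to the given customer.
class CardIdGuard
  class Rejected < StandardError; end

  # Assumed id shape, based on the sample on the page: "card_" + alphanumerics.
  # \A and \z anchor the whole string; ^ and $ would only anchor a single line.
  CARD_ID_FORMAT = /\Acard_[A-Za-z0-9]{8,64}\z/

  def initialize(fetch_card_ids)
    @fetch_card_ids = fetch_card_ids
  end

  # Returns the validated id or raises Rejected.
  # customer_id must come from the server-side record of the logged-in user,
  # never from the submitted form.
  def authorize!(customer_id, submitted)
    # Form params can arrive as arrays or hashes, not only strings.
    raise Rejected, "card id must be a string" unless submitted.is_a?(String)
    raise Rejected, "malformed card id" unless CARD_ID_FORMAT.match?(submitted)

    owned = @fetch_card_ids.call(customer_id)
    unless owned.include?(submitted)
      raise Rejected, "card does not belong to this customer"
    end
    submitted
  end
end

# Constructed sample data standing in for the card lists Stripe would return.
SAMPLE_CARDS = {
  "cus_sampleAAAA" => ["card_163to8ECdSEsYuLSHQ5FjhtR"],
  "cus_sampleBBBB" => ["card_0000constructedSample01"]
}.freeze

GUARD = CardIdGuard.new(->(customer_id) { SAMPLE_CARDS.fetch(customer_id, []) })

# Helper for the demonstration: returns the id, or a "rejected: ..." string.
def try_card(customer_id, submitted)
  GUARD.authorize!(customer_id, submitted)
rescue CardIdGuard::Rejected => e
  "rejected: #{e.message}"
end
```

With a check like this in place, the id in the HTML only selects among cards the user already owns; swapping in another customer's id is rejected before any API call is made with it.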