I asked an unanswered question the other day. It made me think that perhaps I am asking the wrong question, so I’ll try a different tack.
What is the standard practice in Yii to protect from users manipulating data that they shouldn’t. E.G. If there is a page where members can edit their profile, then the view for accomplishing this needs to know on post back which data to edit, and also it needs to know not to allow that post back to edit another persons profile.
I can think of several solutions to this problem.
Always check that the authenticated user is the owner of the table row that that is being manipulated.
Encrypt any primary keys that are needed for the update, so that they can’t be edited.
Update everything using table joins to the user table so that primary keys do not need to round trip to the user.
Which of these is considered best practice. Is there something else I am missing?
Thanks for any help