Is it safe if users can see the post ID in a news feed?

I am creating a news feed on my website. I want to capture likes and comments on a particular post. My basic implementation is: I provide the post id as the ID of the 'like' button, which calls a method to add an entry in the post_like mapping table.

But the method/webservice and the ID of the post will be visible to the end user in the source code, which may lead to phishing attacks etc. How can I secure such data so that a user cannot access any other post?

If you want to avoid link forgery to control access to other posts, you need some type of hash, not an ID. Some solutions could be:

  • use the same trick calling cards and other serialized cards do: the card number is the concatenation of an id with a fixed number of digits and a randomly generated password which also has a fixed number of digits.

  • create a method to generate a unique hash and store it as a field in the same table as the posts, then use this as a reference instead of the id.

If your IDs aren't guessable (i.e., if they are randomly assigned from a large enough number space that only a tiny fraction of that number space is valid IDs at any given time) you should be fine. Sequential IDs can of course easily be guessed simply by observing one.

Using random (i.e. 'Version 4') UUIDs should suffice. (And equivalently, any random value with at least 122 bits of entropy will, too.)

You might want to also look into the related topic of cross site request forgery prevention.
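The following is an added example (not code from either answerer) of the two reference schemes proposed above: the calling-card style reference from the first answer (fixed-width id followed by a fixed-width random secret, stored in the posts table) and the version-4 UUID from the second. The table layout, field widths and function names are assumptions for illustration. The id part of the reference is used for the indexed lookup; the secret part is compared in constant time.

```python
import hmac
import math
import secrets
import sqlite3
import uuid

# Fixed field widths, as on a calling card: a short public id and a longer random part.
# (Assumed values for the example.)
ID_DIGITS = 8
SECRET_DIGITS = 16


def secret_bits(digits: int) -> float:
    """Entropy in bits of a uniformly random decimal string of the given width."""
    return digits * math.log2(10)


def digits_for_bits(bits: int) -> int:
    """Smallest decimal width that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(10))


def new_secret(digits: int = SECRET_DIGITS) -> str:
    """CSPRNG-generated, zero-padded decimal secret of fixed width (never random.random())."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def make_reference(post_id: int, secret: str) -> str:
    """Calling-card style reference: fixed-width id followed by the fixed-width secret."""
    if post_id < 0 or post_id >= 10 ** ID_DIGITS:
        raise ValueError("post id does not fit the fixed-width field")
    if len(secret) != SECRET_DIGITS or not secret.isdigit():
        raise ValueError("secret has the wrong width")
    return f"{post_id:0{ID_DIGITS}d}{secret}"


def split_reference(ref: str) -> tuple[int, str]:
    """Inverse of make_reference; rejects anything of the wrong shape."""
    if len(ref) != ID_DIGITS + SECRET_DIGITS or not ref.isdigit():
        raise ValueError("malformed reference")
    return int(ref[:ID_DIGITS]), ref[ID_DIGITS:]


def uuid_reference() -> str:
    """Alternative from the second answer: a version-4 UUID (122 random bits) as the whole reference."""
    return str(uuid.uuid4())


def is_random_uuid(ref: str) -> bool:
    """True only for a well-formed version-4 UUID string."""
    try:
        return uuid.UUID(ref).version == 4
    except ValueError:
        return False


def open_db() -> sqlite3.Connection:
    """In-memory posts table (assumed schema); the secret lives next to the post it protects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, secret TEXT NOT NULL, body TEXT NOT NULL)")
    return db


def create_post(db: sqlite3.Connection, body: str) -> str:
    """Insert a post and return the public reference to embed in the page instead of the raw id."""
    secret = new_secret()
    cur = db.execute("INSERT INTO posts (secret, body) VALUES (?, ?)", (secret, body))
    return make_reference(cur.lastrowid, secret)


def resolve_reference(db: sqlite3.Connection, ref: str):
    """Map a client-supplied reference back to a post id, or None if it does not check out.

    The id part drives the indexed SELECT; the secret part is compared with
    hmac.compare_digest so the response time does not leak how many digits matched.
    """
    try:
        post_id, secret = split_reference(ref)
    except ValueError:
        return None
    row = db.execute("SELECT id, secret FROM posts WHERE id = ?", (post_id,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], secret):
        return None
    return row[0]
```

One caveat the two answers leave implicit: 16 random decimal digits are only about 53 bits of entropy, well short of the 122 bits a random UUID carries; `digits_for_bits(122)` shows the card-style secret would need 37 digits to match it. Either way the reference only makes posts hard to find, so the server must still decide per request whether the session user may act on the post it resolves to.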

You should properly handle the post view request. In your PHP, check every time a post is viewed that the post is shared_with a particular user or with non-logged-in users.

But that will be complex; basically you can also use a long sha1 or md5 encryption and store that hash in a separate column, and you can also update the hash periodically using cron jobs. As a user can't guess another post's hash from one post's hash, according to your current implementation hashing the user_id and storing it in the db is a nice idea, and you can also set the hash column unique in your db table. No decryption of the hash is required as they are not decryptable, and you can directly compare them in the where clause while processing like and comment requests.
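The per-request check this answer describes, as an added example that is not the answerer's code. The schema (a `shared_with` table listing who may see a non-public post, plus the asker's `post_like` mapping table) and the sample users and posts are constructed for the example. The point it shows: the post id in the request is untrusted input, the acting user comes from the server-side session, and the visibility rule is evaluated on every like, so knowing another post's id buys nothing.

```python
import sqlite3


def open_db() -> sqlite3.Connection:
    """Assumed schema: a post is either public or shared with the users listed in shared_with."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE posts (
            id INTEGER PRIMARY KEY,
            author_id INTEGER NOT NULL REFERENCES users(id),
            visibility TEXT NOT NULL CHECK (visibility IN ('public', 'shared')),
            body TEXT NOT NULL
        );
        CREATE TABLE shared_with (post_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
                                  PRIMARY KEY (post_id, user_id));
        CREATE TABLE post_like (post_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
                                PRIMARY KEY (post_id, user_id));
        """
    )
    return db


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: alice's first post is public, her second is shared with bob only."""
    db = open_db()
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "carol")])
    db.executemany(
        "INSERT INTO posts VALUES (?, ?, ?, ?)",
        [(1, 1, "public", "hello world"), (2, 1, "shared", "for bob only")],
    )
    db.execute("INSERT INTO shared_with VALUES (2, 2)")
    db.commit()
    return db


def can_view(db: sqlite3.Connection, viewer_id, post_id) -> bool:
    """The visibility rule in one WHERE clause: public, or own post, or explicitly shared.

    viewer_id may be None (anonymous); the comparisons then only pass for public posts.
    """
    row = db.execute(
        """
        SELECT 1 FROM posts p
        WHERE p.id = ?
          AND (p.visibility = 'public'
               OR p.author_id = ?
               OR EXISTS (SELECT 1 FROM shared_with s
                          WHERE s.post_id = p.id AND s.user_id = ?))
        """,
        (post_id, viewer_id, viewer_id),
    ).fetchone()
    return row is not None


def like_count(db: sqlite3.Connection, post_id) -> int:
    return db.execute("SELECT COUNT(*) FROM post_like WHERE post_id = ?", (post_id,)).fetchone()[0]


def like_post(db: sqlite3.Connection, session_user_id, post_id) -> tuple[int, dict]:
    """Handler for the like button, returning an HTTP-like (status, body) pair.

    post_id arrives from the client and is untrusted; who is liking comes from the
    server-side session, never from a hidden field or the URL.
    """
    if session_user_id is None:
        return 401, {"error": "login required"}
    if not can_view(db, session_user_id, post_id):
        # Same answer for "no such post" and "not shared with you", so the endpoint
        # cannot be used to enumerate which ids exist.
        return 404, {"error": "post not found"}
    with db:  # commit the like; the primary key makes a repeated like a no-op
        db.execute(
            "INSERT OR IGNORE INTO post_like (post_id, user_id) VALUES (?, ?)",
            (post_id, session_user_id),
        )
    return 200, {"post_id": post_id, "likes": like_count(db, post_id)}
```

The same `can_view` query serves the view, like and comment handlers, so the rule lives in one place; the unguessable reference from the earlier answers can be layered on top of this check, but it does not replace it.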