I'm developing a PHP webapp which has user profiles to create, modify & delete (you know).
When I modify a profile I send the $userID to the PHP page and then I load all the user data. That $userID is stored in a hidden input because I need it to launch the UPDATE query after submit.
I have noticed that a user can press F12 and change that userID to another one and could modify (or delete) another user's profile.
Sorry if it is a stupid question; I suppose that this is a common problem with form submission, but I don't know how you face it (what is the most secure strategy in this case).
Please help :-)
You should not expose a sensitive ID/data. There is no "security" practice that does that.
You should use a session variable, as @cmrrissey suggested:
<?php
session_start(); // must be called before any output is sent
$_SESSION['userID'] = $sensitiveId;
Also, you should not rely on the frontend validations. You must re-check/validate on your server what your end user is sending to you.
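As an added example (not code from the question or the answer above): a PHP profile-update handler that takes the user id from the server-side session instead of the hidden input, rejects a submitted id that does not match the session, and re-validates the fields on the server. The $pdo connection, the `users` table and its `id`/`name`/`email` columns are assumptions for illustration.

```php
<?php
// Added example: the identity comes from the session set at login
// (e.g. $_SESSION['userID'] = (int) $row['id']), never from the form.
// $pdo, the `users` table and its columns are assumed for illustration.
declare(strict_types=1);

session_start();

function currentUserId(): int
{
    if (!isset($_SESSION['userID'])) {
        http_response_code(401);
        exit('Not logged in');
    }
    return (int) $_SESSION['userID'];
}

function updateOwnProfile(PDO $pdo, array $post): bool
{
    $userId = currentUserId();

    // A leftover hidden field is untrusted input: any mismatch with the
    // session is a tampering attempt and is refused, not "corrected".
    if (isset($post['userID']) && (int) $post['userID'] !== $userId) {
        http_response_code(403);
        exit('Forbidden');
    }

    // Server-side validation of the editable fields, regardless of what
    // the browser-side checks did.
    $name  = trim((string) ($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || strlen($name) > 100 || $email === false) {
        http_response_code(400);
        exit('Invalid input');
    }

    // The WHERE clause uses the session id, so the statement can only touch
    // the logged-in user's own row; the same pattern applies to DELETE.
    $stmt = $pdo->prepare('UPDATE users SET name = :name, email = :email WHERE id = :id');
    return $stmt->execute([':name' => $name, ':email' => $email, ':id' => $userId]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('sqlite:app.db'); // assumed connection for the example
    updateOwnProfile($pdo, $_POST);
}
```

If an administrator legitimately needs to edit other users, check that role from the session before accepting a different id, and log the decision; the submitted id alone is never the authorization.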