
I have been told it's kind of a bad idea to use a key as an attribute of an xml t


Question

I have been told it's kind of a bad idea to use a key as an attribute of an XML tag. I find this very handy for AJAX, as I can just stick the key I need in whatever element is being clicked, changed, or whatever. I can see how this is a security risk but have only used the tactic in internal apps.

On external applications/sites, what would be a better way to handle this? I would assume just embedding another unique field that isn't numeric.

Basic example... I have a button that, when pressed, would update the price of an item in the database. Then, using JS on button press, I would take the ID and pass it back to the controller to update the item.

Explanation / Answer

I don't see a problem with that per se.

The controller should validate the request anyway; if a user doesn't have access to something, it should be stopped there.

For example:

page.php?action=updateAddress&id=7

Obviously you want to make sure the request is coming from someone who is allowed to modify ID 7 once you receive it. Also, a user who can edit the record ID 7 might not have access to edit the record ID 8.

You almost certainly don't want to start littering standard HTML with a bunch of keys like:

<form ...>
<input type="text" id="addressL1" name="addressL1" value="123 xyz blvd" addressValue="123 xyz blvd" addressID="6">
</form>

If you need them in a form, pass them as hidden fields with their own IDs.
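
The controller-side check the answer describes, sketched as an added example (not code from the original answer): the record ID is treated as untrusted input whether it arrives from a hidden field, a tag attribute, or the query string, and ownership is checked against the session user before any write. The function name, the `$addresses` array standing in for the database, and the user IDs are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the database: address ID => row.
$addresses = [
    7 => ['owner_id' => 42, 'line1' => '123 xyz blvd'],
    8 => ['owner_id' => 99, 'line1' => '9 other st'],
];

/**
 * Hypothetical controller action for page.php?action=updateAddress&id=N.
 * Returns [HTTP status, message]; $addresses is modified only on success.
 */
function updateAddress(array &$addresses, ?int $sessionUserId, array $params): array
{
    // 1. Identity comes from the server-side session, never from the request.
    if ($sessionUserId === null) {
        return [401, 'login required'];
    }
    // 2. The id is client-controlled: accept only a positive integer.
    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'bad id'];
    }
    // 3. Object-level check: does this record belong to this user?
    //    Missing and foreign records get the same reply so IDs cannot be probed.
    if (!isset($addresses[$id]) || $addresses[$id]['owner_id'] !== $sessionUserId) {
        return [404, 'not found'];
    }
    // 4. Validate the new value before writing it.
    $line1 = $params['addressL1'] ?? null;
    if (!is_string($line1) || trim($line1) === '' || strlen($line1) > 200) {
        return [422, 'bad address'];
    }
    $addresses[$id]['line1'] = trim($line1);
    return [200, 'updated'];
}

// User 42 owns record 7 but not record 8; 'abc' is a malformed id.
foreach (['7', '8', 'abc'] as $id) {
    [$status, $msg] = updateAddress($addresses, 42, ['id' => $id, 'addressL1' => '1 new rd']);
    echo "id=$id -> $status $msg\n";
}
```

With this check in place, swapping the numeric key for a non-numeric one changes how easy IDs are to guess but not who is allowed to edit which record.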
