 

How to store id on hidden value in secure way

I am facing a problem. I store the id in hidden value like

<input id="send" type="submit" value="Save" class="btn btn-success">
<input type="hidden" value="update" name="action">
<input type="hidden" value="$ticket_id" name="ticket_id">

When the user presses Ctrl+Shift+I they can see the code like

<input id="send" type="submit" value="Save" class="btn btn-success">
<input type="hidden" value="update" name="action">
<input type="hidden" value="40" name="ticket_id">

And if they change the ticket_id's value to another number, that will update another ticket's information, but my system structure is to allow updates only by the person who posted the ticket.

So how can I solve this problem? Please give some advice.

Update
I will check the user id before the update and use mcrypt_encrypt() and mcrypt_decrypt().
This is my current code

$secret_key = "fd4f8dasdjia5s5fd856d2s2";
#Create the initialization vector for added security.#
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
#Encrypt $string#
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $ticket_id, MCRYPT_MODE_CBC, $iv);
<input type='hidden' value='$encrypted_string' name='ticket_id'>

This is what I saw on the client side

M�l ���e�/^�u�&22�)L�w�X�

This is the code I use when I decrypt the ticket_id

$secret_key = "fd4f8dasdjia5s5fd856d2s2";
// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $ticket_id, MCRYPT_MODE_CBC, $iv);
echo $decrypted_string;die;

But I get this when I echo $decrypted_string
~~��+A�W�����hA%l��JYT�YY���͝��j0K1�r-�R�SZ��zE�h�tLQ8�

I didn't get 40, why?

Rei Tee asked Dec 31 '25 11:12


2 Answers

You have to verify server side that the user owns the ticket, so for example with a SQL query:

"SELECT * FROM ticket_user WHERE user_id = :user_id AND ticket_id = :ticket_id"

If it returns a row then you can proceed with the update, else throw an error.

In addition to that you can also encrypt/decrypt the ticket_id.

user3198601 answered Jan 01 '26 23:01
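The ownership check described in this answer, written out as an added example (this is not code from the question or from user3198601's answer). Instead of a separate SELECT followed by an UPDATE, it folds the ownership condition into the UPDATE's WHERE clause, so a tampered ticket_id belonging to another user simply matches zero rows. The `tickets` table, the column names, the in-memory SQLite database and the two sample rows are assumptions constructed for the example; the logged-in user's id is taken from the server-side session, never from the form.

```php
<?php
// Added example, not code from the question or from user3198601's answer:
// the ownership check expressed as one UPDATE whose WHERE clause names both
// the ticket and the logged-in user, so a tampered ticket_id that belongs
// to someone else matches zero rows and nothing changes.
//
// Assumptions (not from the page): a `tickets` table with columns
// ticket_id, user_id and subject; the current user's id is read from the
// server-side session, never from the form. The in-memory SQLite database
// and its two rows are constructed here so the script runs offline.

function updateTicketIfOwner(PDO $pdo, int $sessionUserId, int $ticketId, string $subject): bool
{
    $stmt = $pdo->prepare(
        'UPDATE tickets
            SET subject = :subject
          WHERE ticket_id = :ticket_id
            AND user_id = :user_id'
    );
    $stmt->execute([
        ':subject'   => $subject,
        ':ticket_id' => $ticketId,
        ':user_id'   => $sessionUserId,
    ]);

    // Zero rows means "no such ticket for this user": either the hidden
    // field was tampered with or the ticket does not exist. Treat both the
    // same so the response does not reveal which ids exist.
    // Caveat: on MySQL rowCount() counts only rows whose values actually
    // changed unless the connection sets PDO::MYSQL_ATTR_FOUND_ROWS => true.
    return $stmt->rowCount() === 1;
}

// Only ever treat the hidden field as a positive integer.
function ticketIdFromForm(array $post): ?int
{
    if (!isset($post['ticket_id']) || !is_string($post['ticket_id'])) {
        return null;
    }
    $id = filter_var($post['ticket_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// ---- constructed fixture ---------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tickets (ticket_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, subject TEXT NOT NULL)');
$pdo->exec("INSERT INTO tickets VALUES (40, 7, 'printer jammed'), (41, 9, 'vpn down')");

$sessionUserId = 7;   // stands in for $_SESSION['user_id']

// Honest request: user 7 edits their own ticket 40.
$honest   = ['action' => 'update', 'ticket_id' => '40', 'subject' => 'printer jammed, 2nd floor'];
// Tampered request: same user, ticket_id rewritten to 41 in the dev tools.
$tampered = ['action' => 'update', 'ticket_id' => '41', 'subject' => 'hijacked'];

foreach ([$honest, $tampered] as $form) {
    $ticketId = ticketIdFromForm($form);
    if ($form['action'] !== 'update' || $ticketId === null) {
        echo "bad request\n";
        continue;
    }
    if (updateTicketIfOwner($pdo, $sessionUserId, $ticketId, $form['subject'])) {
        echo "ticket $ticketId updated\n";
    } else {
        echo "ticket $ticketId: not yours or does not exist, nothing changed\n";
    }
}

// Ticket 41 still carries its original subject.
echo $pdo->query('SELECT subject FROM tickets WHERE ticket_id = 41')->fetchColumn(), "\n";
```

Doing the check and the write in one statement also avoids a window between a separate SELECT and the UPDATE in which ownership could change. The rowCount() caveat matters in practice: with the MySQL driver, resubmitting a form with unchanged values would report 0 rows and look like a failed authorization unless `PDO::MYSQL_ATTR_FOUND_ROWS` is enabled on the connection.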


  1. Use access controls and application logic. Only let a user access resources they have explicit permission to access.
  2. If you need to prevent a form attribute from being tampered with, also include a MAC.
<?php
    $id = 40;
    $some_long_secret_key = 
        "\xc4\x28\x06\xca" . "\xaa\x9c\x45\x66" .
        "\x61\xdd\xeb\x40" . "\x13\x59\x86\xb6" .
        "\xbb\xe6\xeb\x13" . "\x56\xdc\x17\x8d" .
        "\x5f\x4e\x3b\x79" . "\x1e\x98\x28\xb3";
?>
<input type="hidden" name="id" value="<?php echo intval($id); ?>" />
<input type="hidden" name="id_mac" value="<?php 
    echo hash_hmac('sha256', $id, $some_long_secret_key); 
?>" />

Also, before you implement any of the encryption suggestions, read this piece on url encryption. TL;DR don't do it.

Scott Arciszewski answered Jan 02 '26 01:01
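The answer above shows only the emitting side of the MAC. The following is an added example, not code from Scott Arciszewski's answer, of the verifying side, and it goes slightly beyond the answer by binding the session user id and the form action into the MACed message, so a valid (id, id_mac) pair copied from one user's page cannot be replayed by another user or against another action. The key, the `macMessage` layout, the `id`/`id_mac` field names and the constructed POST bodies are all assumptions made for the example.

```php
<?php
// Added example, not code from Scott Arciszewski's answer: the verifying
// side of the MAC scheme above. It also goes slightly beyond the answer by
// binding the user id and the action into the MACed message, so a valid
// (id, mac) pair captured from one user's page cannot be replayed by another.
//
// Assumptions (not from the page): the key is loaded from configuration
// outside the web root (a fixed 32-byte string stands in here); the form
// posts `id` and `id_mac`; $_POST and the session are simulated.

// Stand-in for a key read from config; generate a real one with random_bytes(32).
$key = str_repeat("\xc4\x28\x06\xca\xaa\x9c\x45\x66", 4);

// The exact bytes that are MACed. Field order and separator are fixed so
// the emitting and verifying sides can never disagree on what was signed.
function macMessage(string $action, int $userId, int $id): string
{
    return "$action|user=$userId|id=$id";
}

function signId(string $action, int $userId, int $id, string $key): string
{
    return hash_hmac('sha256', macMessage($action, $userId, $id), $key);
}

// Returns the id if the posted (id, id_mac) pair is intact and was issued
// to this user for this action, otherwise null.
function verifySignedId(array $post, string $action, int $userId, string $key): ?int
{
    if (!isset($post['id'], $post['id_mac']) || !is_string($post['id']) || !is_string($post['id_mac'])) {
        return null;
    }
    $id = filter_var($post['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $expected = signId($action, $userId, $id, $key);
    // hash_equals: known-good value first, user-supplied value second,
    // constant-time so the comparison does not leak how many bytes matched.
    return hash_equals($expected, $post['id_mac']) ? $id : null;
}

// ---- rendering side: what goes into the form for user 7, ticket 40 -------
$sessionUserId = 7;
$ticketId = 40;
$mac = signId('update', $sessionUserId, $ticketId, $key);
printf('<input type="hidden" name="id" value="%d" />' . "\n", $ticketId);
printf('<input type="hidden" name="id_mac" value="%s" />' . "\n", htmlspecialchars($mac, ENT_QUOTES, 'UTF-8'));

// ---- receiving side: constructed POST bodies ------------------------------
$cases = [
    'honest'        => ['id' => '40', 'id_mac' => $mac],
    'id changed'    => ['id' => '41', 'id_mac' => $mac],
    'mac changed'   => ['id' => '40', 'id_mac' => strrev($mac)],
    'replayed by 9' => ['id' => '40', 'id_mac' => $mac],   // verified as user 9 below
];
foreach ($cases as $label => $post) {
    $user = $label === 'replayed by 9' ? 9 : $sessionUserId;
    $id = verifySignedId($post, 'update', $user, $key);
    echo str_pad($label, 14), ': ', $id === null ? 'rejected' : "ok, ticket $id", "\n";
}
// A MAC that verifies only proves the server issued this id to this user
// for this action; the ownership query is still the authorization check.
```

Keep the two steps in this order on the receiving side: validate the MAC first (cheap, rejects anything the server never issued), then run the server-side ownership query from point 1. The MAC prevents tampering with a value the server chose; it does not by itself decide whether the user may act on that ticket.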