1

I'm creating a website with a catalog, trading system, and custom currency (in Laravel).

I have the catalog and custom currency completely done (at least so far); it's just the trading system. I'm so close to having the trading system done, except for this one thing that keeps holding me back, even though I think it should be pretty simple to do.

Each catalog item has a unique ID (in the database called uid), and the trading system trades items based on the unique item id.

Here is the Trading Page for reference. I have it to where if you click the checkbox on an item you want or want to give away, it sends all the uids you checked into one array (Note: I have 2 separate arrays, one for the offering items, and one for the requesting items).

But the way I have it right now is that it gets each item uid based off a form input. Since I don't want users being able to edit an item's unique ID, I need a way to do this in the backend. I've tried researching but I haven't gotten too far with that.

I'm kind of new to Laravel and making websites as a whole, so I don't really know how to go forward with this. I'm thinking I will have to use JavaScript, but I don't know how to send information to the controller using JavaScript. I've also heard of encoding then decoding the values, but I have no idea how to do that either.

HTML Code (Offering Side):

{{-- One form wraps the whole inventory so every checked out_data[] value is submitted together.
     The original opened a new form inside the loop and never closed it, so only one checkbox
     could ever be posted per form. --}}
<form class="form-horizontal" method="POST" enctype="multipart/form-data" action="{{ route('trade.s', [$user->id]) }}">
    {{ Form::token() }}
    @foreach (Auth::user()->inventory()->paginate(9999) as $itemb)
        @php
            // Look up the catalog entry for this inventory row (was a `<? ... ?>` short-tag block,
            // which is disabled on most PHP installs).
            $item = Item::find($itemb->item_id);
            // Cheapest current listing for this item (not used in the markup below).
            $yoyo = $item->selling()->orderBy('price', 'asc')->first();
        @endphp
        @if ($item->limited == '1' && $item->rbp()->count() > 0)
        <div class="col-md-4" style="margin-top: 8px;display: inline-block;padding-left: 10px;">
            <a>
                <div class="card-body h-100" style="padding-top: 0px;padding-bottom: 0px;padding-right: 0px;padding-left: 0px;">
                    <div class="card h-100" style="border-radius: 0px; width: 120px;">
                        <img style="object-fit:cover; width: 100%; height: 50px;" src="/public/uploads/catalog/{{$item->image}}">
                        <span class="badge badge-success limited">Limited</span>
                        <div class="card-body" style="padding-bottom: 10px;padding-right: 10px;padding-left: 10px;padding-top: 10px;">
                            <h6>{{$item->title}}</h6>
                            <img style="margin-bottom: 2px;" src="{{ asset('public/img/nau.png') }}"> {{number_format($item->rbpp)}}
                        </div>
                        <div class="card-footer" style="padding-bottom: 0px;padding-top: 10px;padding-right: 0px;padding-left: 10px;">
                            {{-- The checkbox value is the item's uid; the controller must re-check
                                 that each posted uid really belongs to the logged-in user --}}
                            <input type="checkbox" name="out_data[]" value="{{$itemb->uid}}"> <label>Trade?</label>
                        </div>
                    </div>
                </div>
            </a>
        </div>
        @endif
    @endforeach
</form>
</div>

Any help is very appreciated! (Sorry if my post is messy, please tell me if I need to put more code samples.)

2 Answers

1

From what I understand your fear is that people will modify the UUID of the item and try to "sell" another item that they do not have. If that is the case you should not work on the form itself, but on the security in the backend. That is:

  1. receive an item UUID for sale (or an array of items)
  2. !important! check that each of the items' UUIDs belongs to that particular logged-in user.
  3. then: a) if they ALL belong to the user, store them in the db as "selling" for that user. b) if even one item does NOT belong to the user, return a validation error. They should not be able to store items for sale that they do not have.

From what I read it seems you're skipping step 2. where you check the UUIDs you receive from the form.

Changing the html form to be somehow "unchangeable" would be pretty much impossible so work with your limitations, not against them. :)


4 Comments

This makes a lot of sense now that I'm thinking about it lol, thank you I will try this now.
I have a question actually. I was researching, and I just wanted to make sure. Could you accomplish this using array_intersect? I can get the user's inventory, and from there get the uids in the user's inventory. But when I try to execute it, it returns an "Array to string conversion" error.
if your array of UUIDs looks like $arrayOfUUIDs ['abc-xlx-lks-123', '...',] you can just do if( ! in_array( $uuidStringFromForm, $arrayOfUUIDs) ) { abort('wrong uuid'); }
nice! happy to help
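As an added illustration (not code from the question or either answer), here is a Laravel controller action that carries out the three steps above on the server side: receive the uid arrays, check every uid against the database, and either record the trade or reject the whole request. The route name trade.s, the inventory() relation, the uid column and the out_data[] field come from the question; the TradeController and Trade model names, the in_data[] field for requested items, and the json-cast offered/requested columns are assumptions. Because the uids are re-fetched from the owner's inventory with a single whereIn query per side, the values stored never come from the form unchecked, and a request containing even one foreign uid fails validation before anything is written.

```php
<?php
// Added example, not from the original post. Assumed names: TradeController,
// the Trade model (with `offered`/`requested` cast to array), and the in_data[]
// field; route 'trade.s', inventory() and the uid column are from the question.

namespace App\Http\Controllers;

use App\Models\Trade;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\ValidationException;

class TradeController extends Controller
{
    // Step 1: receive the arrays of item uids posted by the trade form.
    // $user is the counterparty, bound from the route parameter.
    public function store(Request $request, User $user)
    {
        $data = $request->validate([
            'out_data'   => ['required', 'array', 'min:1'],
            'out_data.*' => ['string', 'max:64'],
            'in_data'    => ['required', 'array', 'min:1'],
            'in_data.*'  => ['string', 'max:64'],
        ]);

        // Duplicates are collapsed so a repeated uid cannot inflate a count check.
        $offered   = array_values(array_unique($data['out_data']));
        $requested = array_values(array_unique($data['in_data']));

        // Step 2: every offered uid must be in the logged-in user's inventory,
        // and every requested uid must be in the other user's inventory.
        $this->assertOwnsAll(Auth::user(), $offered, 'out_data');
        $this->assertOwnsAll($user, $requested, 'in_data');

        // Step 3a: all uids verified against the database, so record the trade.
        $trade = Trade::create([
            'sender_id'   => Auth::id(),
            'receiver_id' => $user->id,
            'offered'     => $offered,
            'requested'   => $requested,
        ]);

        return back()->with('status', 'Trade offer #' . $trade->id . ' sent.');
    }

    // Step 3b: if even one uid does not belong to $owner, reject the whole request
    // with a validation error on the field that carried it.
    private function assertOwnsAll(User $owner, array $uids, string $field): void
    {
        // One query per side. pluck()->all() yields a plain PHP array, which is
        // what array_diff expects (passing the Collection itself is a common
        // source of "Array to string conversion" errors).
        $owned   = $owner->inventory()->whereIn('uid', $uids)->pluck('uid')->all();
        $missing = array_diff($uids, $owned);

        if ($missing !== []) {
            throw ValidationException::withMessages([
                $field => 'One or more selected items are not in the expected inventory.',
            ]);
        }
    }
}
```

The same assertOwnsAll check is reused for both sides of the trade: the offering side against Auth::user() and the requesting side against the counterparty $user, so a tampered checkbox value on either list is caught by the same code path.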
0

Can you just include a hidden form input for each of the items which holds the uid? e.g.

<input type="hidden" name="uid" id="uid" value="{{ $item->uid }}">

1 Comment

I've tried hidden inputs, but I was still able to edit the values via inspect element.
