
Sending data via href GET route method

I built a GET method route to store data via a controller in a MySQL database. Here you can see a part of my view:

@foreach($groupsrequest as $grouprequest)
    <a class="btn btn-primary btn-block" href="{{ route('mgmtgroups_approvel', ['idgroup' => $grouprequest->idgroup, 'iduser' => $grouprequest->iduser]) }}">
        Gruppe <strong>{{$grouprequest->group_name}}</strong> Anfrage von User <strong>{{$grouprequest->username}}</strong>
    </a>
@endforeach

And this is my web route file, which passes the data to the controller, where the data is going to be stored in the MySQL DB.

Route::get('/home/groupmgmt/approvel', 'GroupController@setGroupApprovel')->name('mgmtgroups_approvel');

Now my problem: after I click on the href button I get the following URL

http://localhost:8000/home/groupmgmt/approvel?idgroup=18445&iduser=123

and I can change the URL parameter, press Enter, and then the data will be stored. But this cannot be correct, because I am able to store fake data in the DB. I can, for example, create a user ID which does not exist. How do I do this the right way, so that this is not possible and only data which was shown in the view before can be stored in the DB?

You can use the exists validation type of Laravel to validate the existence of the user ID.

BTW, if the ID is the ID of the logged-in user then you don't need to pass it via query parameters; you can just get it using the Auth::id() function of Laravel.

Also I suggest you use the POST method instead of GET and add a CSRF token to the request to improve security. Also you should validate the request to make sure nobody can insert invalid data into the database. For example, if this is a registration approval script, you should make sure that the given ID has actually requested registration for the group; otherwise you should show an error to the user.
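The following is an added example (not code from the question or the answer) showing how those three points fit together in one Laravel endpoint: a POST route behind the auth middleware, a Blade form with @csrf, an exists rule that only accepts an (idgroup, iduser) pair with a real pending request, and an ownership check before anything is written. The table names `groups` and `group_requests`, the `status` and `owner_id` columns, and the `Group` model are assumptions.

```php
<?php
// routes/web.php (assumed): the approval changes state, so it is POST-only and
// requires a logged-in user. The string controller syntax follows the original route.
use Illuminate\Support\Facades\Route;

Route::post('/home/groupmgmt/approvel', 'GroupController@setGroupApprovel')
    ->middleware('auth')
    ->name('mgmtgroups_approvel');

/* Blade view (assumed file): one form per request, with the CSRF token included.
<form method="POST" action="{{ route('mgmtgroups_approvel') }}">
    @csrf
    <input type="hidden" name="idgroup" value="{{ $grouprequest->idgroup }}">
    <input type="hidden" name="iduser"  value="{{ $grouprequest->iduser }}">
    <button class="btn btn-primary btn-block">Approve</button>
</form>
*/

// app/Http/Controllers/GroupController.php
use App\Http\Controllers\Controller;
use App\Models\Group;                 // assumed model over the `groups` table
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\Rule;

class GroupController extends Controller
{
    public function setGroupApprovel(Request $request)
    {
        // Validation: both IDs must be integers that exist, and the user must
        // actually have a pending request for *this* group, so a tampered
        // iduser that was never shown in the view is rejected with a 422.
        $data = $request->validate([
            'idgroup' => ['required', 'integer', 'exists:groups,idgroup'],
            'iduser'  => ['required', 'integer',
                Rule::exists('group_requests', 'iduser')
                    ->where('idgroup', $request->input('idgroup'))
                    ->where('status', 'pending'),
            ],
        ]);

        // Authorization: only the group's owner may approve (assumed owner_id column).
        $group = Group::where('idgroup', $data['idgroup'])->firstOrFail();
        abort_unless($group->owner_id === Auth::id(), 403);

        DB::table('group_requests')
            ->where(['idgroup' => $data['idgroup'], 'iduser' => $data['iduser']])
            ->update(['status' => 'approved']);

        return back()->with('status', 'Request approved.');
    }
}
```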
