Keeping data update safe

Question

I have seen many websites (including SO and my websites) to store rows id of data extracted from database in a HTML attribute. I know that it can be edited by the user at client side and maybe sent to server-side to update the data according. Take this query as example and remember, it is for upvoting comments:

SELECT comment_id, comment FROM comments

A normal person will do the printing like this:

<td data-commentid="<?php echo $row['comment_id']; ?>"><?php echo $row['comment']; ?></td>

and the output:

<td data-commentid="1">+1, beat me to it.</td>
<td data-commentid="2">Damn! What is this?</td>
...

When it is displayed to some hacker type user, he will try to edit the commentid with something like 250 and will click upvote button and our innocent script will accept it and will upvote the other comment with id 250 although it was visually for comment with id 1 or 2.

Question :

Is there any way to get rid of this? You can turn your console on and inspect SO also when you change its attribute referencing to comment important information, it seems to update the db with the updated attribute's id.

Answer 1

That isn't actually an attack.

There is no difference between performing your "hack" and actually viewing comment #250 and upvoting it.

If the user changes the ID or action to something he isn't allowed to do, you must use server-side authorization / access control to deny the request.

In short:

Never trust any information provided by the client.

Always verify that the input makes sense, and that the user is allowed to take the action.