I am working on a website in which there would be functionalities to update and delete data on the basis of id. Now the thing I am worried about is like my url would be
www.example.com/public/controller/action/1
if the action would be delete, any person can change id from 1 to 2 in url and the data with id 2 would get deleted. What would be the best way to keep the flow secure. I am using Zf2 and Doctrine2... Any suggestions please !!! And moreover I am keeping ids hidden in fields, anybody can use firebug to change the value in fields, is there any way to protect data from that too?
Would any encryption-decryption way would make it secure, like if anybody even edits the encrypted value, after decrypting it would not result in a required id? Which one would be good?
You should worry less about what happens when people change parameters within the URL or try to hack something into your HTML (hidden fields), as much more you should worry about what your users are actually allowed to do.
If an admin is allowed to delete all posts for example, then it doesn't matter if he changes domain.com/post/delete/1 into domain.com/post/delete/42. If admins are supposed to delete everything they can. So let them just change it as much as they want to.
If admins however are only allowed to gain administrative privileges to their own entries, then you need to work this into your Service-Layer. The Service-Layer would check for permissions of the current user against the currently requested object. My personal favorite would be ZfcRbac.
If however you want to make it more difficult for people to actually change IDs, then you should give every entry a unique hash. So for example the url would be domain.com/post/delete/12acd-4a7f7c6-4a7f7c6-12acd-4a7f7c6 or something like that.
TL/DR don't worry what happens when people change stuff within the URL/HTML, simply worry about Authentication and Permissions in general.