I am looking for a 'best practices' approach to avoid placing database ids in my forms (either as hidden variables or in my query strings).
With tools such as firebug, it becomes easy for someone to change a hidden form value and submit against some other record in the database.
The only thing I can think of is to have a database column that houses a UUID and use that in my forms, but I don't think I want to use UUIDs throughout my system since I'd rather leverage my database id's rather than UUIDs...
I'm coding a new app from scratch (Struts 2, Spring, Hibernate), so the sky's the limit.
Just a thought, you could keep your DB IDs in your session object, associate them with some alternate ID, then put the alternate ID in the form. When the next request came back from the client you would have to translate the alternate keys back into the actual DB IDs (Probably using a hashmap to do the translation). You could make some framework utilities to ease generating the alternate IDs and translating them. Maybe a custom tag that would generate the alternate key, put it in the hashmap with the real ID, and then write the alternate key out in the html for the hidden tag. Actually, for the value of the hidden field, you could just set it to the name of the hidden field. Then you could write a struts2 interceptor that would loop through the hashmap (which would have the field name as the key and the actualy DB ID as the value) and use the key to do an OGNL look up to find the right varriable in your action class and then set it to the value from the hashmap. Actually, your custom tag wouldn't even need to generate any html if you did it this way.
Like I said, just a thought. Maybe there is a tool out there or part of a framework that will do this automatically, but would think this would allow you to avoid relying on the database IDs that are returned by clients.