So I was testing my application for some vulerabilities and found one that I missed:
<input class="hidden" type="hidden" name="event_id" value="{{$event->id)}}">
this puts the ID of the current event during the checkout into the database. Of course this would allow a malicious user to change its value and change the booked course. I found some postings on SO that said to encrypt and decrypt the values of the hidden input to prevent abuse: https://stackoverflow.com/a/29516318
So I did that:
<input class="hidden" type="hidden" name="event_id" value="{{Crypt::encryptString($event->id)}}">
and in my Laravel controller I do:
// Store data in database
$checkout = new Checkout();
$checkout->event_id = Crypt::decryptString($request->event_id);
$checkout->quantity = array_sum($request->ticket);
$checkout->firstname = $request->firstname;
$checkout->lastname = $request->lastname;
$checkout->email = $request->email;
$checkout->phone = $request->phone;
$checkout->save();
I tested the "vulnerability" and it threw a Invalid MAC
error. So my question would be, this is enough?