Forms, Security, and Action tags - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com), Thread: Forms, Security, and Action tags (/showthread.php?tid=13636)
Forms, Security, and Action tags - El Forum - 11-30-2008
[eluser]gullah[/eluser]
Hello everybody, pretty simple quick question. I'm looking for the most secure way to have users submit data from a form. Hidden variables can be changed in the browser, so that doesn't seem to really work. What I'm wondering is if this could be beaten.

Bad guy wants to edit something that is considered 'locked' and has the id of 35. So they go to a page that isn't locked and has the id of 36. This form has the action set as '/users/edit/36'. Would it be possible for an attacker to change that form action, and how can I prevent this or guarantee that this is the form that they should be editing?

Thanks in advance
Drew

Forms, Security, and Action tags - El Forum - 11-30-2008
[eluser]Thorpe Obazee[/eluser]
Identify them and give users privileges. Have them only access the id that they can edit. Whenever they access pages that they shouldn't have access to, don't show them anything except a 'you're not allowed here' page.

Forms, Security, and Action tags - El Forum - 11-30-2008
[eluser]gullah[/eluser]
I have user authentication and users are only allowed to edit certain things, yes. What I'm worried about is them altering form data to edit something else. The site I'm working on is a community site, and how I have it set up now they can edit generic items and they would have the form action of songs/edit/[id]. I am curious if someone could alter the action to edit a different song, for example.

Forms, Security, and Action tags - El Forum - 11-30-2008
[eluser]gullah[/eluser]
Turns out yes, yes you can with a DOM inspector, so basically I need to come up with a database flag or something to say if they are editable.
Forms, Security, and Action tags - El Forum - 11-30-2008
[eluser]Thorpe Obazee[/eluser]
[quote author="drewtown" date="1228119930"]Turns out yes, yes you can with a DOM inspector, so basically I need to come up with a database flag or something to say if they are editable.[/quote]
Yep, using a database flag is the way to go.

Forms, Security, and Action tags - El Forum - 12-01-2008
[eluser]Future Webs[/eluser]
What I do in this situation is... and I'm guessing that you have the user's id stored along with the data that is being edited.

First up, when the page loads, cross-reference the user's id from the session with the user's id of the data being edited. If they don't match, don't show the form and either redirect or show a notice of "you're not allowed here, your IP has been logged etc."

I would also not store the user's id as a hidden field in your form, as people could see that in the source and maybe change it. Instead do this in the model or controller, wherever you are building the array to pass to the update. Nobody has access to the model or controller, and the array is not listening for any POST values for the user's id and instead takes them from the session.

The less you put in the form the better. If you can hard code it into the controller or model rather than passing it back and forth as a POST, the less chance there is of anything being changed that should not be.

Forms, Security, and Action tags - El Forum - 12-01-2008
[eluser]Michael Wales[/eluser]
You say you already have a user authentication system ensuring they have access to view the current edit form, let's say: /users/edit/36

If you make the form submit to itself (/users/edit/36) you can kill two birds with one stone. First, you are removing the hidden form field with the ID - you can now use the ID from the URL. Secondly, your authentication testing for that user accessing that particular controller method will prevent them from altering other records.
A code example:
Code:
function edit($id = NULL) {

Forms, Security, and Action tags - El Forum - 12-01-2008
[eluser]gullah[/eluser]
Thanks for the replies, but I'm afraid, Michael, what you were suggesting is what I'm trying to avoid. I had the form action set like that and it is possible to change that. I left the action with the id in it but I added security in the function; here is what I did. Let me know if you see any problems with it.
Code:
function lyrics()
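The server-side checks that Future Webs and Michael Wales describe (record id taken from the URL segment, owner compared against the session user, a database `locked` flag), worked through as an added example in CodeIgniter 1.x style; this is not code from the thread or from any poster. It assumes a session library holding `user_id` and a `songs` table with `id`, `user_id` and `locked` columns, all constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes CodeIgniter 1.x, a session
// library storing 'user_id', and a constructed 'songs' table with columns
// id, user_id (owner) and locked (the database flag discussed above).
class Songs extends Controller {

    function Songs()
    {
        parent::Controller();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Returns the song row if the session user may edit it, otherwise NULL.
    // Ownership and the lock flag are decided server side on every request.
    function _editable_song($id, $user_id)
    {
        $song = $this->db->get_where('songs', array('id' => $id))->row();
        if ( ! $song || (int) $song->user_id !== $user_id || (int) $song->locked === 1) {
            return NULL;
        }
        return $song;
    }

    function edit($id = NULL)
    {
        // The record id comes from the URL segment only; nothing the browser
        // posts (hidden field, altered form action) selects the record.
        $id = (int) $id;
        $user_id = (int) $this->session->userdata('user_id');
        $song = ($id > 0 && $user_id > 0) ? $this->_editable_song($id, $user_id) : NULL;
        if ($song === NULL) {
            log_message('error', "user $user_id denied edit of song $id");
            show_error('You are not allowed here', 403);
            return;
        }

        if ($this->input->post('lyrics') !== FALSE) {
            // Update only whitelisted columns; the WHERE clause repeats the
            // owner and lock conditions so a record locked meanwhile is untouched.
            $data = array('lyrics' => $this->input->post('lyrics'));
            $this->db->where(array('id' => $id, 'user_id' => $user_id, 'locked' => 0));
            $this->db->update('songs', $data);
            redirect('songs/edit/' . $id);
            return;
        }
        // The form posts back to this same URL, so the same checks run again.
        $this->load->view('songs/edit', array('song' => $song));
    }
}
```

Changing the form action to another id in a DOM inspector only changes which record the request asks for; the owner and lock checks above decide whether that request is honoured.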