Javascript/Html Server side verification
#1

Hi all

I've been playing around and have a question that I just can't find a good answer to.

I have HTML and send it to my controller through JavaScript.
I have values in data-attributes.

I have just realised that if I change a value of a data-attribute using Google's inspector and then click send, this will be the value used.

So if I use a user's ID in a data-attribute, i.e. data-userid="1", and for example delete this user when I click on the send button through a JavaScript function, user 1 is deleted (well, flagged as deleted, as my users don't have delete permission).

If I change it to data-userid="15" in the inspector, user 15 will be deleted once I click on the button.

I have thought of using some sort of hash or crypt on the user ID and having that in my data-attribute, like data-userid="tre43sdf5486zrs6f46sg".

Is there a better way around this?

Thanks, hope I'm clear :)
Reply
#2

I personally would check permissions on the server side with user groups / roles.
So when I am logged in as the Administrator group / role, I have permission to delete users.

Am I a content editor? Then I cannot delete users (even if I know the route to the controller).
Reply
#3

(02-21-2018, 05:54 AM)Krycek Wrote: I personally would check permissions on the server side with user groups / roles.
So when I am logged in as the Administrator group / role, I have permission to delete users.

Am I a content editor? Then I cannot delete users (even if I know the route to the controller).

Great, thanks, that I have done.

First thing I do is check if it's an AJAX call,
then I get the logged-in user ID and check if the user is logged in and has permissions.

But most users have the same permissions (e.g. members), so they could alter information of one user via the HTML just by changing the values via the inspector.

Let's say I have a friend suggestion.

<div id="suggestionid" data-suggested="123"> where 123 is the suggested user ID.
I get the data-attribute via JavaScript and send it to my controller, but what if the user changes 123 to 178?

178 will be the value sent to the controller.

So how do I check this before taking action on the sent data?

This is just a simple example, but I'm sure users doing this will be able to manipulate a lot more.
Reply
#4

(This post was last modified: 02-21-2018, 06:49 AM by dave friend.)

There isn't a way of preventing someone from taking pot-shots at your data. But you can obfuscate what's going on.
https://paragonie.com/blog/2015/09/compr...ion-in-php

You might want to consider using session data to pass sensitive info like the user ID instead of passing it in a URL.
Reply
#5

(02-21-2018, 06:40 AM)dave friend Wrote: There isn't a way of preventing someone from taking pot-shots at your data. But you can obfuscate what's going on.
https://paragonie.com/blog/2015/09/compr...ion-in-php

OK, sounds good. What I'm thinking is to
send an encrypted version of the user ID instead, using $this->load->library('encryption');

This gives a huge number, but a user wanting to try to change that value won't be very successful.

Then when the data is sent I can decrypt the value and check it against the value in the DB.

What do you think?

And is there a way to have shorter encrypted responses?
Reply
#6

Go back and read the article I linked. It's about why you DON'T use encryption in URL parameters. Instead you use a "random lookup" value.

You can make it shorter, but that means there are fewer unique values, raising the odds of a conflict and making it easier to use brute-force techniques.
Reply
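The "random lookup" value from #6 combined with the server-side permission check from #2 and #3, as an added plain-PHP example that is not from this thread or from CodeIgniter. The `$session` array standing in for the session store, the role table, and the action names are all assumptions made for the demo.

```php
<?php
// Added example (not from the thread or CodeIgniter): a server-side "random
// lookup" map for IDs placed in data-attributes, plus a role check before
// acting. $session stands in for $_SESSION / CI's session library (assumption).

// Permissions by role: constructed for the demo.
const ROLE_PERMISSIONS = [
    'admin'  => ['delete_user', 'accept_suggestion'],
    'member' => ['accept_suggestion'],
];

// When rendering the page: mint an opaque token bound to (target ID, allowed
// action) and keep the mapping server-side. Only the token goes into the
// data-suggested attribute; the real ID never reaches the browser.
function issueLookupToken(array &$session, int $targetUserId, string $action): string {
    $token = bin2hex(random_bytes(16)); // 128 random bits: not guessable, nothing to decrypt
    $session['lookup'][$token] = ['user' => $targetUserId, 'action' => $action];
    return $token;
}

// In the controller: resolve what the browser sent using server state only.
// An attribute edited in the inspector yields an unknown token and is rejected,
// and a token minted for one action cannot be reused for another.
function handleAction(array &$session, array $actor, string $token, string $action): string {
    $entry = $session['lookup'][$token] ?? null;
    if ($entry === null || $entry['action'] !== $action) {
        return 'rejected: unknown token';
    }
    // The role check is independent of the token: a member cannot delete anyone,
    // even with a token that was legitimately issued to them.
    if (!in_array($action, ROLE_PERMISSIONS[$actor['role']] ?? [], true)) {
        return 'rejected: not permitted';
    }
    unset($session['lookup'][$token]); // single use
    return "ok: {$action} on user {$entry['user']}";
}

// Demo with constructed data: member 42 is shown a suggestion for user 123.
$session = [];
$member = ['id' => 42, 'role' => 'member'];
$token = issueLookupToken($session, 123, 'accept_suggestion');
echo handleAction($session, $member, $token, 'accept_suggestion'), PHP_EOL;
// The value a user would type into the inspector is not a known token.
echo handleAction($session, $member, '178', 'accept_suggestion'), PHP_EOL;
// Even a valid token does not grant an action the role lacks.
$deleteToken = issueLookupToken($session, 123, 'delete_user');
echo handleAction($session, $member, $deleteToken, 'delete_user'), PHP_EOL;
```

In a real controller the lookup map lives in the session of the logged-in user, so one user's tokens are never valid in another user's session.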
#7

(02-21-2018, 08:01 AM)dave friend Wrote: Go back and read the article I linked. It's about why you DON'T use encryption in URL parameters. Instead you use a "random lookup" value.

You can make it shorter, but that means there are fewer unique values, raising the odds of a conflict and making it easier to use brute-force techniques.

OK, great, read it through, makes sense.

Thanks a lot for your help.
Reply