Currently I'm using a form to post a "comment" and save it in the database there are two hidden fields, one to check what component the comment is made on and the other hidden field is the comment number. But I found a exploit in my own form. If I go into the developer console I can change them to either crosspost the comments to a other form, or to something that doesn't exist, this doesn't really matter, nor the fact that I can change the number the comment is, because it still works properly if there's a comment with the same number.
<form action="/index.php?option=com_comments&view=comment&row=<?= $row ?>&table=<?= $table ?>" method="post">
<input type="hidden" name="row" value="<?= $row ?>" />
<input type="hidden" name="table" value="<?= $table ?>" />
<textarea type="text" name="text" class="control control--textarea control-group__control" placeholder="<?= translate('Add new comment here ...') ?>" id="new-comment-text"></textarea>
<br />
<input class="leader btn btn--theme control-row__trigger" type="submit" value="<?= translate('Comment') ?>"/>
But the issue is that when I go to the console and I add and then submit the form I can actually override the value and post as that I'm someone else. Which is obviously not intended behaviour to be able to post as someone else. I can't seem to find a way to validate the value of created_by before the post is being send, because if I put it in a hidden input field too it can be changed just as well. What can I do to make this secure?
EDIT: The posting is done automatically and I literally can't change anything about it because of the Framework we're using. And it overrides the proper default behaviour. A better way to phrase my question would be, can I prevent a user from adding a extra hidden input field to post extra values? Should I post form post check everytime if the post includes a created_by and if it does change it to the current profile_id?
Malicious code changed via developer console
<form action="/index.php?option=com_comments&view=comment&row=2&table=blogs_blogs&created_by=6" method="post" class="ng-pristine ng-valid">
<input type="hidden" name="_token" value="a0b15d3664d7bc0e0e40675095fec014">
<input type="hidden" name="_token" value="a0b15d3664d7bc0e0e40675095fec014">
<input type="hidden" name="row" value="2">
<input type="hidden" name="created_by" value="6">
<input type="hidden" name="table" value="blogs_blogs">
<textarea type="text" name="text" class="control control--textarea control-group__control" placeholder="Add new comment here ..." id="new-comment-text"></textarea>
<br>
<input class="leader btn btn--theme control-row__trigger" type="submit" value="Comment">
</form>
Rule #1 in web application security: Never trust the client
If the user is logged in, store the user's id in the session and only use that identifier to store his/her records in the database.
Plus, you should implement a mechanism to prevent CSRF (cross site request forgery) in your form. Because I can't see that it does.
You can use session or cookies together with database
[php]
$userHash = $db->prepare('SELECT user_hash FROM user WHERE id = :uId')->scalar([':uId' => $this->getUserId()]);
if (!empty($_SESSION['userHash']) && $_SESSION['userHash'] == $userHash) {
// process form
// generate new user hash
} else {
die('!HACKER!');
}
Instead of user ID you can use session ID.
I fixed it by adding this check to the behaviour that's applied before it's actually posted to the server
public function createdbycheck(Library\CommandContext $context)
{
$context->request->data->created_by = null;
}
Just sets it to NULL, and then it's handled by the default behaviour.
Related
I'm currently working on at the displaying of information from a database. I was making a summary site where you can only see the important things of a table. After that i made the first element as an <input type="submit"> in a <form>, so u can click it and come to the detail site. My problem is now: The value of this input type has to be my ID, so i can query correctly on me detail site. I was wondering if it is possible to use something like a placeholder, so that the ID is the value, but on the input type is written other text.
My input:
<form method="post" action="Details.php">
<input type="submit" placeholder = "test" name="Overview" onclick="parent.location='Details.php'" value="<?php echo $data[$i1]; ?>">
</form>
How it currently looks
I want it that the input type still has the same value, but is displaying on the website something else like "test".
Greetings!
No, but buttons can have different values and labels.
<button name="foo" value="bar">baz</button>
Since you are using a form-tag per row, you can add a hidden input-field in the form and set the value of the submit-button to whatever you like.
<form method="post" action="Details.php">
<input type="hidden" name="id" value="<?php echo $data[$i1]; ?>" />
<input type="submit" name="Overview" value="test" />
</form>
I am using the value of search form Director1 to auto input in the value of "director_id_1" in the form CompanyDirectors, it is working.
However, if I use search form Director2 to auto input in the value of "director_id_2", it is working but meanwhile the value of "director_id_1" will be empty again.
So, how can I keep the auto input value of "director_id_1" after search Director2 ???
The below code is saved in the same page: Director.php
<h2> Company Director(s) - Input</h2>
<hr style="border: 1px dotted #2c1294;">
<form name="Director1" action="" method="POST" accept-charset="UTF-8" >
<input type="text" name="QueryDirector1" />
<input type="submit" name="DirectorName1" value="Search Name of Director 1 to input ID" />
</form>
<form name="Director2" action="" method="POST" accept-charset="UTF-8" >
<input type="text" name="QueryDirector2" />
<input type="submit" name="DirectorName2" value="Search Name of Director 2 to input ID" />
</form>
<hr style="border: 1px dotted #2c1294;">
<form name="CompanyDirectors" method="post" action="Director_insert.php" accept-charset="UTF-8" >
<b>ID of Director 1:</b>
<input type="number" name="director_id_1" required="required" value="<?php echo $director_id_1; ?>" >
<br>
<b>ID of Director 2:</b>
<input type="number" name="director_id_2" required="required" value="<?php echo $director_id_2; ?>" >
<br>
<input type="submit" name="submit" value="Submit">
</form>
Thank you very much for your help & support first !
If your question (which I find very hard to understand) is:
I want anything already submitted on the first form (Director 1) to be maintained upon submission of the second form (Director 2), and vice versa. How could I achieve this?
Then my answer would be use sessions or the database for persistence.
If I am understanding your question correctly, you do not understand that HTTP requests are (by nature) stateless. In other words: when you submit any form data, it is processed server-side and then ceases to exist. The "state" then disappears.
You could cache the submitted data temporarily in a $_SESSION[...] variable, or you could store it into the database (and retrieve it back out) or use HTML5 storage in the browser or do something less elegant like use hidden HTML inputs in the second form. (Or just use one form.)
Some useful links:
http://www.w3schools.com/php/php_sessions.asp
http://php.net/manual/en/session.examples.basic.php
https://en.wikipedia.org/wiki/Stateless_protocol
So for example:
<?php
session_start();
if (isset($_POST['DirectorName1'])) {
$_SESSION['directors'][1]['name'] = $_POST['DirectorName1'];
}
if (isset($_POST['DirectorName2'])) {
$_SESSION['directors'][2]['name'] = $_POST['DirectorName2'];
}
Then print the values from $_SESSION rather than $director_id_1 etc.
It's hard to help without a full copy of your code.
I have a form for asking information about courses , every course has it page, but the information page is one for all.
The form should be something like that:
<form action="#" method="POST">
<label for="name">Name</label>
<input name="name" type="text">
<label for="email">Email</label>
<input name="email" type="email">
<input type="hidden" id="code" value="<?php echo $course_code; ?>">
<input id="submit" type="submit" value="Invia" />
</form>
I wish to change the var $course code according to the referrer page. (With a $_GET var)
I tried "Shortcode Exec PHP" plugin to execute php in wp pages, but doesnt work.
When you POST the form, the variable won't be set in $_GET but in $_POST. It's either one or the other, so if you want to read the $_GET var, you must also use GET on the form, like this:
<form action="#" method="GET">
<label for="name">Name</label>
...
(this is what Fred commented on, but I couldn't expand upon that comment due to my low rep)
I was wrong to use "Shortcode Exec PHP" plugin.
I set a shortcode:
$course_name = $_GET['cn'];
$courses= array("courses1","courses2","couses3");
if (in_array($course_name, $courses)) {
echo $course_name:
}
and the in the wordpress page can be used the name of the shortcode
[couse_name]
Now its work!
You can just use $_REQUEST so it doesn't matter if its a POST or a GET from the form. But I wouldn't use GET from a form unless it was a search or something where the user could bookmark the url and see the result. Mostly use POST for all other instances.
HTML form...
<form method="post">
<label>Name<br>
<input type="text" name="name">
</label>
...
<input type="submit" value="Invia">
</form>
PHP page that handles the form...
<?php
// $_REQUEST will contain POST, GET & COOKIE
echo $_REQUEST['name'];
?>
I've created a photo competition where when users see themselves in a photo they click the (I'm in this photo) callout.
This pops up a form for them to fill in. I've had no problems collecting the data from the form and saving it to a database.
My issue is that I need to be able to reference the photo that they were in.
Firstly I need to transfer the photo name/id from the first page to the second pop out Competition entry form page, and from there I need to be able save both to the database.
Any suggestions? I've tried using a session variale to call the photo name/id from the first page to the second.
Any help will be greatly appreciated.
UPDATED CODE:
Page 1: Photo gallery sample. Tried hidden form fields to call data, but obviously it doesn't call the photo info from those hidden fields.
<li>
<a class="thumb" name="007" id="007" href="images/9133440_DSC_0087.jpg" title="Title #6"><img src="images/9133440_DSC_0087_thumb.jpg" alt="Title #6" /></a>
</li>
</ul>
</div>
<div id="inphoto">
<img src="assets/inphotobutton.jpg">
</div>
Page 2: Competition entry page with form.
<div id="form">
<form name="epcomp" id="epcomp" method="GET" action="form.php" >
<p class="name"><label>Full Name:</label><br/> <input type="text" name="name" id="name" value="Your Name" onblur="if(this.value == '') { this.value='Your Name'}" onfocus="if (this.value == 'Your Name') {this.value=''}" maxlength="30" required/></p>
<p class="email"><label>Your Email:</label><br/> <input type="email" name="email" id="email" value="Your email" onblur="if(this.value == '') { this.value='Your email'}" onfocus="if (this.value == 'Your email') {this.value=''}" maxlength="60" required /> </p>
<p class="entry"><label>Your favourite festival moment: <span style="font-size:10px;">(Max 50 words)</label> <br/>
<p><textarea cols="40" rows="5" name="entry" id="entry" onfocus="if(this.value==this.defaultValue)this.value='';" onblur="if(this.value=='')this.value=this.defaultValue;" maxlength="50" required>Enter you answer here...</textarea></p>
<p class="button"><input class="button" type="submit" value="Enter Competition" name="formSubmit"/></p>
<?php echo '<input type="hidden" name="photoId" value="' . $_GET['imageID'] . '">' ?>
</form>
Page 3: My form data page.
$imageID = $_GET['imageID'];
$varName = $_GET['name'];
$varEmail = $_GET['email'];
$varEntry = $_GET['entry'];
$query = "insert into comp_entry (imageID, name, email, entry) values ('$imageID' , '$varName' , '$varEmail' , ' $varEntry')";
$qresult = mysql_query($query);
There are no values in input tags.
<form method="POST" action="compentry.php" onClick="wopen('compentry.php', 'popup', 448, 590); return false;">
<input type="hidden" name="photoName">
<input type="hidden" name="photoID">
<input type="image" src="assets/inphotobutton.jpg" name="submit" value="" class="submit" alt="Submit">
</form>
You may:
Insert a get value <form method="POST" action="compentry.php?imageid=<?php echo ...; ?>" and retrieve it in the 2nd form
Insert a post variable using <input type="hidden" name="photoId" value="..."> (you forgot the value tag).
Using POST in your example is yet not possible as you have no submit button. Instead of <input type="image" you need input type="submit". But submitting will not open another window, so you need to pass the variable other way.
Therefore I would stay in the 1st option, no <form> is however required, so make the code like this:
<a href="#" onclick="wopen('compentry.php?imageid=<?php
echo $imageID; // here goes PHP code
?>', 'popup', 448, 590); return false;">Click to open form</a>
In the competition form you know what picture you're about by using $_GET['imageid'].
EDIT
You need to decide how you want to achieve your goal. If you use form you can pass parameters by get or post method. However, you can also pass your variables with get method putting them into the URL.
Because the second way is simpler, I told you to remove the entire form tag and pass your image id by calling this site in a tag's onclick event, but you can choose any tag you like (I suggest to use that div from your first comment).
This calling is being done when I open the page in this line onclick="wopen('compentry.php?imageid=***', 'popup', 448, 590);, where you need in place of *** insert your image id. I proposed PHP echo function and this is how it's usually done.
Your 1st page requires nothing more. Clicking on the element will make popup and send request to the compentry.php passing the imageid variable by get method. The same would be if you make a form, method get, action compentry.php, hidden input field "imageid" value . You can see that calling the URL compentry.php?imageid= is much simpler than all this form stuff.
That's all -- when you are ready you must code the popup page. This is your second comment. This image id is to be retrieved by $_GET["imageid"]. So if this is also a form having however many fields, here the post method (not get) would be recommended.
So this line
<input type="hidden" name="photoId" value="photoID">
should look (in PHP) something like
echo '<input type="hidden" name="photoId" value="' . $_GET['imageid'] .'">
You need to put the image id you got from the 1st page by $_GET["imageid"] to the HTML of the 2nd page so that you can send it further to the last page.
Summary
The photo gallery uses <div onclick="wopen('compentry.php?imageid=***', 'popup', 448, 590);">. Code marked with *** is inserted by PHP and contains image id.
User clicks this div, JavaScript works, opens new pop-up window and the browser says: please send me contents of this page compentry.php?imageid=***
The server opens your compentry.php, draws a <form action="form.php" method="post"> (or get if you prefer)
Drawing HTML it encounters <input type="hidden" name="imageid" value="####"> where it is required, that in the place the server (PHP in fact) will echo contents of what is in $_GET['imageid'] what it received from photogallery.
User clicks submit button and the form is submitted. Among variables he entered there is a hidden one imageid, which has the same name (might have different, no problem), but the same value as in the photo gallery.
The file form.php receives all variables as new ones.
I have a text box which picks up a value from my database and is a read only text box. it contains some information which i want to send to my datbase but nothing is being recorded. Once the textbox isnt a read only, the data is successfully stored. Is there any way i can keep my textbox disabled and still send the data to my database?
<form action="refnoadded.php?public=<?php echo $id; ?>" method="post">
<span id="sprytextfield1">
<input type="text" name="ref" value="<?php echo $newpass ?>" disabled />
<input type="button" onClick="history.go(0)" value = "Generate Reference">
<br />
<span class="textfieldRequiredMsg">Reference Number Required</span>
</span>
<br />
<input type="submit" value="Add Reference" />
</form>
any ideas?
disabled doesn't send data to server
use
<input readonly value="my value" name="myname">
HTH!
have the data in a second hidden input:
<input type="hidden" name="ref_hidden" value="<?php echo $newpass ?>" />
the user won't see the difference and you will get your value send when submitting the form.
Disabled textfields don't submit their information to $_POST or $_GET. You can simply use the form element
<input type="hidden" name="rev_hidden" value="<?php print $password; ?>" />
This is the standard (correct) way to pass hidden information in the form.
Another use for this element is if you want to pass a "formsubmitted" variable.
However, if you want to create a value and have it uneditable by the user, do it on the server side. Create the value when you create the database, since users can relatively-simply send other data in the place of what you've generated.