What's the Problem?
Primary Key is present in Url so the data for other records can be seen easily by easily changing the Url.
Rendered html has hidden field present. Anybody can easily change other records based upon this Hidden Field.
When I edit the page. My Url looks like below.
http://localhost/Category/3
and Below is the rendered Html
<form method="POST" action="http://localhost/UpdateCategory" accept-charset="UTF-8">
<input name="_token" type="hidden" value="AmAXKmqtct6VOFbAVJhKLswEtds4VwHWjgu3w5Q8">
<input name="CategoryID" type="hidden" value="3">
<input required="required" name="Category" type="text">
<input class="btn btn-success" type="submit" value="Update">
</form>
Please suggest some Url and Form security in Laravel 5.1
There are many worksaround which shall by handled by us to avoid such incidents.
Fix 1 :
If you don't want to reach the user's by just changing the url
(i.e., Directly passing the id in url )
You shall filter the requests by
if($_SERVER['HTTP_REFERER']!='')
{
}
else
{
exit;
}
You shall have this in your Middleware or even in your view if you wish
Fix 2 : Never worry about the _token that is visible when you see form source
It is just the token that is generated by laravel app which is to identify whether the request is from authenticated source or not.
If you edit the token and pass the form you will surely get CSRF Token Mismatch Exception
Infact this is one of the great feature of Laravel.
Interesting Point : You can also find something in the headers of the browser ;)
Happy using Laravel ;)
Related
Hello: I have done tons of html forms in wordpress and am now trying to do the same in laravel. The problem is with submitting the form; it is not going to my destination or passing the post variables as I would expect. (i am getting errors on the loading of the page).
I know it has something to do with the "routes" and possibly also CSRF? (been reading a lot on this and seeing all kinds of info
I have seen things about using Laravel to build a form "open form/close form" but I am trying to find a way to just use an html form
I have the default laravel installed with nothing extra...
I tried adding a "post" route but that did not help...
here is what i have now:
this is from my routes.php file:
Route::post('gz_form', ['as' => 'gz_form', 'uses' => 'cont15_gzap#gzap_cont_function']);
here is the top of my form:
<form method="post" autocomplete="off" action="{{ route('gz_form') }}" >
<input name="_token" type="hidden" value="{{ csrf_token() }}"/>
<input type="hidden" name="gc_post" value=2 />
(I threw on that token input as some people suggested that...)
Anyway - I am hoping someone can help me with this...
you have to check your route method .. is it post or get .. and check if your route named already or not ..
Route::post('/gz_form', 'YourController#handler')->name('gz_form');
while you using {{ route('gz_form') }} you need to name it
I was able to get this to work using both of your inputs - but once i had it down to the token mismatch - i finally got it to work by changing the input on my form to:
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
i found that somewhere and by doing that the token mismatch went away...
But thanks for your help guys - getting this to work took more than one step and so your help was needed and helpful...
I've got the following HTML
<form action="/home" method="post">
<input type="hidden" name="_method" value="POST">
<input type="text" name="var">
<button type="submit">Submit</button>
</form>
on the server side, I trigger different actions based on the type of request I get. The _method hidden field governs that action. Can users not simply change the value to, say DELETE and cause mayhem? I tried it on my local Apache server, and it does in fact trigger the delete route, which could potentially be disastrous.
I also know that I'm not the only one using this practice, as I've seen it on official documentations for various frameworks, so what am I missing?
You can check the method name on the server side with:
<?php
if ($_SERVER["REQUEST_METHOD"] == "GET") {
// collect value of input field
}
else{
// Do nothing
}
?>
Note: Change "GET" as you see fit.
Note2: $_SERVER["REQUEST_METHOD"] is generated by the server. User can not edit it. So, you can check with this variable what kind of request you have (GET, POST, PUT,...).
Hope it helps you!
I have a simple HTML post with a php variable included as the value, I wish to use this in my codeigniter project what is the best way to do this.
Here is my correct code (I do have the form helper)
<form action="https://www.mysite.co.uk/1/" method="POST">
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>;
<input class="btn btn-primary" type="submit" role="button" id=""></input>
</form>
I may have misunderstood your question with my first answer.
If all you want is a post button, then you can write this
<input type="submit" class="btn btn-primary" role="button" value="Send" />
Or use the form helper
<?php echo form_submit('BtnName', 'Send'); ?>
// Would produce:<input type="submit" name="BtnName" value="Send" />
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_submit
You can do what you are doing:
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>">
Or use set_value like this:
<input id="start-test" type="hidden" name="userid" value="<?php echo set_value('userid', $userID); ?>">
This will repopulate the field value on form error. I have missed off the HTML special chars but you can include that still if you feel like you need to, but I presume this is an id from a database, that is set with auto increment and as it is not user generated data the use of html special chars here might be a bit unnecessary.
In your controller you can access the post variables like this:
$posted_id = $this->input->post('userid');
However, you should be using form validation on posted data. This is quite a big topic but you can read about the above in the docs. Also referring to your User ID directly is not always a great solution since this form can be easily manipulated. You can help to alleviate that somewhat with CI CSRF protection and using form_open but it is often best to use sessions and get the ID from there. You should not ever have to include a user id in a hidden form variable.
Set Value
http://www.codeigniter.com/user_guide/libraries/form_validation.html#re-populating-the-form
Reading post variables
http://www.codeigniter.com/user_guide/libraries/input.html#accessing-form-data
Form Validation in general
http://www.codeigniter.com/user_guide/libraries/form_validation.html#form-validation
Form open and CSRF
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_open
CI Sessions
http://www.codeigniter.com/user_guide/libraries/sessions.html#session-library
If you are not familiar with security practices it is sometimes best to get to know and use a mature and developed authorization and authentication library. There are many so I will not recommend one here. Just do a search for one and find one that suits your needs.
I'm having problem with CSRF Validation in yii2. The validation works fine with the default form generated by the gii but when I edit the form with html tags then the form submission throws a bad request error. I have disabled csrf validation to hide the error but I want to use this for the security of the application and data validation.
Is there any way of solving this error or is there a way of configuring it to work correctly in this scenario?
I guess, your html form doesn't have hidden _csrf field, which is automatically generated by standard Yii2 widgets.
So the minimum code of your custom form might be like this:
<form method="post">
<input type="hidden" name="<?= Yii::$app->request->csrfParam; ?>" value="<?= Yii::$app->request->csrfToken; ?>" />
<button type="submit"> Save </button>
</form>
Try this
<?=yii\helpers\Html::hiddenInput(Yii::$app->request->csrfParam, Yii::$app->request->csrfToken)?>
I would like to make a button on my website that automatically logs me in on another website. I recon I can use either Javascript/jQuery or PHP/cURL to do this.
Which is the best way to go?
You may use either remote javascript or iFrame. Find more details here: http://kuza55.blogspot.com/2007/06/building-secure-single-sign-on-systems.html
Also checkout google's approach named SAML: http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
It depends what the website is. JavaScript and jQuery alone cannot be used due to the cross-domain policy. You could perhaps use a combination of cURL and AJAX to achieve something similar.
I think you might need to provide a little more information about the site, and exactly why you'd want to do this...
I'm not sure if this is exactly what you're looking for, but one thing I have done in the past is to mimic the login form on the site you want to log in to.
For example lets say you want to log in to 'example.com'. In the source code for the login page of 'example.com' you will find the html code for the login form.
Example
<form name="blabla" action="action.php" method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="sumbit" value="Login" />
</form>
Create a form on your site similar to the one you find in 'example.com'. If you want you can even hide the fields, include values to make it a one button login. The trick is making sure that the action has the actual url. For example if the form says 'action.php' for 'example.com' you would put 'http://example.com/action.php'
Example
<form name="blabla" action="http://example.com/action.php" method="post">
<input type="hidden" name="username" value="testuser" />
<input type="hidden" name="password" value="testpass" />
<input type="sumbit" value="Login" />
<form>
This will log you in to the site in most cases. If you don't want to leave your own site you can set a 'target' for the form to an iframe or something.