I'm having problem with CSRF Validation in yii2. The validation works fine with the default form generated by the gii but when I edit the form with html tags then the form submission throws a bad request error. I have disabled csrf validation to hide the error but I want to use this for the security of the application and data validation.
Is there any way of solving this error or is there a way of configuring it to work correctly in this scenario?
I guess, your html form doesn't have hidden _csrf field, which is automatically generated by standard Yii2 widgets.
So the minimum code of your custom form might be like this:
<form method="post">
<input type="hidden" name="<?= Yii::$app->request->csrfParam; ?>" value="<?= Yii::$app->request->csrfToken; ?>" />
<button type="submit"> Save </button>
</form>
Try this
<?=yii\helpers\Html::hiddenInput(Yii::$app->request->csrfParam, Yii::$app->request->csrfToken)?>
Related
I have a simple HTML post with a php variable included as the value, I wish to use this in my codeigniter project what is the best way to do this.
Here is my correct code (I do have the form helper)
<form action="https://www.mysite.co.uk/1/" method="POST">
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>;
<input class="btn btn-primary" type="submit" role="button" id=""></input>
</form>
I may have misunderstood your question with my first answer.
If all you want is a post button, then you can write this
<input type="submit" class="btn btn-primary" role="button" value="Send" />
Or use the form helper
<?php echo form_submit('BtnName', 'Send'); ?>
// Would produce:<input type="submit" name="BtnName" value="Send" />
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_submit
You can do what you are doing:
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>">
Or use set_value like this:
<input id="start-test" type="hidden" name="userid" value="<?php echo set_value('userid', $userID); ?>">
This will repopulate the field value on form error. I have missed off the HTML special chars but you can include that still if you feel like you need to, but I presume this is an id from a database, that is set with auto increment and as it is not user generated data the use of html special chars here might be a bit unnecessary.
In your controller you can access the post variables like this:
$posted_id = $this->input->post('userid');
However, you should be using form validation on posted data. This is quite a big topic but you can read about the above in the docs. Also referring to your User ID directly is not always a great solution since this form can be easily manipulated. You can help to alleviate that somewhat with CI CSRF protection and using form_open but it is often best to use sessions and get the ID from there. You should not ever have to include a user id in a hidden form variable.
Set Value
http://www.codeigniter.com/user_guide/libraries/form_validation.html#re-populating-the-form
Reading post variables
http://www.codeigniter.com/user_guide/libraries/input.html#accessing-form-data
Form Validation in general
http://www.codeigniter.com/user_guide/libraries/form_validation.html#form-validation
Form open and CSRF
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_open
CI Sessions
http://www.codeigniter.com/user_guide/libraries/sessions.html#session-library
If you are not familiar with security practices it is sometimes best to get to know and use a mature and developed authorization and authentication library. There are many so I will not recommend one here. Just do a search for one and find one that suits your needs.
What's the Problem?
Primary Key is present in Url so the data for other records can be seen easily by easily changing the Url.
Rendered html has hidden field present. Anybody can easily change other records based upon this Hidden Field.
When I edit the page. My Url looks like below.
http://localhost/Category/3
and Below is the rendered Html
<form method="POST" action="http://localhost/UpdateCategory" accept-charset="UTF-8">
<input name="_token" type="hidden" value="AmAXKmqtct6VOFbAVJhKLswEtds4VwHWjgu3w5Q8">
<input name="CategoryID" type="hidden" value="3">
<input required="required" name="Category" type="text">
<input class="btn btn-success" type="submit" value="Update">
</form>
Please suggest some Url and Form security in Laravel 5.1
There are many worksaround which shall by handled by us to avoid such incidents.
Fix 1 :
If you don't want to reach the user's by just changing the url
(i.e., Directly passing the id in url )
You shall filter the requests by
if($_SERVER['HTTP_REFERER']!='')
{
}
else
{
exit;
}
You shall have this in your Middleware or even in your view if you wish
Fix 2 : Never worry about the _token that is visible when you see form source
It is just the token that is generated by laravel app which is to identify whether the request is from authenticated source or not.
If you edit the token and pass the form you will surely get CSRF Token Mismatch Exception
Infact this is one of the great feature of Laravel.
Interesting Point : You can also find something in the headers of the browser ;)
Happy using Laravel ;)
In Laravel 5, I notice that whenever I have a form in which I wrote in plain HTML, instead of using the Form::open, it is required to have a hidden input field for the token.
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>" />
And for a form that updates a record, it is required to have <input name="_method" type="hidden" value="PATCH">
Is it correct that I should always have these fields when writing forms using plain HTML? Is there other ways of doing this if I were still to write it in plain HTML?
Yes that's correct. For PATCH (and basically all non GET or POST verbs) there's no other way than using the _method.
This is described in the route chapter of the documentation: Method Spoofing
However you could disable CSRF protection. I'm not saying you should do that but if you wanted to, you can disable it by removing Illuminate\Foundation\Http\Middleware\VerifyCsrfToken from the middleware array in app/Http/Kernel.php
This is in the documentation as well: CSRF Protection
I have a HTML form inside of a PHP file and I am trying to validate this form using Jquery. To my dismay,I am not able to have the form validated before the page is summited, ie refreshed. Furthermore, I have use seveal different plugins and I do not get any notifications of any kind. Here is the form as is:
<div id="contactRight">
<form method="post" action="form.php">
<input type="text" class="required" id="first" value="First*" ></input><br/>
<input type="Last Name" value="Last*" id="lastname"></input><br/>
<input type="text" value="Email*" id="email"></input><br/>
<textarea id="subject" id="subject">Subject*</textarea>
<input class="submit" type="submit" value="submit"></input>
</form>
Using the bassistance validation plugin it says that you can give your inputs a class with a value of "required" causing the validation plugin to kick in. I am overfly frustrated with my attempts of making this form work. More so, using HTML 5 is catastrophic, I do not receice any notifications of any input fields not being filled in. Is there a different approach I should be taking?
If you want to use HTML5's native form validation, do the following:
for input fields requiring a value, add required attribute in the input tag
for checking email, the input tag should have a type attribute as 'email'.
for other sorts of pattern matching, use pattern attribute with regex.
Reference:
https://blog.mozilla.org/webdev/2011/03/14/html5-form-validation-on-sumo/
http://www.developer.nokia.com/Blogs/Code/2012/11/21/creating-a-custom-html5-form-validation/
BTW, If you want to disable this native form validation, add novalidate attribute in form tag.
I have discovered the problem, I can add a placeholder tag which will allow me to keep the values empty. I had values, so the validator was working as expected. Silly Me. My next question though, is the placeholder tag applicable in all other browsers?
I using symfony 1.4.8 and when trying to render the hidden csrf form field a value is not being added to the rendered field. I've done this before without issue. See the following to examples below to see the code and the rendered output.
Code:
<?php echo $form['_csrf_token']->render(); ?>
Generates:
<input type="hidden" name="contact[_csrf_token]" id="contact__csrf_token" />
Code:
<?php echo $form['_csrf_token']->renderRow(); ?>
Generates:
<tr>
<th><label for="contact__csrf_token"> csrf token</label></th>
<td><input type="hidden" name="contact[_csrf_token]" value="3cf960d4553e2649f86d0ccd12a26efe" id="contact__csrf_token" /></td>
</tr>
As you can see the second method generates the value for the csrf_token, but it also generates all the other row information. The render() method is supposed to just generate the 'widget' (in this case the hidden input field) with the value. For some reason it does not add a value.
Why do you need to explicitly render it? Why are you not using $form->renderHiddenFields() ?
Use $form->renderHiddenFields() instead.
You have to do a hard refresh. Something is stuck in your session.
Hard refresh is Shift+F5
If that fails, delete all your domain cookies for your domain and try again.
It is simply a session issue, provided you've not messed with csrf elsewhere.
Although there are some many different reasons for this behavior in symfony:
Do not use bind before process form validation.
Session time is over and there is no session id.
CSRF Validation is disabled or have not being set a csrf_secret value in settings.yml file
I present a quick solution to get CSRF Token value directly printed:
<input type="hidden" name="signin[_csrf_token]" id="signin__csrf_token" value="<?php echo $form->getCSRFToken(); ?>" />
Using:
$form->getCSRFToken();
will render a new generated CSRF Token.