As we know, passing $_POST['foo'] is the safest one on php.
even we want to pass variable without the end user notice, we can use <input type='hidden'>,
but too bad, even user with basic knowledge can notice this by inspecting elements (chrome) or show source code and change the value.
is there any way to encrypt or hide this value, so i can pass this 'secretly' parameter to the action page? javascript perhaps?
If you want a value to be secret, don't let it leave the server to begin with. Store secret values on the server only and give the client some token that lets him refer to the value without actually giving the value itself away.
The classic and most used example of this is a session, in which the user receives only a meaningless session id and all data associated with that session id is stored server side.
You can submit the form using HTTPS to prevent anyone else from seeing the traffic.
To prevent your user from seeing it, you could encode the value using JavaScript. For example, using AES encryption or a simple base64 conversion. Of course, you will need corresponding code on the PHP side to decode the value. I am not sure this is the best overall approach though, since a savvy user could still read your JavaScript and figure out what is going on - as deceze wrote, any value that is submitted to the client is no longer secret.
Related
Is there a way to transmit data from one site to another using the $_POST variable, or a similar one? Just to clarify, I am not talking about form data, and the user is not supposed to notice or have to do anything for the data to be transmitted. The $_GET variable is out of question because that can easily be spoofed in a white box attack. Furthermore the $_SESSION variable is out of question, as I am trying to transmit the data to the page, where I Start the session. Would using the $_COOKIE variable be an option that is comparably safe to the $_POST variable? Are there any other variables, that would be applicable to this situation?
Long story short, my question is can I use the $_POST variable without using a form, and if yes, how? AND/OR is there a way to directly transmit data from one page to another, with a level of security similar to the $_POST command?
** secure_log_in **
#confirmed users identity
header("Location: set_session.php?email=$email&setting_session=yes");
** set_session.php **
if (isset($_GET["setting_session"]))
{
start the session
}
The problem is, that if an attacker just tries to access the page set_session.php with the link shown above, as long as they know an email used by a user (we will just assume that the attacker knows an email used for the site) they can easily get access to areas they should not have access to. My question is, is there a way to use the $_POST command to send the $email over.
A way around this problem, may be using a cookie. How easy/difficult would it be for the attacker to create a cookie, with the email address required to access the secure section?
After trying it a lot longer I noticed, that the best way to solve this is to just include the page, and set a variable on one of the pages, to only run the script when you want to. This should be rather safe, and solves all of the problems and is less resource intensive, as well as faster.
I am developing a site where I am sending parameters like ids by url. I have used urlencode and base64encode to encode the parameters.
My problem is that how can I prevent the users or hackers to play with url paramenters Or give access only if the parameter value is exist in database?
I have at least 2 and at most 5 parameter in url so is this feasible to check every parameter is exist in database on every page?
Thanks
You cannot stop users from playing with your QueryString.
You can only validate them in your script before you do anything with them.
This also applies to POSTed variables as well, they can be hacked almost as easily.
So Validate, validate, validate.
In general if you concern about internal data put them in a session variable. But remember always everything out there is evil. You alway have to check if any input contain SQL injections.
If you use session cookies make sure that hey are http only. So no JavaScript can copy the session cookies and if possible never put them in the url itself. It's quiet easy to copy the url and hijacking a existing session.
This depends a bit on what you are using the parameters for. If they are private and should not be accessible to other users, you should link the data to a specific user and deny access to everyone who isn't authenticated as the correct user.
Also, always remember to sanitize user inputs, which includes URL parameters. Use prepared statements when passing user inputs to a database and encode it before serving it back to other users.
The best I would to is to validate on server side for the user entered paramters. Also I would check if the requests originated from my site (XSS & CSRF). Transmitting data post would be good but provides minimal security IMHO.
Therefore, validate and authenticate the originating location to ensure that it does not come from an outside source
Hello all,
While taking my time in the bath I though of something interesting. In PHP, how do you tell if the users' forms submitted is valid and not fraud (i.e. some other form on some other site with action="http://mysite.com/sendData.php")? Because really, anyone can create a form that will try send and match $_POST variables in the real backend. How can I make sure that that script is legit (from my site and only my site) so I don't have some sort of cloning-site data-steal thing going on?
I have some ideas but not sure where to start
Generate a one-time key and store in hidden input field
Attempt (however possible) to grab the url on which the form is located (probably not possible)
Using some really complicated PHP goodies to determine where the data is sent (possible)
Any ideas? Thanks all!
Most of these attempts from hackers will be used by curl. It's easy to change the referring agent with curl. You can even set cookies with curl. But spoofing md5 hashed keys with a private salt and storing it in session data will stop most average hackers and bots. Keeping the keys stored in a database will add authentication.
There are few simple ways like:
Checking $_SERVER['HTTP_REFERER'] to ensure your host was the referring script
Adding hashing keys in the forms and checking them with the server session variable stored.
But all the above can be manipulated and spoofed in some way. So, you can use CSRF Validations. Here is a very good article on this.
Other additional techniques I have encountered are:
Adding time limits to forms and ensure they are submitted with in that time.
On every interaction with the form, send AJAX request to validate and reactive the form's timelimit.
HTML5 provides a new input type . The purpose of the element is to provide a secure way to authenticate users.The tag specifies a key-pair generator field in a form.
When the form is submitted, two keys are generated, one private and one public.
The private key is stored locally, and the public key is sent to the server. The public key could be used to generate a client certificate to authenticate the user in the future.
Keygen tag in HTML5
RFC
Say I have one form that changes its content (fields and options) based on the user's current state in a multi-state process. Say that it always leads to the same action, which means the action needs to figure out what event occurred and on which entity.
<form action='/somecontroller/someaction' method='post'></form>
What is the most common way of transferring this sensitive data to the controller? I'm reluctant to even suggest hidden fields, as those can be changed by anyone. Two way encryption of some sort which is then decrypted in the action and used to determine the rest, server-side? Perhaps serialize sensitive info, encrypt it, and put it in a single hidden field on the client side of the form, then decrypt and unserialize in the controller?
<?php
$hiddenData = unserialize($this->decrypt($_POST['hiddenData'], SALT));
unset($_POST['hiddenData']);
$data = array_merge($hiddenData, $_POST);
...
Basically - how do I send some data with a form securely without exposing it to outside alterations, that is, without making sure something can go wrong if it is altered? Is there some kind of best practice regarding this?
You never send that data to the client at all.
Store it server-side within the session management capability (for PHP, you can access that using the $_SESSION variable) and only send the session token (long random number, PHP has routines for generating/maintaining good session identifiers as well) to the client (typically done in the form of a cookie). For keeping track of data in a multi-step process (including the state that the user is in), you never want to expose that to the client.
Interesting question. What I would do is a combination of the following (if sessions are not a solution for you):
employ a AES_256 / modifyed AES_256 crypt/decrypt on a serialized representation
make a MD5 + SALT (or similar) hash of the variables that you could compare with a stored hash to determine if any manipulation took place
use something like the user's IP as SALT to generate the hashes or for the crypt functions, thus if a user's IP should change you'll know that (beware: an IP address might change under some circumstances)
How can I prevent users from forging forms on the PHP or jquery side, I am using Jquery's ajax functionality to submit the forms, and this means that tech-wise people can change some variables such as the value of something (that shouldn't be changed / is a user id or something like that) through the use of firebug or web inspector and likewise.
So how can I prevent users from changing these variables or making sure they are unchangeable through a secure and good way?
Thanks
As the others have already stated, you can't prevent the user from tampering.
You are receiving data from me, and I can send you anything I want, I can even do an HTTP request by hand, without even using a browser, and you can't do anything about it.
If you don't want a user to be able to alter an information, don't provide it to him.
You can store it in PHP's session, which is stored server side (do not use cookies, they too are sent to the user) or save it in a database, both of them are not accessible to the end user.
If you still want to pass the data to the user, compute some sort of hash (a secure hash, using a secure hashing algorithm and a secure message digest as Gumbo noted, this rules out algorithms like CRC32 or MD5 and MACs like your name or birthday) of the data and store it server side, then when the user submits back the data, check if the hashes match.
But do know that this solution is not 100% secure. Hashing functions have collisions, and bad implementation exists.
I would recommend to stick to the golden rule: if it's not there, it cant break / be tampered / be stolen / etc.
You cannot prevent users from doing so.
Store these variables in a Session.
You can never trust the client. Validate the form on the server to ensure the data is sane. This means checking that a given user ID has permissions to post their form, etc.
I'm going to go with... you can't. You never trust the user's data; client side verification is always only the first line of defense.