Let's say I have a form that looks like this:
<form action="/script.php" method="post">
<input name="my_input" maxlength="80" />
<input type="submit" value="submit" />
</form>
Now I also want to include a numeric identifier - call it a ticket id. "Here's the ticket history, do you want to add something?" The user can't modify that.
My question is...what is the safest way to get that ticket id in the form submission?
No problem accomplishing it, but my question is around security. So here are the ways to get a variable back that I can think of:
<form action="/script.php" method="post">
<input name="my_input" maxlength="80" />
<input type="hidden" name="ticket_id" value="12345" />
<input type="submit" value="submit" />
</form>
or
<form action="/script.php?ticket_id=12345" method="post">
<input name="my_input" maxlength="80" />
<input type="submit" value="submit" />
</form>
I'm concerned that someone could craft a malicious POST, submit it, and append their comments to a different ticket, i.e., compose a POST from their own server/browser/tool. If I was doing this with GET then they certainly could do that just by changing the URL vars; it's possible to do that with POST too, right?
I can check that the user owns that ticket of course and do some other validation, but fundamentally, how do you present data to a user and safely get it back again in an HTML form?
Is there something other than creating a unique serial number ("FORM 12345 should present ticket id 6789") record on the server side and then checking it back?
I'm using PHP & MySQL on the backend though I'm not sure my question is specific to those technologies.
Use the session.
form.php
<?php
session_start();
// The ticket id is decided on the server and stays there; nothing in the form carries it.
$_SESSION['ticket_id'] = '1234';
?>
script.php
<?php
session_start();
// Read the id back from the session, not from $_POST or $_GET.
$ticket_id = $_SESSION['ticket_id'];
?>
On page1.php I have a form which sends vars via POST to page2.php.
However, I only want to process the form if it is called from page1.php.
How do I check for this?
Kind regards!
EDIT:
It's a kind of security measure. If I'm a hacker and I copy the form code from the source of the page and run it, I can change crucial vars.
EDIT2:
Ok here is the actual problem:
Users can edit credit to their account. They can choose values from 5EUR to 50EUR.
Eventually they come on a page 'deposit.php' where the final form is sent to a page 'payments.php' which then sends the var to Paypal.
Deposit.php:
<form class="paypal" action="paypal/payments.php" method="post" id="paypal_form" target="_blank">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="lc" value="BE" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="item_number" value="50" />
<input type="hidden" name="price" value="47.50" />
<input type="submit" class="uibutton" value="Betaal met Paypal" style="width: 100%; font-size:120%;" />
</form>
(BTW they get a discount if they add 50EUR)
Well, first of all you have to understand that there is no security measure of the kind you describe.
And, of course, no method provided by the other participants can protect your "crucial vars". They were actually answering a different question, one more familiar to them.
Forms are intended to be filled in by the client party, so you can't expect any variable to remain untouched. Everything coming from the client side can be spoofed, no matter what measures you take.
So whatever "crucial vars" you have should remain on the server, while all the data coming from the form should be considered unsafe and treated accordingly.
Depending on the application, you could use $_SERVER['HTTP_REFERER'] and do a check but the problem with it is that not all browsers send it, and it is modifiable by the user. So if this is just for a few people that you know it probably won't be a problem. If this is for the world it isn't recommended.
What I usually do is set a session on page 1, then check for that session on page 2. Every time page 1 loads you need to reset the session.
page1.php
<?php
session_start();
// Fresh unpredictable token on every load of page 1; stored server-side in the session.
$hash = $_SESSION['hash'] = bin2hex(random_bytes(16));
?>
<form action="page2.php" method="post">
<input type="hidden" name="h" value="<?php echo htmlspecialchars($hash, ENT_QUOTES, 'UTF-8'); ?>" />
Your Name: <input type="text" name="name" />
</form>
page2.php
<?php
session_start();
// The submitted token must be present and match the one issued on page 1 (constant-time compare).
if (!isset($_SESSION['hash'], $_POST['h']) || !hash_equals($_SESSION['hash'], (string)$_POST['h'])) {
header("Location: page1.php");
exit;
}
// process data
I think Adam D's response is too weak (anyone can change that just using Firebug). What you want to prevent is users skipping a step, or XSRF.
In that case I would say use sessions.
Create a session
Save the current step
Retrieve and validate the current step and halt or continue according to the value
In your form, include a hidden field that you then check for on page2.php. See below:
<form action="post.php" method="POST">
<input type="text" name="fname" id="fname" />
<input type="hidden" name="cameFromPageOne" value="true" />
</form>
Then, on the top of page2.php, check that the hidden variable is set, and if not, redirect back to page1.php
<?php
if(!isset($_POST['cameFromPageOne']) || $_POST['cameFromPageOne'] != 'true') {
header('location: http://www.example.com/page1.php');
exit();
} else {
// ... code to process if they DID come from page1.php
}
?>
There's no reason to overcomplicate it; there's a global variable in PHP which tells you the URL your current script was requested from:
echo $_SERVER["HTTP_REFERER"];
Hello my dears you always help me go further.
I have a problem with a form.
How can I protect it from user manipulation after being submitted?
FORM
echo "<form method=\"post\" action=\"/selling.php\">
<input type=\"hidden\" name=\"user\" value=\"{$_SESSION['session_username']}\" />
<input type=\"hidden\" name=\"price\" value=\"$price\" />
<input type=\"hidden\" name=\"nick\" value=\"$nick\" />
<input type=\"hidden\" name=\"class\" value=\"$class\" />
<input type=\"hidden\" name=\"amount\" value=\"$amount\" />
<input type=\"submit\" name=\"reset\" class=\"input_submit\" value=\"Submit\" />
</form>";
How does it work?
The user logs in on my website, then based on his "$username", I retrieve his info from DB (nickname,class) and based on some conditions I create a "$amount" and "$price" for it.
Everything goes automatically, all the user has to do is to click the "Submit" button.
But I found out that he can manipulate the whole form and change for example the "$price" to 0...
What should I do and how?
Wherever you might derive $amount and $price from, it seems to be calculated before outputting the form. This means you can also just store those two values in a session like
$_SESSION['amount'] = $amount;
$_SESSION['price'] = $price;
and get rid of them in the form completely. You will be able to access these sessions in selling.php so long as you start the session before trying to access it by doing:
session_start();
Through this, none of the sensitive information will be shown in the form/source code, but it will still be available in selling.php.
Remember to always do validations in the backend, i.e. PHP code, never in the front end.
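Putting this answer together with the earlier point that "crucial vars" belong on the server, here is an added example (not code from any of the posts above) of the two halves of such a flow: the page that computes the amount and price stores them in the session and emits a form with nothing but a submit button, and selling.php reads the values from the session and ignores anything the client posts. The file name offer.php, the login.php redirect, the $pdo connection, the sales table and the numeric values are assumptions made for the example; the discount-at-50-EUR rule is the one described on the page.

```php
<?php
// offer.php (added example): crucial values are computed here and kept in the
// session; the form itself carries no price, amount, user or class.
session_start();
if (empty($_SESSION['session_username'])) {     // session key as used on the page
    header('Location: login.php');              // login.php is an assumed page
    exit;
}
// Assumed: amount is derived from server-side account data, never from the client.
$amount = 50;                                   // constructed value for the example
$price  = ($amount >= 50) ? 47.50 : (float)$amount; // discount rule from the page, figures constructed
$_SESSION['offer'] = ['amount' => $amount, 'price' => $price];
?>
<form method="post" action="/selling.php">
<input type="submit" value="Submit" />
</form>
```

```php
<?php
// selling.php (added example): trust only the session for user, amount and price.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (empty($_SESSION['session_username']) || empty($_SESSION['offer'])) {
    header('Location: offer.php');              // no server-side offer: start over
    exit;
}
$user   = $_SESSION['session_username'];
$amount = $_SESSION['offer']['amount'];
$price  = $_SESSION['offer']['price'];
unset($_SESSION['offer']);                      // one-shot: a resubmit cannot reuse it

// A forged hidden field such as price=0 is simply never read; $_POST['price'] is ignored.
// $pdo is an assumed PDO connection; the sales table is assumed for the example.
$stmt = $pdo->prepare('INSERT INTO sales (user, amount, price) VALUES (?, ?, ?)');
$stmt->execute([$user, $amount, $price]);
echo 'Sale recorded for ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```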
I have very simple form (the file is called message.php):
<?php
print_r($_POST);
?>
<form method="post" target="_top" action="<?php echo CANVAS_URL;?>message.php">
<input type="text" name="your_name" />
<input type="hidden" name="signed_request" value="<?php echo $_REQUEST['signed_request'];?>" />
<input type="submit" name="send" />
</form>
I found one solution to this issue, putting a hidden input with the signed_request into the form. I did that, but unfortunately I am still facing this problem: I cannot retrieve the sent POST data.
If I change the method to method="get", everything works well, but I need the data from POST.
Could anyone help me, how to solve this problem? Thanks!
Try this. I don't believe you need to use target in FB canvas apps anymore. Also a form ID would be good.
<form method="POST" id="my_form" action="message.php">
<input type="text" name="your_name" />
<input type="hidden" value="<?php echo htmlspecialchars($_POST['signed_request'] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="signed_request" />
<input type="submit" name="submit" />
</form>
POSTing to Canvas URLs (as in http://apps.facebook.com/namespace) is simply not supported.
But why post to the top window instead of simply staying within the iframe? It's way better as it doesn't require the entire page to be reloaded, only the iframe.
For example, I have a user system that displays each user's IP address. I want to place a small link on the page next to each IP that will send me to http://www.whatismyip.com/tools/ip-address-lookup.asp but POST the IP address, so that I can view it without inputting the IP myself (I'm lazy, what?)
Is this possible with javascript/PHP/HTML?
Not sure if I 100% understand what you want here but let me give it a try.
You have a list of your users' IP addresses, but want to link them so they're posted to the web page for a check?
In that case make a form for each IP address, set the form's action to the whatismyip site and make sure you have the IP in a field named the same as the field used for searching the IP on the external site.
So basically:
<form action="http://www.whatismyip.com/tools/ip-address-lookup.asp" method="post">
<input type="hidden" name="name_from_site" value="100.0.0.10" />
<input type="submit" value="Check IP" />
</form>
You can simply make a form that POSTs to the given URL.
<form action="http://whatsit.com" method="post">
<input type="hidden" name="ip" value="1.2.3.4">
<input type="submit" value="Go!">
</form>
You can use JavaScript to POST the data (using AJAX techniques) and let the link behave normally. It'd probably be easiest to attach your JavaScript to the link's onclick event.
Or, you could use the header function from PHP: http://www.php.net/manual/function.header.php
You can use this:
<form action="http://www.whatismyip.com/tools/ip-address-lookup.asp" method="post" name="ip_lookup_form">
<input type="hidden" name="IP" value="100.0.0.10" />
<button type="submit">Check out on IP Lookup</button>
</form>
Another lame question
So, I have a site that displays several students' requests to change advisors, with an Approve and Deny button for each student. Then I have a Javascript pop-up that confirms the decision when clicked on either button, and it will also e-mail the student about this decision. This should all be on one page as well.
How do I specify which student I will update and e-mail to? I know the query will be like $query = "UPDATE student set current_advisor = ".$requested_advisor." where SID = ".$sid, but how do I specify which student I'm doing this for?
I have only worked with php forms, where you have the user type in the information, but in this case, all the data is there already...
$sid is the id of the student you want to update... It depends how you're building the page. You can either insert a form for each student, as follows:
<?php foreach ($students as $student): ?>
<form method="post">
<input type="hidden" value="<?php echo (int)$student['sid']; ?>" name="SID"/>
<input type="submit" value="confirm" name="type" onclick="return confirm('Sure?');"/>
<input type="submit" value="deny" name="type" onclick="return confirm('Sure?');"/>
</form>
<?php endforeach; ?>
Then when the user clicks either approve or deny, your $_POST array in PHP will be filled with:
array("SID" => $theSID, "type" => "confirm or deny");
You have a couple options for doing something like this.
If you want to do it with actual <form>s, then you'd do this by putting the information you need in "hidden" form fields. For example, you can have something like this in each form:
<input type="hidden" name="SID" value="4" />
And use PHP to fill in the value for each hidden field when you're generating the HTML.
Another option is to just have the buttons open a link, instead of submitting a form. In that case, you can pass the values you need as "GET" parameters on the URL, like this:
http://yoursite.com/change_advisor.php?SID=4&new_advisor=18
And then have the change_advisor.php file use the variables $_GET['SID'] and $_GET['new_advisor'] to do the query you need.
I'm not sure if this is what you want exactly, but if you wanted a list of advisors and the option to approve or deny each, you could do for each advisor
<?php foreach($advisors as $advisor): ?>
<form method="post" action="somewhere">
<input type="hidden" name="id" value="<?php echo $advisor['id']; ?>" />
<input type="submit" name="result" value="Approve" onclick="return confirm('Are you sure you want to approve this advisor?')" />
<input type="submit" name="result" value="Deny" onclick="return confirm('Are you sure you wish to deny this advisor?')" />
</form>
<?php endforeach; ?>
Then that sends to your script a post array which should contain whether it was approved or denied, then you can handle it from there using the id variable to identify your record against your primary key.
Hope this helps :)
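As an added example (not code from any of the answers above) of what the receiving script should do with the hidden SID, since it is client-supplied just like the ticket id in the first question on this page: validate its type, whitelist the action, confirm on the server that a pending request for that student actually exists, take the new advisor from the database rather than from the form, and run the UPDATE from the question as a prepared statement. The $pdo connection, the advisor_request table with its status/email/requested_advisor columns, the $_SESSION['admin_user'] check and the mail() notification are assumptions for the example.

```php
<?php
// change_advisor.php (added example): handles the per-student approve/deny form.
session_start();

function handle_decision(PDO $pdo, array $post, string $adminUser): string
{
    // 1. The hidden SID is client-supplied: check its type before its meaning.
    $sid = filter_var($post['SID'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($sid === false) {
        return 'invalid student id';
    }
    // 2. Whitelist the action; any other value (forged or mistyped) is rejected.
    $type = $post['type'] ?? '';
    if (!in_array($type, ['confirm', 'deny'], true)) {
        return 'invalid action';
    }
    // 3. Authorization on the server: the request must exist and still be pending.
    //    The advisor to assign comes from the DB, never from the form.
    $stmt = $pdo->prepare('SELECT requested_advisor, email FROM advisor_request'
                        . ' WHERE SID = ? AND status = ?');
    $stmt->execute([$sid, 'pending']);
    $req = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($req === false) {
        return 'no pending request for that student';
    }
    // 4. Parameterised statements: $sid never becomes part of the SQL text.
    $outcome = ($type === 'confirm') ? 'approved' : 'denied';
    $pdo->beginTransaction();
    if ($type === 'confirm') {
        $pdo->prepare('UPDATE student SET current_advisor = ? WHERE SID = ?')
            ->execute([$req['requested_advisor'], $sid]);
    }
    $pdo->prepare('UPDATE advisor_request SET status = ?, decided_by = ? WHERE SID = ?')
        ->execute([$outcome, $adminUser, $sid]);
    $pdo->commit();
    // 5. Notify the student at the address stored server-side (mail() assumed configured).
    mail($req['email'], 'Advisor change request', "Your request was {$outcome}.");
    return 'ok';
}

// Only a logged-in staff member (assumed session key) may decide on requests.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_SESSION['admin_user'])) {
    echo htmlspecialchars(handle_decision($pdo, $_POST, $_SESSION['admin_user']),
                          ENT_QUOTES, 'UTF-8');
}
```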