as i want to send some sensitive information like 'user id' through ajax which is the best way to transfer them. right now i am just concatenating with the html tag's ids and then splitting and using them . please suggest a better way . i hope there must be one for this
The best way to transfer identification values (such as user_id) is to not transfer them at all. If you can, I'd grab the current user_id from a session, that way it isn't possible for a user to change that "user_id" to immatate someone else.
However if this option doesn't fit your application, you can always hash the user_id on the server side, such as:
md5($user_id . "randomsalthere");
Then when you check the request, see if:
$_POST['secret_hash'] == md5($_POST['user_id'], 'randomsalthere');
Links:
Salt
Hash
PHP Sessions
Would POST work for you? Only the User would be able to sniff out the POST parameter,
The most secure way would be to use https, regardless whether you are using POST or GET.
Another question that comes to mind: Do you really need to send this information, canĀ“t you just keep it on the server in a SESSION?
JQuery has some encryption plugins. You can encrypt your values before sending them, and decrypt them in php.
Related
As we know, passing $_POST['foo'] is the safest one on php.
even we want to pass variable without the end user notice, we can use <input type='hidden'>,
but too bad, even user with basic knowledge can notice this by inspecting elements (chrome) or show source code and change the value.
is there any way to encrypt or hide this value, so i can pass this 'secretly' parameter to the action page? javascript perhaps?
If you want a value to be secret, don't let it leave the server to begin with. Store secret values on the server only and give the client some token that lets him refer to the value without actually giving the value itself away.
The classic and most used example of this is a session, in which the user receives only a meaningless session id and all data associated with that session id is stored server side.
You can submit the form using HTTPS to prevent anyone else from seeing the traffic.
To prevent your user from seeing it, you could encode the value using JavaScript. For example, using AES encryption or a simple base64 conversion. Of course, you will need corresponding code on the PHP side to decode the value. I am not sure this is the best overall approach though, since a savvy user could still read your JavaScript and figure out what is going on - as deceze wrote, any value that is submitted to the client is no longer secret.
I'm sending data from an Android app to a php script which recieves the information and procces it, I've found a security issue: if someone discovered the url (for example: mydomain.com/recievedata.php), anyone would be able to send data to my system.
What's the ideal method to ensure the client sending the data is the app?
Thanks!
One easy way that I've seen some companies do is to include a secret key. For example, you might have a secret=3CH6knCsYmvA2va8GrHk4mf3JqmUctCM parameter to your POST data. Then all you need at the top of receivedata.php is
if($_POST['secret'] != '3CH6knCsYmvA2va8GrHk4mf3JqmUctCM') {
header('HTTP/1.1 403 Forbidden');
error_log("ERROR: wrong secret: " . $_POST['secret']);
exit("Access denied");
}
You can easily generate the random string from random.org.
Of course, this is not the most secure method and that string might well be stored in plaintext in the APK (don't use this to send launch codes!), but it's easy and good enough to keep most people out. This might be adequate for, say, sending player scores for a game.
It's more like a PHP question. Here are the things you should do for security ;
Add a hash between your app and your PHP to sync (AKA secret key)
Make sure your script controls every input data
DO NOT send datas to query without escaping them (SQL Inject)
Try to use POST instead of GET or REQUEST
Keep your functions private as much as possible
Always parse the data you receieve (Check if its a number, or string or array etc)
With these, noone will be able to use any of your PHP files without your app. And they won't be able to receive any data without your permissions
The only proper way is not trusting the data you receive. Always treat it in a way suitable for crafted data coming from a bad guy.
How can I prevent users from forging forms on the PHP or jquery side, I am using Jquery's ajax functionality to submit the forms, and this means that tech-wise people can change some variables such as the value of something (that shouldn't be changed / is a user id or something like that) through the use of firebug or web inspector and likewise.
So how can I prevent users from changing these variables or making sure they are unchangeable through a secure and good way?
Thanks
As the others have already stated, you can't prevent the user from tampering.
You are receiving data from me, and I can send you anything I want, I can even do an HTTP request by hand, without even using a browser, and you can't do anything about it.
If you don't want a user to be able to alter an information, don't provide it to him.
You can store it in PHP's session, which is stored server side (do not use cookies, they too are sent to the user) or save it in a database, both of them are not accessible to the end user.
If you still want to pass the data to the user, compute some sort of hash (a secure hash, using a secure hashing algorithm and a secure message digest as Gumbo noted, this rules out algorithms like CRC32 or MD5 and MACs like your name or birthday) of the data and store it server side, then when the user submits back the data, check if the hashes match.
But do know that this solution is not 100% secure. Hashing functions have collisions, and bad implementation exists.
I would recommend to stick to the golden rule: if it's not there, it cant break / be tampered / be stolen / etc.
You cannot prevent users from doing so.
Store these variables in a Session.
You can never trust the client. Validate the form on the server to ensure the data is sane. This means checking that a given user ID has permissions to post their form, etc.
I'm going to go with... you can't. You never trust the user's data; client side verification is always only the first line of defense.
What is the best solution to "form spoofing" besides filtering the inputs?
I understand the followings:
Referrer can be spoofed
Telnet can be used to fool the server
Client side filtering can be bypassed
i understand that i should avoid GET
I can use Captcha
How can i prevent somebody to post to my form processing scripts from anywhere?
If someone can manually post a form, they can do it automatically too. There's no way to stop that besides moderation. You can make it harder by using captcha's. But personally I hate captcha's, because they are just a solution made up by lazy moderators to make the users solve their problems.
Here is a way to use tokens.
http://shiflett.org/articles/cross-site-request-forgeries
Not much really. Every client-side check can be spoofed or bypassed. Some authentication method is best, either using HTTP Auth or a simple system you coded yourself with sessions.
I don't know what the best solution is necessarily, but you can use a session variable on the script that should have generated the form and check it in the script that the form POSTs to. You can md5 the variable contents and make it something somewhat random for increased security as well.
The real question is why do you want to prevent people from being able to post to your webpage from anywhere? Your webpage should be prepared to accept any input no matter where it comes from. There are measures you can take to reduce automatic posting such as tokens, but there is no way you can prevent it completely.
Instead of trying to prevent it, though, I would welcome it. Advertise your cross-site post API and profit.
Postel's law:
TCP implementations should follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.
Set a hidden input on the form that's equal to the md5 value of a string made up of the session id + a secret "salt" string value. Then, when you process the form, you can get the session id, add the secret value, and compare the mp5 out of that to the value that was passed with the form.
I have a link on a page, and I would like to send a variable to a php file like this:
href = "php_file.php?qry=$query"
the $query variable contains a query which I would like to make to mysql, inside the php file.
My problem is, I don't want the users to 'see' what I am passing along. I would like to use $_POST but from what I know, that isn't possible.
Is there any other simple way?
Thanks
That is not possible. Even if you used POST it would be very insecure.
My suggestion would be to put the query in the $_SESSION variable and reference it back in php_file.php If you have multiple queries you could give them some kind of IDs and store the id=>query pair in session.
Quick example:
<?php
session_start();
$_SESSION["query1"] = "SOME QUERY";
$_SESSION["query2"] = "SOME OTHER QUERY";
?>
<a href='php_file.php?q=query1'>Execute first query</a>
<a href='php_file.php?q=query2'>Execute second query</a>
//in php_file.php
session_start();
$query = $_SESSION[$_GET["q"]];
Obviously this is very simplistic and you might want to add some more "security" to it (check for empty parameters etc.) but at least your query wouldn't be visible to the user.
Yes, as stated use a session: http://www.php.net/manual/en/book.session.php
Also, don't stick URI params into a SQL query: http://php.net/manual/en/security.database.sql-injection.php
You could use sessions, or a cookie. But if you're trying to have the client send you information that the client cannot know about, I think you need to rethink the problem.
I hope $query isn't SQL!
Aside from encryption (and even then) if there's data on the client side, there's no way to prevent the client from being able to determine it's value.
Definitely do not put queries on the client side! Store whatever it is in the $_SESSION. That way the actual data is on the server side. It's never sent to the client, so they will never see it.
You obviously want to prevent users from loading stuff like php_file.php?qry=DELETE+FROM+users in their browsers by hiding or obfuscating the SQL code. I suggest you reconsider the whole idea: you're asking to be hacked.
You can hardcode a list of operations in your server side code and just pass an identifier, e.g.:
php_file.php?qry=fetch-totals
and then
<?php
if( $_GET['qry']=='fetch-totals' ){
// ....
}
?>
Well if you don't want them to actually see the query parameters in a link try any URL shortening service (google will help). And when the user is redirected to you save this parameter to session and then do the redirect once again but without any query parameters. This solution will only work in case, once again, the link is just ugly and you don't want to leave it like that. As mynameiscoffey said savvy will still be able to figure it out.
As well as cookies, hidden forms, JavaScript and so on BTW.
You can, in theory, use encryption, and decrypt the value on the server. The overhead is huge, however. And a sophisticated enough user will get to it anyway. The plaintext of the value to be hidden will exist in a variable at some point; a debugger and a breakpoint at just the right time is all they need.
In this scheme, it does not matter how complex the encryption is. You don't have to go all the way with RSA or somesuch; something like XOR with key will suffice. You're protecting against casual snooping here, not against a determined attack.