1

Question:

What is best practice for form submissions while keeping in mind security?

This may be a n00b question but I'm concerned that people might be able to alter some data as its being submitted. Take my example:

I have a form that has a hidden input that stores a user's unique Facebook ID. I take that Facebook ID and create a user account from it. If I use jQuery, won't some users be able to change the data being posted?

Improve this question

2 Answers 2

Reset to default
2

It is just as safe as a regular form post. Both methods can be hijacked and data injected. The key is how your server side scripts validate the data alongside authentication, session, anti forgery tokens etc

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

See comment above: There's no way to prevent users from sending an invalid facebook ID other than what's currently in the session?
I would not put an important id inside a hidden field with no encryption. I would store that value encrypted in a session cookie
2

Users will always be able to post whatever data they like to your server. You can't do anything to change that with javascript. With a decent browser it's easy to find hidden form fields, unhide them, and put whatever you want in them. A more skilled user can craft an http post by hand and send whatever they like. Security must be done on the server, not on the client.

Improve this answer

2 Comments

So there's no way to prevent them from sending over an invalid FB Id?
Nope, other than checking facebook somehow to see if it exists on their site.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.