0

I'm building a simple To Do app that connects with Facebook.

I want people to be able to create a new To Do list and register it to the database (I use Ajax for that). I will place the code below and my question after that.

<a id="submit-list" href="#">
    <div class="list-adder">
        <input class="hidden" name="unique_url" id="uniqueUrl"   type="text" value="<?php echo generateRandomString(); ?>" />
        <input class="hidden" name="user_id" id="userId" type="text" value="<?php echo $_SESSION['FBID']; ?>" />
        <input class="hidden" name="user_name" id="userName" type="text" value="<?php echo $_SESSION['FULLNAME']; ?>" />
        <input type="text" placeholder="List Title" name="add_list" class="add_list" id="addList" />
        <span id="submit_list">Add List</span> <i class="icon-plus"></i>
    </div>
</a> 

So here I take the list's unique URL, title, and the Facebook user id and full name.

I send the details over to Ajax and from there to the database. Everything works perfectly. However, there might be a security issue. If I inspect this form I get the user id and name in the source code, as seen in this screenshot: http://image.prntscr.com/image/59dab8aca0694f89989ef1e0f59b9fc4.png And if I edit the user id or name, the edited data is sent to the database.

Is there any way I can make sure the real data of the user is sent to the database instead of the edited data?

Thank you.

6
  • if it's ajax, then you can intercept the actual form submission with JS code, add/remove/modify whatever form values you want, and then do ANOTHER submission with the actual data. Commented Aug 3, 2016 at 14:51
  • 1
    Just add some validation before you insert to the database? You already know user_id should be the same as $_SESSION['FBID']. If it's not, tell the user the data is invalid. Commented Aug 3, 2016 at 14:52
  • @MarcB If the validation is client side then it's still vulnerable Commented Aug 3, 2016 at 14:54
  • @user1: true, but that's true of anything client-side. you can't prevent a user from fiddling with stuff in their browser. you can only make it harder for them. Commented Aug 3, 2016 at 14:55
  • Radu033, what is the point of having the user_id and user_name fields anyway? Can't you just submit the form without it and in PHP insert using the $_SESSION values? Commented Aug 3, 2016 at 14:56

2 Answers

1

The only reason to put something into a form is because you need that data in the subsequent request that you can't get from somewhere else.

But you already have this data in the user's session - there's no point in printing it into the form in order to make it available to the next request - it's already available to the next request.

Remove the user_id and user_name fields from your form, and when constructing your query, instead of reading those values from the request, read them from the session.
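A server-side handler along the lines this answer describes, as an added example that is not part of the original answer or the asker's code. The `lists` table, its columns and the `createList()` helper are assumptions; it also goes one step further than the answer by generating the `unique_url` on the server with `random_bytes()` instead of accepting it from the hidden field.

```php
<?php
declare(strict_types=1);

// Added example: createList(), the table name and the column names are hypothetical.
function createList(PDO $db, array $session, array $post): array
{
    // Identity comes only from the server-side session filled at Facebook login.
    if (empty($session['FBID']) || empty($session['FULLNAME'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }
    // The list title is the only value accepted from the request.
    $title = trim((string)($post['add_list'] ?? ''));
    if ($title === '' || strlen($title) > 100) {
        return ['ok' => false, 'error' => 'invalid title'];
    }
    // URL token is generated here, so the client never supplies it.
    $url = bin2hex(random_bytes(8));

    // Prepared statement: values are bound, never concatenated into the SQL.
    $stmt = $db->prepare(
        'INSERT INTO lists (unique_url, user_id, user_name, title)
         VALUES (:url, :uid, :uname, :title)'
    );
    $stmt->execute([
        ':url'   => $url,
        ':uid'   => (string)$session['FBID'],
        ':uname' => (string)$session['FULLNAME'],
        ':title' => $title,
    ]);
    return ['ok' => true, 'unique_url' => $url];
}

// Constructed demo: in-memory SQLite, a constructed session, and a POST body
// whose user_id / user_name were edited in the browser.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lists (unique_url TEXT PRIMARY KEY, user_id TEXT, user_name TEXT, title TEXT)');

$session = ['FBID' => '1000001', 'FULLNAME' => 'Alice Example'];
$post    = ['add_list' => 'Groceries', 'user_id' => '9999999', 'user_name' => 'Someone Else'];

$result = createList($db, $session, $post);
$row    = $db->query('SELECT user_id, user_name, title FROM lists')->fetch(PDO::FETCH_ASSOC);

var_dump($result['ok']);
print_r($row); // the stored identity is the session's, not the edited POST values
```

In a real endpoint, call `session_start()` and pass `$_SESSION` and `$_POST` to the function; the edited `user_id` and `user_name` fields are simply never read.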


0

The perfect solution is to use SESSION, but if you want to use it as input you can delete the fields after the page is initiated.

Not bullet proof though.

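// Holders for the values read from the hidden inputs
var USER_ID   = null;
var USER_NAME = null;

$(function()
{
   // Copy the values into JS variables once the page has loaded
   USER_ID   = $('#userId').val();
   USER_NAME = $('#userName').val();

   // Remove the hidden inputs so they no longer appear in the DOM
   $('#userId').remove();
   $('#userName').remove();

   // '..' is a placeholder for the endpoint URL
   $.post('..', {'userId' : USER_ID });
});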
