
Hey all, I am facing a rather serious security error. Let me first outline my code.

<?php /* The JS below selects "#comment-<short>", so the list item carries that id. */ ?>
<li class="comment" id="comment-<?php echo htmlspecialchars($response->short); ?>">
    <form action="" method="POST" name="edit-form" class="edit-area">
        <?php /* Raw comment text is escaped so a stored comment cannot break out of the textarea. */ ?>
        <textarea style="width: 100%; height: 150px;"><?php echo htmlspecialchars($response->comment); ?></textarea>
    </form>

    <div class="comment-area" style="padding-top: 2px"><?php echo parseResponse($response->comment); ?></div>

    <p class="ranking">
        <?php if ($response->user_id == $user_id) : ?>
            <?php /* Client-side only: this branch decides what is rendered, not who may edit. */ ?>
            <a href="" class="editting" data-user="<?php echo md5(convert($response->user_id)); ?>" data-edit="<?php echo htmlspecialchars($response->short); ?>">Edit</a> &bull; <a href="#d">Delete</a>
        <?php else : ?>
            <a href="#">Like (<?php echo (int) $response->likes; ?>)</a> &bull; <a href="#">Dislike (<?php echo (int) $response->dislikes; ?>)</a>
        <?php endif; ?>
    </p>
</li>

is what I got in my body, and here's the relevant JS

$('.editting').bind('click', function(event) {
    var link = $(this);
    var num  = link.data('edit');   // comment id (response->short) from the data attribute
    var user = link.data('user');

    if (link.hasClass('done')) {
        var newComment = $('#comment-' + num + ' .edit-area textarea').val();

        if (newComment == '') {
            alert('Comment Cannot Be Empty!');
        } else {
            // Pass an object so jQuery URL-encodes the values; building the
            // string by hand breaks on '&', '+' or '=' inside the comment text.
            $.ajax({
                type: "POST",
                url: "edit.php",
                data: { newComment: newComment, num: num },
                success: function() {}
            });

            $('#comment-' + num + ' .edit-area').slideDown('slow', function() {
                $('#comment-' + num + ' .edit-area').addClass('invisible');
            });
            $('#comment-' + num + ' .comment-area').slideUp('slow', function() {
                $('#comment-' + num + ' .comment-area').removeClass('invisible');
            });
            link.removeClass('done');
            link.html('Edit');
        }
    } else {
        $('#comment-' + num + ' .comment-area').slideDown('slow', function() {
            $('#comment-' + num + ' .comment-area').addClass('invisible');
        });
        $('#comment-' + num + ' .edit-area').slideUp('slow', function() {
            $('#comment-' + num + ' .edit-area').removeClass('invisible');
        });
        link.html('Done');
        link.addClass('done');
    }

    return false;
});

which works fine, but I'm having an issue. If the user finds a comment (not by them) and uses a plugin like Firebug, they can replace the response->short with another, and edit ANY comment. Of course, within edit.php, I could check the short against the response table and see if the user checks out, but I'd like to find a way to not show the text area unless that response is for sure by that user.

Is this possible?

Thanks in advance, Will



Is this possible?

Sure...but it'll do nothing to stop the user/fix your security hole. To fix this check server-side, always double-check anything that should be secure server-side, never trust your input. The users trying to do something malicious won't be stopped by anything in JavaScript...sending data to your server that they shouldn't is exactly what they'll do first.



Well, I plan to do the edit.php thing anyway so that I'm sure it's valid, but is there any way I can fortify the JS too?
@tap - There isn't much you can do that you're not already doing. JavaScript is wide open, that's just how it is...I can open an edit window for any comment on this page as well...but the server won't allow it, and that's what matters. Take a step back here and look at what you're trying to do...you're trying to make the interface a bit better for the specific case of someone trying to manipulate your site. I wouldn't do any extra work for that; just secure it server-side where it counts, and design the interface for the other 99.9% of users (and still be secure where it matters!)
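To make the server-side check concrete, here is an added example of what edit.php could look like. It is not code from the question or the answers, and it assumes things the thread does not state: the logged-in user's id is kept in $_SESSION['user_id'], comments live in a table named responses with columns short, user_id and comment, and $pdo is an already-configured PDO connection. The point is that the ownership check happens on the server against the session, so whatever value the browser sends in `num` cannot widen what the user is allowed to change.

```php
<?php
// Added example (not the asker's code): server-side ownership check for edit.php.
// Assumptions, not taken from the thread:
//   - $_SESSION['user_id'] holds the id of the logged-in user
//   - table `responses` has columns short (comment id), user_id, comment
//   - $pdo is a configured PDO connection (e.g. require 'db.php')
session_start();
header('Content-Type: application/json');

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}
$userId = (int) $_SESSION['user_id'];

// Read the two fields the jQuery handler posts; treat anything else as a bad request.
$short      = isset($_POST['num']) ? (string) $_POST['num'] : '';
$newComment = isset($_POST['newComment']) ? trim((string) $_POST['newComment']) : '';

if ($short === '' || $newComment === '') {
    http_response_code(400);
    echo json_encode(['error' => 'missing or empty fields']);
    exit;
}

// Authorization comes from the database, never from data-user or anything else
// the browser sent: look up who owns the comment identified by `num`.
$stmt = $pdo->prepare('SELECT user_id FROM responses WHERE short = :short');
$stmt->execute([':short' => $short]);
$ownerId = $stmt->fetchColumn();

// A forged `num` for a comment that does not exist or belongs to someone else
// gets the same answer, so the response does not reveal which it was.
if ($ownerId === false || (int) $ownerId !== $userId) {
    http_response_code(403);
    echo json_encode(['error' => 'not allowed to edit this comment']);
    exit;
}

// Bind user_id in the UPDATE as well, so the write itself cannot touch another
// user's row even if the check above is ever refactored away.
$stmt = $pdo->prepare(
    'UPDATE responses SET comment = :comment WHERE short = :short AND user_id = :user_id'
);
$stmt->execute([
    ':comment' => $newComment,
    ':short'   => $short,
    ':user_id' => $userId,
]);

echo json_encode(['ok' => true]);
```

With this in place the client-side "Edit" link is only a convenience: the `success` callback in the jQuery handler can read the JSON and show an error on a 403, but the decision about who may change which row is made entirely on the server from the session and the database.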

Like Nick said: never, ever trust a JavaScript test!

It will/might work for "regular users", but when it comes down to avoiding hacks, you might as well ask the hacker to click a button to "prove" his input is valid!

Your validator script is running on someone else's computer, so he/she will be able to manipulate it (or even turn it off using NoScript etc.).

