
Is it insecure to auto-populate fields on re-set forms?

 

This pertains to two Forms on my site...

 

Change Your Password

E-mail:

Password:

New Password:

Confirm Password:

 

If I pre-populated E-mail above, would that be a security risk?

 

 

Change Your E-mail

E-mail:

New E-mail:

Confirm New E-mail:

Password:

 

If I pre-populated E-mail above, would that be a security risk?

 

Thanks,

 

 

Debbie

 

 

https://forums.phpfreaks.com/topic/259108-is-pre-population-insecure/

Just make sure your auto-fill is properly sanitized beforehand and safe from injection and cross-site scripting attempts.

 

How do I do that?

 

When the form is loaded I look for their "memberID" in the Session and then I query the database for their record, and if it is found I display it like this...

<!-- Current Email -->
<label for="currEmail">E-mail:</label>
<input id="currEmail" name="currEmail" type="text" maxlength="80"
			 value="<?php if(isset($currEmail)){echo htmlspecialchars($currEmail, ENT_QUOTES);} ?>" /><!-- Sticky Field -->
<?php
	if (!empty($errors['currEmail'])){
		echo '<span class="error">' . $errors['currEmail'] . '</span>';
	}
?>

 

 

Debbie

 

They never typed in their e-mail...  That is the point...

 

Maybe not on that page, but they did at some point, otherwise how would you know what to fill in?  So long as you're not setting it up so it will pre-fill based on an ID number in the URL or something like that, there is no problem from a data-leak point of view.  The user should only be able to see whatever is on record for their account.

 

How do I do that?

 

The same way we've told you in the past: you run any user-inputted data through htmlentities() before you display it on the page.  Your code shows you doing that, so you're fine.
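The two points made in this reply, shown side by side as an added example that is not code from the thread: the record to pre-fill must be selected by the server-side session, never by a value the visitor can edit in the URL, and the value must be escaped when it is written into the HTML attribute. It assumes a PDO connection in $pdo, a `members` table with `id` and `email` columns, and the logged-in member's id in $_SESSION['memberID'].

```php
<?php
// Added example (not from the thread). Assumed: $pdo is a PDO connection,
// table `members` has columns `id` and `email`, and the logged-in user's
// id is stored in $_SESSION['memberID'].
session_start();

// INSECURE: the record to pre-fill is chosen by a value the visitor controls.
// Changing ?id= in the URL would show another member's address on the form.
//   $stmt = $pdo->prepare('SELECT email FROM members WHERE id = ?');
//   $stmt->execute([$_GET['id']]);

// SAFE: the record comes only from the server-side session, which the
// visitor cannot edit, so a user only ever sees their own e-mail.
function currentMemberEmail(PDO $pdo): ?string
{
    if (empty($_SESSION['memberID'])) {
        return null;                       // not logged in: nothing to pre-fill
    }
    $stmt = $pdo->prepare('SELECT email FROM members WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['memberID']]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Output escaping: even a value read from your own database is untrusted once
// it lands inside an HTML attribute. ENT_QUOTES also escapes the double quote
// that would otherwise close the value="..." attribute early.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$currEmail = currentMemberEmail($pdo);
?>
<!-- Current Email (pre-filled from the session, escaped on output) -->
<label for="currEmail">E-mail:</label>
<input id="currEmail" name="currEmail" type="text" maxlength="80"
       value="<?php if ($currEmail !== null) { echo attr($currEmail); } ?>" />
```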

 
 

Okay, thanks!

 

 

Debbie

 
