electricshoe Posted January 15, 2008

Question 1: I just noticed that with the developer extension in Firefox you can change the values of hidden fields to whatever you want and then submit the form. This is pretty much fatal to anyone using PayPal's easy form code to process simple transactions (I don't use this, but it's just an example, since you could edit in your own price or anything else you wanted). Is there anything PHP can do to stop this? Do I need to write a much more advanced poster so I can store the variables in PHP and then have them posted with HTTP headers, or is that just as vulnerable?

Question 2: Is there something I can put in my form processor to make certain that it doesn't process POST information that originated outside my server? Is checking the HTTP_REFERRER good enough to do that?

I couldn't find much clear documentation about this, specifically the dev extension problem, but it fundamentally breaks hidden inputs. My code is secured against SQL injections and everything else very well, but I don't know how to address these issues, and I don't like to take chances with security. So your help is very much appreciated!
revraz Posted January 15, 2008

I've never used PayPal before with PHP, but can't you pass a session variable instead?
kenrbnsn Posted January 15, 2008

No, since PayPal is a different domain and sessions are domain based.

Ken
electricshoe Posted January 15, 2008 (Author)

My specific problem is that I'm using hidden fields to tell my form processor what to do (update, delete, insert, etc). I'm kind of a noob with sessions, but if I set it (and displaying an SID in the URL is out of the question for the application), would that put a cookie on their machine with the values? I could just encrypt that and then decrypt it back on the server though, right? That sounds awfully complicated for just passing a few variables that are independent to each form.

My system is currently set up so that I can generate multiple forms on the same page, each with validation and everything else, so if possible I'd just like to pass the variables to the form processor. Do I need to create a whole thing to pass it through the HTTP header when it goes to the post? And my big question is, is this more secure or would it still allow tampering?

I'm configuring how each form behaves separately and then passing it to a universal processor that executes it. There cannot be any way to alter that behavior data or else I have a BIG problem. So whatever way allows me to pass it without any accessibility to the user is what I need. Thanks!
revraz Posted January 15, 2008

Does the PayPal script return an amount that was actually paid? If so, can you compare that to see if it's the right amount?
Grant Holmes Posted January 15, 2008

FWIW, I was passing hidden fields to my db also. These were ones that I can't imagine why anyone would mess with them, but nonetheless, I didn't want them to. My form uses a processing.php file created by FormsToGo. I'm not up on PHP enough to handle that. Anyhow, in that processing script that you can't get to, I pass those variables like this:

    if($FTGIP == "") $FTGIP = $_SERVER['REMOTE_ADDR'];
    if($FTGEvent == "") $FTGEvent = "feedback";
    if($FTGActive == "") $FTGActive = "0";

In this case, I wanted to pass the IP address, the reason for the form and make the file inactive, so my client could make them active (viewable publicly) when they chose to. In the code above, I KNOW the variable will be blank off the form as I don't define it there. Hope this gives you an idea. I'm not sure this is 'great' or elegant, but it works for me.
electricshoe Posted January 15, 2008 (Author)

Thanks, but I've been reading fervently on session stuff to become less of a noob at it. What I had before was this:

    function draw_process($table, $type='insert', $conditions='')
    {
        echo '<input type="hidden" name="form_table" value="'.$table.'" >';
        echo '<input type="hidden" name="form_process" value="'.$type.'" >';
        echo '<input type="hidden" name="form_conditions" value="'.$conditions.'" >';
    }

Now I've changed it to this:

    function draw_process($table, $type='insert', $conditions='')
    {
        $_SESSION[$GLOBALS['form_name'].'_'.$GLOBALS['form_id'].'_form_table'] = $table;
        $_SESSION[$GLOBALS['form_name'].'_'.$GLOBALS['form_id'].'_form_process'] = $type;
        $_SESSION[$GLOBALS['form_name'].'_'.$GLOBALS['form_id'].'_form_conditions'] = $conditions;
    }

The globals are generated each time I run a draw_form() function, to ensure that each form on the page has unique variables. Now the fun problem is I need to pass ${$GLOBALS['form_name'].'_'.$GLOBALS['form_id']}, which is the name attribute of the form I'm submitting, but unluckily I can't simply pull in the name of the form being submitted through POST. So now I need to be able to recognize what form has been submitted in the processor without using $_GET or a hidden field. I suppose a hidden field that has the same name as the form, and then I operate off its name and ignore its value?
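One way to pass the behaviour data without ever exposing it, and to identify the submitted form without a form name in POST or GET, written here as an added example and not the poster's code: the table, process type and conditions stay in the session under a random token, the token is the only hidden field, and the processor accepts only tokens it issued itself. It assumes PHP 7.1+ and a single processor function run_process() (hypothetical name standing in for the poster's universal processor).

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1+ and that
// run_process() is the poster's universal processor (hypothetical name).
session_start();
// Store one form's behaviour server-side and return an opaque token for it.
// The browser never sees $table, $type or $conditions, so editing the hidden
// field can only select another stored configuration, never alter one.
function register_form(string $table, string $type = 'insert', string $conditions = ''): string
{
    $token = bin2hex(random_bytes(16));            // 128 random bits, unguessable
    $_SESSION['forms'][$token] = [
        'table'      => $table,
        'process'    => $type,
        'conditions' => $conditions,
    ];
    return $token;
}

// Drop-in replacement for draw_process(): the token is the only hidden field.
function draw_process(string $table, string $type = 'insert', string $conditions = ''): void
{
    $token = register_form($table, $type, $conditions);
    echo '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Processor side: map the submitted token back to its stored configuration.
// Unknown, malformed or other-session tokens yield null, which also rejects
// posts that did not come from a form this server rendered (what the referer
// check in the thread was meant to do, without trusting a client header).
function resolve_form(array $post): ?array
{
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !isset($_SESSION['forms'][$token])) {
        return null;
    }
    $config = $_SESSION['forms'][$token];
    unset($_SESSION['forms'][$token]);             // one-time use: no replays
    return $config;
}

// Processor entry point; the drawing functions above are used on the GET page.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $form = resolve_form($_POST);
    if ($form === null) {
        http_response_code(400);
        exit('Form submission rejected');
    }
    run_process($form['table'], $form['process'], $form['conditions']);
}
```

Unused tokens accumulate in $_SESSION['forms'] until the session expires, so cap or prune that array if a user can render many forms. For a receiver on another domain such as PayPal, where no shared session exists, the amount actually paid has to be checked server-side as revraz suggests rather than trusted from the form.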