Say in my ajax request page, I have a row of results pulled from the database that looks something like this:
while ($stmt->fetch()) {
echo "<p value='".$taskId."' class='titleRsltTask'>".$taskTitle."</p><br>";
}
Here $taskId is the primary key for the row returned. When the results are returned to the DOM, a user can inspect and change this id. Say I have another ajax request to delete or update the above results when .titleRsltTask is clicked,
$(document).ready(function(){
$('.titleRsltTask').click(function(){
id = $(this).attr('value');
$('#taskResults').load('Includes/updateTask.inc.php', {
Id: id
});
});
which uses the value $taskId to find which row to update in updateTask.inc.php.
What are some ways I can verify that the row that the user is updating belongs to them so that they can't update any rows in the table by changing the value in the inspect element?
Is there a better way to set this up in the first place? Does using an SSL help in any way?
Are there other security measures you want to point out, I'd be glad to hear them.
I've done some research on authorization, authentication, and encryption but still not exactly sure what to do in this situation.
I do understand your concern about security, as the value returned are auto incremented numbers.
Using a ssl wont encrypt or provide you any security with such things.
SSL only encrypts other users connection to your website.
SSL encrypts the packets transmitted to your website.
One way you could apply additional layer of security is by encrypting the numeric id returned from the server using some salt algorithm and displaying it in the view in encrypted format.And then decrypt it at the server.
Updating and changing the encrypted value wont do any good even if someone changes it using inspect element, as that would not be processed into a valid value when being decrypted in the server.
Hope this helps.
Thanks
You should reconsider your table structure. If users are only able to change certain row, then on each row include the user ID that can edit it, use authentication with the request (by including a session cookie etc), and add that logic to the UPDATE command. If a group of users can change certain rows, then have an extra column specifying the group ID/privilege, and ensure each user has a privilege level set.
Related
I have a PHP page that can only be accessed by logged in users. Each page is unique to that particular user and is used for collection tracking.
Through PHP I have the username and user id echo'd and then wrapped in a display:none div.
I then have a couple of ajax calls that pass the username and user id when they do specific tasks (update collection, add to, delete, etc etc). This is passed to a PHP file which uses prepared statements.
I do this since I can't seem to find another way to grab the username and user id in Javascript.
Since each page is accessed only by that particular user, I'm thinking it's safe since you can't get access to another users username or ID. However I can't help but feel that this is extremely bad practice. I'm completely open to suggestions on this!
EDIT: I should also point out that I am using WordPress for authentication.
One thing to think about is ensuring you sanitise the values when you read them. For example what would happen if someone manually set the username in that div to DROP ALL TABLES; - a sql injection attack. Also why not have it as a JS variable by echoing it in a script rather than a hidden div? Otherwise it seems fine, indeed most web applications serialise data into html template to be read by scripts.
I am looking for a way to use AJAX and jQuery to store data from one form in another without losing the values. I want to be able to keep this data away from the front end user and allow them to remove the information should they wish to. I need to be able to get this information out when the user submits the data. I would like to be able to store the values in an associative PHP array if possible, for example:
<?php
$information = array(
"first_information"=>array(
"name"=>"Sam Swift",
"age"=>21
),
"second_information"=>array(
"name"=>"Example Name",
"age"=>31
)
);
?>
I would have used a database for this but because of volume this will not be possible. I want to keep the data away from the user so that they have no access to it at all, the data should be held where the user has no way to see it, access it or change it. This is due to the nature of the data and all of it should be as secure as possible.
Any information that you store client-side is naturally going to be accessible and mutable by the client. If this sensitive data is data that the user is entering, then you really shouldn't worry about them manipulating the data (because that is what they are supposed to be doing). If however it is data that is being sent by the server - and never displayed or used in that form by the client - this is data that should never leave the server in the first place.
Ajax is not specifically a solution to this problem - whether you send the data asynchronously (i.e., piecemeal with Ajax) or as a full HTTP post is immaterial. You need to store the sensitive data on the server only along with a session ID to associate it with the client session.
Without knowing exactly what data you are storing nor what you are doing with it, it is difficult to advise you how to proceed. You should rethink how you are structuring your application if you are sending sensitive data for the client to work with. The client should only ever see the input and the results. The processing should be done on the server.
For example: perhaps your user is adding an amount to a bank balance. The user enters the amount on the client. but you don't want the client to see or be able to modify the actual value. You could send the balance to the client, perform the addition operation, then send the total back to the server. Far better would be for the client to send the amount to add to the server, which would then add the value to the balance, and return a confirmation for the client to display.
I have a form where users can buy credits with PayPal or banktransfer as payment option.
If a user selected "PayPal" as an option, the form data will be send to PayPal, using JQuery/JS:
$(':radio').change(function () {
var $this = $(this).val();
if ($this === 'pp') {
$('#form').attr('action','https://www.paypal.com/cgi-bin/webscr');
}
else
{
$('#form').attr('action','');
}
});
The user can also choose how much he wants to pay, which also selects how many credits he'll get from it. Additionally he can add a coupon-code. An Ajax-Request will check our database, if this is a valid coupon and grants the discount-value then.
All informations are stored in hidden input fields (what the price is, how many credits, how much discount (if any), user id, etc.).
Now, I want to make sure that the user doesn't manipulate these values with Developer Tools or similiar things to pay less, use another user id and so on.
What would be the best possible way to prevent this form manipulation and receive the correct data? I assume it's kinda difficult because there are so much values to change.
Data Forgery / Manipulation
There are many nefarious means of sending manipulated or forged data to a web server - cURL, Http Client (OSX app) just to name two that I use frequently when debugging. A determined attacker will send bad data to the HTTP server no matter what Javascript you think up.
Think outside the box
For security needs, it's time to break out of the mental model of using a web browser because it's a web site. As already stated, there are many ways to send data to an HTTP server.
Javascript is good for the UI and helping the user, but when it comes to securing your service against intentionally bad/wrong/malformed data, you must do that on the server.
Your particular problem
You may need to re-think using hidden form fields. One approach would be to use sessions to keep track of this info. If this is information that must be sent to PayPal in their form, there is a way to embed the PayPal form using encrypted data.
If you don't want to do this, the point of security then moves to the order processing code - look at the transaction details (currency amount, etc) before considering that a transaction is complete and valid.
Upon completion of an ajax call I would like to direct the user to an html page, but at the same time passing a hidden variable (this variable contains sensitive information and should not show up in the URL).
How can I accomplish this?
window.location.href = 'userpage.html?id=14253';
But with the id remaining invisible? Can I POST the id somehow while sending the user to userpage.html?
You should not be checking user credentials on the client side of your website. Regardless of how the ID is being passed to your script, it can be replicated without you being able to check if the request is valid.
To start being even remotely secure with what information is granted to a user, you need to be checking it via the server side. With every request, ensure the user is authenticated to view such data.
If I were you, I would look into using PHP sessions as the first line of defense for checking if a user is authenticated. Doing so will at least keep the information about a user out of a replicable space that can be viewed by the user.
Look up 'php session login tutorial' on Google and you will find plenty of simple tutorials which should get you on the right track.
Example Tutorial
No matter what, the information you pass along is insecure. You can submit a post request using XMLHttpRequest objects if you'd like (or use a framework/library to make AJAX calls) -- but the user could still spoof the data and get different results.
ID enforcement should be done in the backend. Does the requested ID match the ID of the user signed in? No? Don't show it. etc etc.
First of all, thank you so very much for making jqGrid! It's an excellent piece of work!
When my index.php file POSTs the JSON-encoded search criteria to my grid.php file, grid.php processes the criteria, queries the database, and returns a JSON-encoded string back to index.php, which in turn takes the results and renders them in a jqGrid table.
Everything works splendidly.
However, if an in-house user points their browser to grid.php, it will return a set of records that satisfies the default criteria (30 records per page, the fields and their data, as programmed). And because I have it setup to POST, a user could append query parameters manually to grid.php, e.g.:
http://foo.bar/grid.php?clientID=123&city=anytown
I've placed security checks in both my index.php and grid.php. As an example:
if(userGroup='Sales'){
$sqlstr = "SELECT * FROM table WHERE group='SALES'";
}else{
$sqlstr = "SELECT * FROM table";
}
But the problem is that they can bypass these checks by pointing their browser to grid.php directly.
Does anyone have suggestions of how to secure the string that's returned by grid.php?
UPDATE
Per Justin's suggestion, I think that I might be on the right path now. Something like this might work:
$trace = debug_backtrace();
if ($trace[0]['file'] != 'index.php'){
echo "There was an error. Please contact your Systems Administrator.";
return 0;
}
Well, that didn't work as expected. I'm leaving this info here for posterity.
You need to add PHP code to secure the grid.php URL. First, if it is feasible for your application, you can add an authentication system to prevent just any users from accessing the URL. Once that is in place, you could secure it even more by adding role-based or user-based permissions.
For example, only allow the user group of "sales" to be appended if the user provides that option and they are a member of the "sales" group.
How you will actually implement this depends up on what PHP framework you are using (if any) and the requirements of your application.