I just want to ask if there is a better way for me to pass IDs for the DB on the website.
Right now I pass it by changing the 'button' attribute 'ID' into the ID of the element I want to edit. so when I pass it to the controller, I pass along the values I want to upload and the button's ID for update. I know it's unsafe, but is there an alternative?
If it's better, can you at least point me at the right direction on good web design?
If it helps, I use Codeigniter.
Relax. There is nothing inherently insecure about passing the ID to the browser and POSTing it or putting it on the query string. The ID is not itself sensitive.
Just like Phil said above, a
<input type="hidden" name="id" value="123" />
is a common way to pass the ID around.
The element of safety comes in the handling of the next request. ALWAYS check that the user making the request is authorized to modify the data that correspond to the ID. This is generally done by checking the user's login cookie. There are other methods of authentication but the bottom line is to prove that the user you have should be editing the data they are trying to edit.
Related
I have a PHP page that can only be accessed by logged in users. Each page is unique to that particular user and is used for collection tracking.
Through PHP I have the username and user id echo'd and then wrapped in a display:none div.
I then have a couple of ajax calls that pass the username and user id when they do specific tasks (update collection, add to, delete, etc etc). This is passed to a PHP file which uses prepared statements.
I do this since I can't seem to find another way to grab the username and user id in Javascript.
Since each page is accessed only by that particular user, I'm thinking it's safe since you can't get access to another users username or ID. However I can't help but feel that this is extremely bad practice. I'm completely open to suggestions on this!
EDIT: I should also point out that I am using WordPress for authentication.
One thing to think about is ensuring you sanitise the values when you read them. For example what would happen if someone manually set the username in that div to DROP ALL TABLES; - a sql injection attack. Also why not have it as a JS variable by echoing it in a script rather than a hidden div? Otherwise it seems fine, indeed most web applications serialise data into html template to be read by scripts.
Here is an html form page
https://www.amazon.in/gp/help/customer/ces/phone-popup.html
which has input fields phone number and time to call.
Is it possible to pass the input data through link, so that it automatically submits the form with the data present in the link.
Can the link be modified to something like:
https://www.amazon.in/gp/help/customer/ces/phone-popup.html?num=9846098460&time=now
Simple and drastic answer: NO.
If YOU were the owner of the target site, you could foresee this kind of use...
Pretty rare uses for common people.
If not:
Are you trying some kind of an automatic query hack ??
Do you really think you will get such an answer on a public forum?
Think about it.
SO reviewers: CLOSE THIS QUESTION!
I wouldn't say so... The way the form data is sent to the remote server is probably through a HTTP POST request triggered from Javascript (when you click the "Call me" button). Therefore, it's not possible for you to automatically submit the form by passing the arguments in the URL.
You need to show code so we better help you but here's a thought.
Yoursite?date=jaz&id=2323;
In your form, you do something like
<input type="text" value="<?php if(isset($_GET['jaz']{echo $_GET['jaz']})) ?>"
Then in you Javascript
You can just submit the form when the page is loaded.
This is just a basic framework but you may want to consider security and check for emptiness when the actual form is submitted
I allow my users to favorite an update or a forum topic.
So when a user tries to favorite one of these i will send via Ajax 2 things, the item_id(update or topic) as id(ex. 1321313213) and its type("update" or "topic") as string.
However lets say someones tries to favorite an update with the id untouched but the type is changed to "topic"(via firebug or whatever else)...
This should not procceed since this combination is not correct... how can i assure that the item_id being sent is an update or a topic since this ID might co-exist in both tables???
Current solution:
Create a hidden input element and add as value 5 random characters (a-zA-Z0-9) and md5 type name(update or topic)
like:
$random_str = $this->my_model->generateRandomString(5);
<input type="hidden" value="<?php echo $random_str.md5("update"); ?>" id="type" />
so when i try to validate the data to check if it is an update or topic i split the type on the first 5 characters and later and check if the later characters are md5 hashed are update or topic and continue validation
I would like some help in case this can be altered as well...
Your server side script (PHP) must always assume it's getting bogus data. Never rely solely on javascript to handle any sanitization / verification.
If your javascript can determine if the job should be "update" or "topic", I'm sure your PHP can do that as well. Probably using a few more DB queries or some such, but that's the price you've got to pay.
Your are looking at the problem from the wrong perspective. Especially from You server side (PHP) code.
Your server gets data. It gets data which is something like that: user (from session), id and type. Your server needs to ask a question: is it valid data? If it is -- save it to DB; If it is not -- do not save it to DB. It is that simple.
You can look from this perspective: Your client side code is just one way to communicate with Your server. Another way is using web browser + firebug. It is perfectly valid usage of Your server side application. And Your PHP code should not care how request reaches it.
So if Your current code does not allow You in Your PHP code feel comfortable and freely decide if is it update or topic creation than Your need to change Your server side code (and perhaps DB schema) as well.
Your current solution is not good, because if I know how to use firebug I would probably find out that "9d9b68ac2b1de18d3712096354b3c3a5" means "topic" and "3ac340832f29c11538fbe2d6f75e8bcc" means "update".
I think Your are trying to invent Your own CSRF protection. So go on Internet and read about it.
This is sort of a generic "Good Idea/Bad Idea question".
My scenario: I am writing an ASP.NET MVC3 app that is just 1 page (one View/Controller). This view shows a grid of "Cases" and when a user clicks one of these Cases, I use jquery ajax ($.ajax) to swap out the visible portion of the page and load the details of this Case (but never change the page).
Still with me? Thanks!
Now, once this new Case detail view is shown, the user can edit the Case in one of many ways. Change the priority, change the status, etc. I am using jquery's ajax function for this as well.
My question: How should I store the Case ID? Is it ok to store it in the HTML? Is there a better place to store it?
All of the Cases have a Guid ID, and currently when the Case details are loaded (using ajax) I add a custom attribute to the Case detail view <div> so I know the Case ID. This means that the Case ID is visible to anybody viewing the page source. I thought about using jQuery's .data() function to store it, which wouldn't be visible to page source, but would be accessible from Firebug other inspector tools.
What is the best practice for this? I really can't imagine how my user's would do anything with the Case ID, but I am trying to be a bit paranoid here.
Thanks in advance for any thoughts! And thanks for reading this novel!
There's very little you can do about things which the browser gets to see in any fashion, since code and data in the DOM are not protected from the user.
Obviously you don't want to send anything to a user who is not allowed to see that information - so you don't want to do any client-side filtering of data that is dependent upon user role.
But as for internal data, you just have to protect your perimeter - methods can't accept ids which are mismatched (i.e. an account id which is only valid for a different customer being submitted) - but there's very little you can do about the ids themselves.
By sending the case ID from the server to the browser, you are giving it to the user. If you don't want the user to have the case ID, don't send it to the browser.
I'd provide some sort of sanitized, "imaginary" ID if you're that concerned. If this were running in a loop, I'd suggest basing it on the loop index.
Ultimately however, you'll need to use some sort of unique identifier on the Case that will identify it in ajax calls to the database.
Really though, I've done the same thing before and just encoded the ID field in the markup, and it's rarely mattered. This ID is only a harmful thing to have out in the open if your security is lax. If you've secured your database and have a decent level of security on the app, then you should be fine. If you haven't, then you have bigger things to worry about than markup.
I need to pass a URL and domain type from one HTML page to another and apparently the best way to do this is using java-script to create a cookie and pass the value to the next HTML page, but I do not know anything about cookies or even where to start. Where can I find a good guide to get me started with cookies and/or how to pass the value from one form to another? Is there a simpler way instead of using cookies? Thanks!
There is more than one way to do this:
- You can pass the values using GET or POST variables.
- Save the value in the session (depending on the language this can be more or less easier).
- Or save it to a cookie.
I think the easiest way to do it is to use POST variables (is as easy as with GET but you should avoid passing an URL in the url itself).