
Let's say I have a website where the user can edit his profile.

<form action="profile-processor.php?action=edit&id=888" method="POST">
    <input type="text" name="name"/>
    <input type="submit"/>
</form>

And profile-processor.php contains:

if(!empty($_GET["action"])) {
    if($_GET["action"] == "edit") {
       // raw request values concatenated into the SQL text: this is the SQL injection
       // the answers below point out
       $query = "UPDATE users SET name = ".$_POST["name"]." WHERE id = ".$_GET["id"];

    ... ... ... 
    }
}

What if someone that has nothing to do with this web application creates an HTML form, and in the action he puts "profile-processor.php?action=edit&id=xx" and sends the data? Will it edit like if it was sent from its own website?

What can you do to hide the action or at least critical details like

<form action="process.php?action=SOMETHING_I_DONT_WANT_YOU_TO_SEE&id=THE_ID_YOU_SHOULD_NOT_KNOW">
</form>

I'm creating a web application that has a lot of forms that will edit database information, I just want to make sure I have some critical security.

EDIT:

I know how to use PDO and Prepared Statements perfectly, this question is more about the client-side stuff sending information to the Server side controller.

  • Use POST rather than GET? Commented Sep 10, 2014 at 5:08
  • Will the hidden inputs actually hide the names and values of the elements being sent? You can see them when viewing the source code. Commented Sep 10, 2014 at 5:12

3 Answers

1

The best way that I have found is to use the session variables: create a random token for each user and verify if the user is really logged in.

Another way is to generate a random code and send it on a hidden field

<form action="profile-processor.php?action=edit&id=888" method="POST">
    <input type="text" name="name"/>
    <input type="hidden" name="token" value="{generate random number here}" />
    <input type="submit"/>
</form>

Then verify that the token really exists inside process.php.


1

First, if your user is editing his profile then he is logged in, right? So why are you allowing the id to be passed in at all? You already know the user id, most likely from the session. The only data you need from the form in this example is the information to update.

Second, your query as posted is vulnerable to SQL injection. There are tons of questions on SO to show how to fix that.

Last, to address other answers, while you should use POST data when modifying something, it is in no way more secure than GET.

2 Comments

Thank you. Yeah, as I put in the question Edit, I already know everything about query security, I was just making sure I could also know better about client-side stuff that makes my app more secure. Thanks for your answer!
In the future I would not post code with SQL injection problems in your question. How are we to know that you do know how to avoid that if you are showing that as your example? :). I would even edit the question to show what you are doing.
0

Use POST method instead of GET

3 Comments

Thank you for your answer... Will the Destination script only receive POST data from the web application it is working within? Or might it receive POST data from external web forms.
Yes it is. When submitting a form with a POST method it only accepts POST data; besides, you can check in the script with if(!empty($_POST["submit"])) { }. $_GET has different purposes. For tighter security use POST method.
@RobertDeanPantino you can POST data to another domain. Using POST here is what should happen because you are modifying a resource, but changing from GET to POST does not make this form secure.
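The three answers above fit together into one handler: the first answer's per-session token, the second answer's point that the user id should come from the session (and that the query must be parameterised), and the third answer's POST-only rule. The following is an added example, not code from the original post or from any of the answerers; it assumes PHP 7.1 or later (for random_bytes, hash_equals and nullable return types), a PDO connection in $pdo, and that the login code has already stored the user's id in $_SESSION['user_id']. The function names (csrf_token, render_edit_form, reject_reason, handle_edit) are this example's own.

```php
<?php
// Added example, not from the original question or answers.
// Assumes: PHP >= 7.1, a PDO connection $pdo, and $_SESSION['user_id'] set at login.

// Issue (or reuse) one CSRF token per session and return it for the hidden field.
// random_bytes() is a CSPRNG; 32 bytes = 256 bits, hex-encoded for the HTML attribute.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the edit form. Note that neither action nor id appears in the URL:
// the server already knows who is logged in, so the client never supplies the id.
function render_edit_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="profile-processor.php" method="POST">'
         . '<input type="text" name="name"/>'
         . '<input type="hidden" name="token" value="' . $token . '"/>'
         . '<input type="submit"/>'
         . '</form>';
}

// Decide whether an incoming request may change state.
// Returns null when it is acceptable, otherwise a short reason for rejecting it.
function reject_reason(string $method, array $post, array $session): ?string
{
    if ($method !== 'POST') {
        return 'method';            // state changes only through POST
    }
    if (empty($session['user_id'])) {
        return 'not logged in';     // no session, no edit
    }
    if (empty($session['csrf_token']) || empty($post['token'])
        || !hash_equals($session['csrf_token'], (string) $post['token'])) {
        // A form on another origin can POST here, but it cannot read this
        // session's token, so its request fails this check.
        // hash_equals() compares in constant time.
        return 'bad token';
    }
    return null;
}

// The actual update: parameterised, and the WHERE id comes from the session,
// so the submitted name can neither alter the SQL nor target another user's row.
function handle_edit(string $method, array $post, array &$session, PDO $pdo): bool
{
    if (reject_reason($method, $post, $session) !== null) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    return $stmt->execute([
        ':name' => (string) ($post['name'] ?? ''),
        ':id'   => $session['user_id'],
    ]);
}

// ---- Demonstration on a constructed session (no database needed) ----
$session = ['user_id' => 888];               // constructed: what login would have set
echo render_edit_form($session), "\n";       // hidden token now lives in $session too

// 1. Forged cross-site POST: right endpoint, hostile name, but no token -> rejected.
var_dump(reject_reason('POST', ['name' => "x'; DROP TABLE users; --"], $session));

// 2. Same endpoint reached with GET -> rejected before the token is even looked at.
var_dump(reject_reason('GET', ['token' => $session['csrf_token']], $session));

// 3. Legitimate submission from the rendered form carries the session's token -> accepted.
var_dump(reject_reason('POST', ['name' => 'Alice', 'token' => $session['csrf_token']], $session));
```

In the real profile-processor.php, call session_start() and then handle_edit($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION, $pdo). The token does not hide anything (the commenter is right that it is visible in the page source); what it does is tie the submission to the browser session that rendered the form, which a third-party page cannot read. Hiding the id is unnecessary once it is taken from the session instead of the request.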
