0

I have an admin page that lists a bunch of records and each record has a checkbox next to it to set it to an "active" status. Each checkbox has a value on it that is tied to the ID of the record in the database. If somebody used FireBug they could easily change the checkbox's value to a different number thus effecting the wrong record in the database.

I'm not extremely worried about this happening because its just an admin page that will just have one user and I'm sure he doesn't know anything about FireBug.. but was just curious incase I run into this problem in the future on a more public-facing page.

Here's the code I currently have just so you can get an idea of what I'm doing.

The HTML + PHP..

<input type="checkbox" class="active" name="active<?php echo $id; ?>" id="active<?php echo $id; ?>" <?php if ($active == 1): ?>checked="checked"<?php endif; ?> value="<?php echo $id; ?>">

jQuery ajax..

$("input.active").click(function() {

var loader = $(this).prev().prev();

$(loader).css("visibility","visible");
// store the values from the form checkbox box, then send via ajax below
var check_active = $(this).is(':checked') ? 1 : 0;
var check_id = $(this).attr('value');

console.log(check_active);
console.log(check_id);

    $.ajax({
        type: "POST",
        url: "active.php",
        data: {id: check_id, active: check_active},
        success: function(){
            $(loader).css("visibility","hidden");

        }
    });
return true;
});

Here is active.php..

<?php

include("dbinfo.php");
mysql_connect($server,$username,$password);
@mysql_select_db($database) or die( "Unable to select database"); 

$active = mysql_real_escape_string($_POST['active']);
$id = mysql_real_escape_string($_POST['id']);

$addEntry = "UPDATE entries SET active = '$active' WHERE id = '$id'";
mysql_query($addEntry) or die(mysql_error());


mysql_close();
?>
AstroCB
  • 12,337
  • 20
  • 57
  • 73
Dustin
  • 4,314
  • 12
  • 53
  • 91
  • Just to clarify are you worried about an admin changing records they should not be changing? If so this is just a permissions issue and should be dealt with via ACL. I can't see anyway around embedding an id within your JS / HTML to trigger each record, and this is fine and the normal way to do things. However if you're worried about changing something they shouldn't you should just check that they are allowed to do it. – Steve H Jun 22 '12 at 14:32

2 Answers2

2

You should be setting a $_SESSION value with their account information in it so if they try to access an account that isn't there's you can catch it and flag it appropriately. Just the ID number of their account probably would be sufficient. You definitely should not be putting this in hidden fields or anywhere where the user can change it.

John Conde
  • 217,595
  • 99
  • 455
  • 496
  • Hmm, in this case he's talking about an admin who would I assume be able to see all the data, therefore he has to use an ID exposed otherwise how would he know which record needs to be updated? I agree on the $_SESSION though, the issue is not that the values are within hidden fields, just that he needs to check permission(s) before carrying out the query. – Steve H Jun 22 '12 at 14:36
  • Your answer came up after Googling "prevent checkbox from being changed php" for this question http://stackoverflow.com/q/30645705/ - *3 seconds on Google*, classic. – Funk Forty Niner Jun 04 '15 at 14:02
1

You can't.

firebug has full control over the HTML.

But your not worried about HTML, your actually worried that the user will do something funky in active.php, which is exactly where you should add more protection.

If an admin has the right to edit the active state of entries, then he should be able to edit any entry he wants in any way that you will allow it.

The security issue that you describe where some malicious admin can change the id in the HTML and have the wrong record change the active state is nothing compared to an even more malicious user that can send a post request to your active.php page just like your ajax script does, but using his server, effectively having access to change any active state on any entry.

What you should do is to perform some kind of authentication on the active.php

Be it using SESSIONS or HTTP

Timo Huovinen
  • 53,325
  • 33
  • 152
  • 143
  • Good answer, this is what I was referring to in my comments, exposing id's is a moot point, ACL = solution. – Steve H Jun 22 '12 at 14:42
  • @SteveH I prefer [Capability based security](http://en.wikipedia.org/wiki/Capability-based_security) over [Access Control Lists](http://en.wikipedia.org/wiki/Access_control_list), but I think thats too much info for OP – Timo Huovinen Jun 22 '12 at 15:06