1

I have created a form that contains the following within its <form> tag:

<input type="hidden" value="<?php echo $user_id ?>" name="author">

The problem I see here is that users can easily inspect element and change the value... and when doing so, affect how that value is processed in the form.

How do people make this type of form processing more secure so that users can't alter values?

Henrik Petterson
  • 1
    1. use encrypted data 2. use cookies to pass (semi-hidden) data – Stephen Reindl Jan 23 '15 at 15:37
  • @StephenReindl Can you please demonstrate how I would use encrypted data? This is the approach I am most interested to go with. – Henrik Petterson Jan 23 '15 at 15:39
  • What about storing value inside session on server? It may prevent you to add an hidden input on form. – Giorgio Jan 23 '15 at 15:42
  • This is what [signing](http://en.m.wikipedia.org/wiki/Digital_signature) is for. Also, if you don't want users to know the content of your data, encrypt it first and then sign it. – JCOC611 Jan 23 '15 at 17:37

2 Answers

2

The problem I see here is that users can easily inspect element and change the value... and when doing so, affect how that value is processed in the form.

Your application should not allow any such action without full server-side authorisation checks.

If the user is not supposed to be able to change the author value, you shouldn't even bother reading the author value in the form submission; take the value you originally put into the form. If the user is supposed to have limited ability to change the author value (e.g. only Administrator users can change the author), then check to see if the author value is allowed for the current user, and if it isn't then generate an error.

How do people make this type of form processing more secure so that users can't alter values?

The user is completely in control of what happens on the client-side, you can't make a browser take that control away from them. The security control must be on the server side.

(Some comments are suggesting encryption to protect a value given to a user, but this is much harder to get right than it looks. Applying an encryption function alone is no protection against tampering at all; to do that you need message signing and some connection between data in the signed message and the user/session and field purpose so the user can't just paste in an encrypted value they find elsewhere. Don't go this way until you really need to, the road is littered with corpses.)

<?php echo $user_id ?>

BTW you should use htmlspecialchars() when echoing any variable data into an HTML template otherwise you are vulnerable to HTML-injection (XSS).

bobince
  • This is a great answer, although I do need one clarification. I am currently using htmlspecialchars() on any values passed through the form on the server-side (when grabbing the value). Are you saying that I should use htmlspecialchars() even when I echo the value on the HTML page? – Henrik Petterson Jan 25 '15 at 12:41
  • 1
    Yes, the proper place to HTML-escape is at the point you take text and insert it into HTML, in the template. It's not a good idea to do it at form-submission-reading time because that means (a) you get HTML-escaped content in the database, which doesn't search/sort properly, (b) when you do string processing on the data you risk breaking the escapes, (c) any data that doesn't originally come from a form fails to be escaped on-page and (d) any data that goes out to a format that isn't HTML gets inappropriately escaped. – bobince Jan 25 '15 at 14:38
1

I'm not a PHP crack, but I would use something like

<input type="hidden" value="<?php echo encrypt($user_id, $secret) ?>" name="author"/>

where encrypt() should be a PHP encryption function (maybe How do you Encrypt and Decrypt a PHP String? will help...).

On the server side you may use

$user_id = decrypt($_POST["author"], $secret);

If conversion fails, somebody did something. To harden your data even further, you could add some checksum field to cover the complete data set of hidden values. ASP.NET does something similar with the data it passes to the client as part of a form...

Stephen Reindl
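As an added example, not code from the question or from either answer, here is one way in PHP to do what bobince's answer describes (a signed hidden field bound to the session and the field's purpose) and what Stephen's answer reaches for (a value the server can verify on the way back). The secret key, session id and user id below are constructed placeholders, and the function names are my own.

```php
<?php
// Added example; not code from the question or either answer. It implements what
// bobince's answer describes: the hidden value is not encrypted but signed with an
// HMAC that also covers the session id and the field name, so an edited value, or a
// valid token pasted in from another session or another field, fails verification.
// $secret_key is an assumed server-only value loaded from configuration. For the
// "author" field itself the simpler fix still applies: ignore the submitted value
// and read the user id from the server-side session.
declare(strict_types=1);

function sign_hidden_field(string $field, string $value, string $session_id,
                           string $secret_key, int $expires_at): string
{
    // json_encode keeps the payload unambiguous even if $value contains separators.
    $payload = json_encode([$field, $value, $session_id, $expires_at]);
    $mac = hash_hmac('sha256', $payload, $secret_key);
    // Only value, expiry and MAC go to the client; field and session are re-derived server-side.
    return base64_encode(json_encode([$value, $expires_at, $mac]));
}

// Returns the original value, or null when the token is malformed, tampered with,
// bound to a different session or field, or expired.
function verify_hidden_field(string $field, string $token, string $session_id,
                             string $secret_key, int $now): ?string
{
    $raw = base64_decode($token, true);
    $parts = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($parts) || count($parts) !== 3 || !isset($parts[0], $parts[1], $parts[2])
        || !is_string($parts[0]) || !is_int($parts[1]) || !is_string($parts[2])) {
        return null;
    }
    [$value, $expires_at, $mac] = $parts;
    if ($expires_at < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', json_encode([$field, $value, $session_id, $expires_at]), $secret_key);
    return hash_equals($expected, $mac) ? $value : null;   // constant-time comparison
}

// Demo with constructed values. In a real request use session_id() after session_start()
// and a secret from configuration; never echo the secret into the page.
$secret_key = 'constructed-demo-secret-do-not-reuse';
$sid = 'constructed-session-id';
$token = sign_hidden_field('author', '42', $sid, $secret_key, time() + 3600);
// Rendering: still escape with htmlspecialchars(), as bobince notes, even for our own token.
echo '<input type="hidden" name="author" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">', PHP_EOL;
$accepted = verify_hidden_field('author', $token, $sid, $secret_key, time());                 // original value back
$rejected = verify_hidden_field('author', $token, 'another-session', $secret_key, time());    // null: session mismatch
$forged   = verify_hidden_field('author', base64_encode(json_encode(['43', time() + 3600, 'x'])), $sid, $secret_key, time()); // null: bad MAC
```

The accepted value is then still subject to the authorisation check from the first answer: a valid token proves the server issued that value to this session, not that the user may act as that author.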