-2

I have been developing a social network. I have noticed some security issues where the user can change the variables in javascript/jquery to other user_id's, text content, and other information that has been loaded into the scripts. And this is all done via the inspect tool or other software that can edit the languages. They can even rewrite the functions.

I load data onto the page via php and sql after sending the url_id to a php function.

I have javascript and jquery scripts that in return use this data to perform ajax, post, and get requests and to perform functions.

How can I stop the user from changing these variables before they are sent off to the server? For example when a user makes a post they can change the id to make it someone else's post, or when they click delete an image they can delete someone else's and it gets more complicated. This is a huge concern.

These scripts are included in the php pages or in php scripts that are loaded via ajax.

How can I stop this? Can you give me an easy explanation? I have been searching for months on how to stop this. I still don't understand how to stop the user from doing so. If there is another way could to do this? Can you provide me with true 100% examples? What are the other options I have?

Here are some snippets of my code

    <? if (login_check($mysqli) == true) : ?>
    <script>
        $.post("auto/online.php?q=<? echo $id ?>");
        function o() {
            setTimeout(function() {
                $.post("auto/online.php?q=<? echo $id ?>");
                o();
            }, 6e4);
        }
    </script>
    <? endif; ?>

    <?php echo '<div class="post-btn" onclick="ajaxPost(postenter.value,\''.$name.'\',\''.$id.'\');" title="Post">Post</div>'; ?>

    function ajaxPost(content,name,id) {

    var ip = '<?php echo $ip ?>';
    content = content.replace(/<br\s*\/?>/mg,"\n");
    var postArray = [content, id, ip];
    postArray = JSON.stringify(postArray);
    alert(postArray);

    if (content.length == 0) {
        alert('Oops it looks like your post is empty.');
    } else {
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                document.getElementById("postenter").innerHTML = "";
                var html = xmlhttp.responseText; 
                alert(html);
                $(html).hide().insertAfter("#wrapper").fadeIn(500);
                document.getElementById("postenter").value = "";
            }
        }
        xmlhttp.open("POST", "auto/post.php", true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xmlhttp.send('data=' + postArray);
    }
    }

    <? if ($id == $user) : ?>
        <div class="modalSetPro" onclick="setProImage(<? echo $picID; ?>,<? echo $uid; ?>)">Set Profile</div>
        <div class="modalSetBac" onclick="setProCover(<? echo $picID; ?>,<? echo $uid; ?>)">Set Background</div>
        <div class="modalDelImg" onclick="delItemPre(<? echo $picID; ?>, 1, <? echo $uid; ?>)">Delete</div>
    <? endif; ?>

    function delItemPre(itemID, type, user) {
        var modArr = [itemID, type, user];
        modArr = JSON.stringify(modArr);        
        $("#LoadMe").load('modals/del_modal.php?p=' + modArr);
    }
DarkMoria
  • 90
  • 13

4 Answers4

1

You are not able to prevent this, which is why server-side validation is required.

Here is a stackoverflow discussing it: Why do we need both client side and server side validation? There is some good information here: http://www.w3schools.com/php/php_form_validation.asp

Basically, you want to put your validations in the PHP page that you are posting your ajax to.

Community
  • 1
  • 1
Jamieson Rhyne
  • 428
  • 3
  • 10
  • Could you provide an example of how to validate this server side? I have posted some code snippets – DarkMoria Jul 15 '15 at 18:20
  • I edited my response to add some information for you. – Jamieson Rhyne Jul 15 '15 at 18:28
  • I understand how to do php checks on forms, but what about validating user id's so they can't change it to someone else's on the client side with php? – DarkMoria Jul 15 '15 at 18:34
  • Ahh, I understand. The only way I know of to handle this is to return the PHP session id to the client, and include this back in your request. Then make sure that the session id is valid, and that the user in that session has access to the id. You should always re-authorize access with each request. – Jamieson Rhyne Jul 15 '15 at 18:39
1

How can I stop the user from changing these variables before they are sent off to the server? For example when a user makes a post they can change the id to make it someone else's post, or when they click delete an image they can delete someone else's and it gets more complicated. This is a huge concern.

You can't.

Your server side code should evaluate the user's privileges and decide whether or not they can do the action. JavaScript validation is more for the user experience - guiding and preventing mistakes.

ceejayoz
  • 176,543
  • 40
  • 303
  • 368
  • Would you care to provide an example of a php page to validate this with a code snippet I've used? – DarkMoria Jul 15 '15 at 18:26
  • @DarkMoria No, I'm not going to write your code for you. Examples of PHP-based server-side validation are easily found. – ceejayoz Jul 15 '15 at 18:34
  • Thanks for your feedback, over the course of 5 months I've learn a lot about security. Thanks. It is tough for new users to learn the full view of real "server side" code, and what you do and don't do. – DarkMoria Dec 25 '15 at 07:48
0

Store and check all insecure data on server side, not client. This way user can't change it.

Evgeny Bovykin
  • 2,572
  • 2
  • 14
  • 27
0

First of all when you are working on client side you have no control how user interact with you jquery or javascript code. So thumb rule is that never expose sensitive data in html or java script.

More over If you are curious about security you have not required to load User id in hidden field or any other client side code(html). In you case like when user is replying to any post you have to crosscheck at server side whether current logged in user is authorized to perform this task or not. also cross check whether this post is relate to current logged in user. I have no knowledge about php but in asp.net we can create a session at server side and when user post data get the User id from session not from html content posted by user.

Rajesh Kumar
  • 2,443
  • 3
  • 28
  • 43