
This is a security "principle" question...

This form includes a hidden field, which gets included in the POST request, and tells the server-side code which row in the database table to update (assuming all the fields have been properly validated).

<form method="post" name="update">
<p><input name="table_row_index" type="hidden" value="102" /></p>
<p><input name="Name" type="text" value="Adam Black" /></p>
<!-- type="submit" so the button actually sends the POST request described above -->
<p><input name="Submit" type="submit" value="Submit" /></p>
</form>

Couldn't someone edit the HTML and change the "table_row_index" value to a valid number and thus overwrite a row they shouldn't have access to?

So, my questions really are...

  • Should you use the table index in the form as the row id?
  • If not, how would you tell the PHP which row to update? (please assume the form is not page specific... the contents are updated as per a user action).
  • The Client-side can always be altered *(this won't affect your site itself)*. Validation on the Server should take place before database table insertion. – StackSlave Jan 02 '20 at 01:18
  • Presumably your table row includes information about who "owns" the data in the row and who should have permission to update it? If so, then compare that data with information about the current user. If you don't have that information then you need to redesign your database. – Dai Jan 02 '20 at 01:18
  • Test for the proper `$_POST` or `$_GET` variables and use Regular Expressions, for validation on the Server *(assuming you're using PHP)*, before using [Prepared Statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) to do your `INSERT`s. – StackSlave Jan 02 '20 at 01:26
  • 1
    The *source* of a variable doesn't matter. It's *destination* that matters. Is a variable going to be used in the SQL query? Then it *is* dangerous. – Your Common Sense Jan 02 '20 at 07:39
  • Thanks, but all these comments seem to miss (or re-make) the original question. The SQL needs a row index number, e.g. " ...WHERE index = '102'..." So how do you deal with the issue of a form that tells the server what index to update, without giving the client the ability to modify the index... surely this is something people have had to think through in the past? – Dave Moore Jan 02 '20 at 22:19
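The approach Dai's comment points at, written out as an added example (not code from the question or any commenter): the PHP handler the form posts to keeps accepting the row id from the client, but the UPDATE is scoped to the logged-in user, so a forged `table_row_index` cannot touch another user's row. It assumes `$_SESSION['user_id']` was set at login, `$mysqli` is an open mysqli connection, and a table `people` with columns `id`, `owner_id`, `name`; all of these are constructed for the example.

```php
<?php
// Added example, not from the original question or comments.
// Assumptions: session_start() + login already set $_SESSION['user_id'];
// $mysqli is an open mysqli connection; table `people` has id, owner_id, name.
session_start();

function updateOwnRow(mysqli $mysqli, int $userId, array $post): string
{
    // Validate the shape of both fields before they get anywhere near SQL.
    $rowId = filter_var(
        $post['table_row_index'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    $name = trim((string) ($post['Name'] ?? ''));
    if ($rowId === false || $name === '' || mb_strlen($name) > 100) {
        return 'invalid input';
    }

    // The row id still comes from the client. What protects the data is the
    // ownership predicate: owner_id is bound from the session, which the
    // client cannot edit, so a tampered id simply matches no row.
    $stmt = $mysqli->prepare(
        'UPDATE people SET name = ? WHERE id = ? AND owner_id = ?'
    );
    $stmt->bind_param('sii', $name, $rowId, $userId);
    $stmt->execute();

    // 0 affected rows: the id does not exist or belongs to someone else.
    // Report both the same way (no oracle for which ids exist) and log it,
    // because a forged table_row_index is exactly what this looks like.
    if ($stmt->affected_rows === 0) {
        error_log(sprintf('update denied: user %d, row %d', $userId, $rowId));
        return 'not found';
    }
    return 'updated';
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
echo updateOwnRow($mysqli, (int) $_SESSION['user_id'], $_POST);
```

One caveat when relying on `affected_rows`: by default MySQL reports rows actually changed, so re-submitting an unchanged name also yields 0; connect with the `MYSQLI_CLIENT_FOUND_ROWS` flag if you need "matched" rather than "changed" to distinguish a legitimate no-op from a denied update.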
