Best ways to secure form data from malicious users wielding Firebug?

Question

I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.

What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?

I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.

Not just "malicious" users - I routinely run firebug on interesting pages, just to see how they are put together. — , May 24 '11 at 20:13

PeeHaa · Accepted Answer · 2011-05-24T22:18:37.000

You can't use jQuery for security since it's all handled on the client side.

In your example just use a PHP session in staed of a hidden input field, because as you rightfully noted this can be manipulated.

Using sessions would look something like the following:

login page

<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="submit">
</form>

login.php

// you have to include this on every page to be able to user sessions.
// also make sure that you include it before any output
session_start();

//Always sanitize the user input before doing any db actions.

//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).

// check user credentials against db

$_SESSION['user'] = $dbresult['username'];

page-where-userid-is-required.php

session_start();

if (!isset($_SESSION['user'])) {
    // user is not logged in!
} else {
    // use user info to place order for example
}

The session will be active until the user closes his browser / until the session expires (which is a PHP setting)

The above is just some sample code to give you an idea.

It works smaller projects, however as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )

But that's just a whole other story :)

Thanks. I'm looking into using PHP sessions as I've never used them on a server-side script to gather user data. — Ryan Burney, May 24 '11 at 22:04
@Ryan: updated my answer to give an example of using sessions — PeeHaa, May 24 '11 at 22:18
rock on. I'll give this a whirl and report back. Thanks a ton. — Ryan Burney, May 25 '11 at 01:02

score 1 · Answer 2 · answered May 24 '11 at 20:14

1

Here are a few basic suggestions:

You need to validate form inputs using a server-side (PHP) script.
Instead of relying on sensitive pieces of information, such as member ID, from the form you could instead cache such data in your server session. That way there is no way for a malicious user to change the data on the fly.

You can still use jQuery validation as a convenience to catch basic input problems, but you can only trust data that is validated using server-side code.

answered May 24 '11 at 20:14

Justin Ethier

131,333
52
229
284

thanks for the response. Would you mind elaborating on caching data in the server session? I'm using a CMS that might already have this information available, but I'm not sure how to grab it in my server side script. Is there a standard way to get this information in PHP? (edit: I'm looking into this now) – Ryan Burney May 24 '11 at 22:00

Best ways to secure form data from malicious users wielding Firebug?

2 Answers2

Linked