0

Type="hidden" in HTML is changed from F12 and breaks. How can I prevent this? I showed the place below. I don't know PHP, please help. I searched but couldn't find anything. I did a few tries but they didn't work. Do my query with if?

type="hidden": with F12 "devtools" everyone can edit it to type="email" or similar and change the input value. Then you can fill in something else and send.

<?php 
    // Include configuration file 
    require_once 'config.php'; 
     
    // Include User library file 
    require_once 'User.class.php'; 
    
    if (isset($_POST['part'])) {
        $data = $sql->fetch_assoc();
        exit(createCommentRow($data));
    }
     
    if(isset($_GET['code'])){ 
        $gClient->authenticate($_GET['code']); 
        $_SESSION['token'] = $gClient->getAccessToken(); 
        header('Location: ' . filter_var(GOOGLE_REDIRECT_URL, FILTER_SANITIZE_URL)); 
    } 
     
    if(isset($_SESSION['token'])){ 
        $gClient->setAccessToken($_SESSION['token']); 
    } 
     
    if($gClient->getAccessToken()){ 
        // Get user profile data from google 
        $gpUserProfile = $google_oauthV2->userinfo->get(); 
         
        // Initialize User class 
        $user = new User(); 
         
        // Getting user profile info 
        $gpUserData = array(); 
        $gpUserData['oauth_uid']  = !empty($gpUserProfile['id'])?$gpUserProfile['id']:''; 
        $gpUserData['first_name'] = !empty($gpUserProfile['given_name'])?$gpUserProfile['given_name']:''; 
        $gpUserData['last_name']  = !empty($gpUserProfile['family_name'])?$gpUserProfile['family_name']:''; 
        $gpUserData['email']       = !empty($gpUserProfile['email'])?$gpUserProfile['email']:''; 
        $gpUserData['gender']       = !empty($gpUserProfile['gender'])?$gpUserProfile['gender']:''; 
        $gpUserData['locale']       = !empty($gpUserProfile['locale'])?$gpUserProfile['locale']:''; 
        $gpUserData['picture']       = !empty($gpUserProfile['picture'])?$gpUserProfile['picture']:'';
         
        // Insert or update user data to the database 
        $gpUserData['oauth_provider'] = 'google'; 
        $userData = $user->checkUser($gpUserData); 
         
        // Storing user data in the session 
        $_SESSION['userData'] = $userData; 
         
        // Render user profile data 
        if (!empty($userData)) {
            $output = '<div class="user-card">'; 
            $output .= '<img class="userimg" src="'.$userData['picture'].'">'; 
            $output .= '<div class="userinfo">'; 
            $output .= '<div class="username">'.$userData['first_name'].' '.$userData['last_name'].'</div>'; 
            $output .= '<div style="padding-bottom: 10px;"><a class="usera">'.$userData['email'].'</a></div>'; 
            $output .= '<a class="logout usera" href="logout.php">Logout</a>'; 
            $output .= '</div></div>'; 
        }else{ 
            $output = '<h3 style="color:red">Some problem occurred, please try again.</h3>'; 
        } 
    }else{ 
        // Get login url 
        $authUrl = $gClient->createAuthUrl(); 
         
        // Render google login button 
        $output = '
            <a href="'.filter_var($authUrl, FILTER_SANITIZE_URL).'">
                <div id="googleButton">
                  <span class="icon"></span>
                  <span class="text">Log In With Google</span>
                </div>
            </a>
        '; 
    } 
?>
    
<head>
    <link rel="stylesheet" type="text/css" href="css/gwuser.css">
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
</head>
    
<div class="container">
    <form action="gwenter.php" method="POST">
        <div class="form-group">
            <?php
                if (!empty($userData)) {
                    echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">');
                } else {} 
            ?>
        </div>
        <div class="form-group">
            <?php 
                // User login button
                if (!empty($userData)) {
                    echo( '<button class="btn btn-success" id="part" type="submit">Join</button>');
                } else { 
                    echo( '<a class="btn btn-success alertsignin">Join</a>');
                } 
            ?>
        </div>
    </form>
</div>
    
<div class="container">
    <!-- Display login button / Google profile information -->
    <?php echo $output; ?>
</div>
    
<!-- partial -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.2/jquery.min.js'></script><script src="./js/alertjs.js"></script>

Here, in this place, the input with type="hidden". Please help me.

<?php
    if (!empty($userData)) {
        echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">');
    } else {} 
?>
                    
Daniel_Knights
Furkan
  • What do you mean by "breaking"? Please [edit] your question to include a detailed description of the problem you have. – Progman Dec 13 '20 at 22:16
  • 1
    What does 'changed from f12' mean? Is that some function key in your editor? –  Dec 13 '20 at 22:18
  • Please do NOT abuse text attributes. There's nothing spectacular in your question that requires boldface text – Marcin Orlowski Dec 13 '20 at 22:22
  • 1
    I think you mean that by using the developer tools in your browser you can modify the HTML to remove the `type="hidden"` from the input. This is simply the case, and you shouldn't try to prevent it, if that is possible at all. The more pertinent question is: Why do you want to do this? – KIKO Software Dec 13 '20 at 22:24
  • KIKO Software. Because the user can send another mail instead of the email. – Furkan Dec 13 '20 at 22:26
  • The solution is to not put the email address in the HTML in the first place. – KIKO Software Dec 13 '20 at 22:28
  • 1
    Anything you send to a browser can be manipulated, **Anything**. You shouldn't trust anything you receive from a browser for that reason. If you don't want a user to edit the email address, don't send it. Find a way to match the completed form with existing user data on the server. –  Dec 13 '20 at 22:29
  • KIKO Software. Sir, is there any sample? How can I do it? I do not know much. – Furkan Dec 13 '20 at 22:30
  • As CatchAsCatchCan said: Do it in PHP on the server. You get the email address from PHP, why can't you do that when the form is submitted? – KIKO Software Dec 13 '20 at 22:31

2 Answers

1

Do not do that.

TL;DR if you don't know enough to do it safely, do not do it at all until you have gotten more experienced - or believe me, you will regret it. I waited until I thought I was experienced enough. Ha! I was mistaken, and I regretted it. Do better than me.


Always assume that everything you send to the user is utterly, completely at the user's mercy. The best you can do is try to detect tampering.

In this case:

echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">');
            

you could for example store $userData['email'] in a user session variable (see $_SESSION).

For example:

// At the beginning of all involved scripts
session_start();

...

// This comes off!
/* echo( '<input type="hidden"  id="email" name="email" value="'.$userData['email'].'">'); */
// Replaced by:
$_SESSION['email'] = $userData['email'];

Then in the other script, the one receiving the form, you can even fake having received the 'email' variable from the form, while in reality you no longer do:

session_start();
$_POST['email'] = $_SESSION['email'];
// But use filter_var all the same!
// See: https://www.w3schools.com/php/filter_validate_email.asp

Now the receiving script can be sure that the $_POST['email'] variable was not tampered with, because it wasn't even sent in the first place.


Otherwise, you can store the variable into a protected string:

 $secret = 'SeekritPasswrd';
 $hash   = md5($secret.$userData['email']);

 $protected = $hash.$userData['email'];

 echo( '<input type="hidden"  id="email" name="email" value="'.$protected.'">');
            

When you read the data back, verify that $protected is correct:

 $protected = $_POST['email'];
 $hash  = substr($protected, 0, 32);
 $email = substr($protected, 32);

 $secret = 'SeekritPasswrd';
 $expect = md5($secret.$email);

 if ($hash !== $expect) {
     die("Data has been tampered with!");
 }

(You think this is clever? Well, why, I did too. Lesson learned: in some scenarios, the above is not enough).

If you need to send the client elsewhere with some information, just don't:

 CLIENT ---> YOUR SERVER      form request

 YOUR SERVER ---> CLIENT      form, in which you reveal critical information

 CLIENT ---> SOMEWHERE ELSE   # DANGER, WILL ROBINSON!

Instead, use man-in-the-middle proxying or other means to secure the information:

 CLIENT ---> YOUR SERVER      form request

 YOUR SERVER ---> CLIENT      incomplete form, in which you DO NOT reveal information

 CLIENT ---> YOUR SERVER      incomplete form with client info

 YOUR SERVER --> SOMEWHERE    complete form with information the client can't see

The above you can do in PHP using the cURL extension, or other libraries that provide the same functionality. Note: not all ISPs allow this kind of connection (from the server to another server).

 SOMEWHERE --> YOUR SERVER    reply

 YOUR SERVER --> CLIENT       reply, with critical data removed if needed

It is longer and more complicated, no doubt about that, but it is more secure.

LSerni
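
A keyed version of the "protected string" idea from the answer above, as an added example (not LSerni's code): it uses HMAC-SHA256 with a constant-time comparison in place of `md5($secret.$value)`, and binds the field to the session and to an expiry time so a signed value cannot be reused elsewhere. The key constant, function names and sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's code. APP_FIELD_KEY is a hypothetical
// placeholder: load a random 32-byte key from server-side config instead.
const APP_FIELD_KEY = 'placeholder-key-load-from-config';

// Returns "mac|expires|base64(value)". The MAC covers the session id too,
// so a value signed for one session is rejected in another.
function protect_field(string $value, string $sessionId, int $ttl = 900): string
{
    $payload = (time() + $ttl) . '|' . base64_encode($value);
    $mac = hash_hmac('sha256', $sessionId . '|' . $payload, APP_FIELD_KEY);
    return $mac . '|' . $payload;
}

// Returns the original value, or null if the field was altered, has expired,
// or was issued for a different session.
function verify_field(string $protected, string $sessionId): ?string
{
    $parts = explode('|', $protected);
    if (count($parts) !== 3) {
        return null;
    }
    [$mac, $expires, $b64] = $parts;
    $expect = hash_hmac('sha256', "$sessionId|$expires|$b64", APP_FIELD_KEY);
    if (!hash_equals($expect, $mac)) {           // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null;
    }
    $value = base64_decode($b64, true);
    return $value === false ? null : $value;
}

// Constructed sample values, for illustration only.
$sid   = 'constructed-session-id';
$field = protect_field('user@example.com', $sid);
[$mac, $expires] = explode('|', $field);
$edited = $mac . '|' . $expires . '|' . base64_encode('other@example.com');

var_dump(verify_field($field, $sid));               // untouched field
var_dump(verify_field($edited, $sid));              // value edited in devtools
var_dump(verify_field($field, 'another-session'));  // field replayed in another session
```

This only detects tampering; the value itself is still readable by the user, so anything that must stay private belongs in the session.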
-1

This is what I do: I never resend information of an item that exists in the database; I simply send the item ID and query that item's details from the server side. If you want to insert user details, don't resend them in the form. For instance, a customer wants to pay for a product which already exists in a database. Pass the product ID only.

<form>
     <?php echo $product_price?>
     <input type='hidden' name="product_id" value="<?php echo $product_id?>">
 <button>submit</button>
</form>

To process this form, the user should have been logged in; get the user details from the session.

<?php
    if (isset($_POST)) {
        // get product details from database
        $product_id = $_POST['product_id'];
        $product = "select * from products where id='$product_id'";
        // (running the query and fetching the row into $product is not shown)
        // from session get user info
        $email = $user->email;
        $data = array(
            'product_id'    => $product_id,
            'email'         => $email,
            'product_price' => $product['price']
        );
        // insert the data to database
    }
?>

With the above, users won't be able to manipulate some data. Here the only data passed through the form was the product ID.

Ezekiel Arin
  • 2
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Dec 13 '20 at 23:21
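
The approach from the second answer with the prepared statement the comment asks for, as an added example (not code from the answer or the question): the e-mail is read from `$_SESSION['userData']` as set in the question's login script, the only form value accepted is an integer product id, and the price comes from the database. The function name, table layout and sample rows are constructed, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's code. Table layout, function name and
// sample rows are constructed; an in-memory SQLite database stands in for
// the real one (requires the pdo_sqlite extension).
function build_order(PDO $pdo, array $post, array $session): ?array
{
    // The e-mail comes from the server-side session, never from the form.
    $email = $session['userData']['email'] ?? null;
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not logged in
    }
    // The only client-supplied value is the id; it must be a positive integer.
    $id = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Prepared statement: the id is bound as data, not spliced into the SQL.
    $stmt = $pdo->prepare('SELECT id, price FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $product = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($product === false) {
        return null; // unknown product
    }
    return [
        'product_id'    => (int) $product['id'],
        'email'         => $email,
        'product_price' => $product['price'], // price taken from the database
    ];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, price TEXT)');
$pdo->exec("INSERT INTO products (id, price) VALUES (1, '19.90')");

$session = ['userData' => ['email' => 'user@example.com']]; // as stored after login
// Constructed request: "email" and "product_price" fields added in devtools.
$post = ['product_id' => '1', 'email' => 'other@example.com', 'product_price' => '0.01'];

var_dump(build_order($pdo, $post, $session));                   // extra fields ignored
var_dump(build_order($pdo, ['product_id' => "1'"], $session));  // non-integer id
var_dump(build_order($pdo, $post, []));                         // no session
```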