1

How can I prevent users from forging forms on the PHP or jquery side, I am using Jquery's ajax functionality to submit the forms, and this means that tech-wise people can change some variables such as the value of something (that shouldn't be changed / is a user id or something like that) through the use of firebug or web inspector and likewise.

So how can I prevent users from changing these variables or making sure they are unchangeable through a secure and good way?

Thanks

H Bellamy
  • 22,405
  • 23
  • 76
  • 114
  • 1
    Wow, its kind of scary that you think this might be possible. – rook Dec 16 '11 at 16:33
  • Possible duplicate of [How to properly add CSRF token using PHP](https://stackoverflow.com/questions/6287903/how-to-properly-add-csrf-token-using-php) – Liam Mar 08 '18 at 14:44

5 Answers5

4

As the others have already stated, you can't prevent the user from tampering.

You are receiving data from me, and I can send you anything I want, I can even do an HTTP request by hand, without even using a browser, and you can't do anything about it.

If you don't want a user to be able to alter an information, don't provide it to him.

You can store it in PHP's session, which is stored server side (do not use cookies, they too are sent to the user) or save it in a database, both of them are not accessible to the end user.

If you still want to pass the data to the user, compute some sort of hash (a secure hash, using a secure hashing algorithm and a secure message digest as Gumbo noted, this rules out algorithms like CRC32 or MD5 and MACs like your name or birthday) of the data and store it server side, then when the user submits back the data, check if the hashes match.

But do know that this solution is not 100% secure. Hashing functions have collisions, and bad implementation exists.

I would recommend to stick to the golden rule: if it's not there, it cant break / be tampered / be stolen / etc.

Community
  • 1
  • 1
Albireo
  • 10,977
  • 13
  • 62
  • 96
  • 1
    Use a proven [message authentication code](http://en.wikipedia.org/wiki/Message_authentication_code) for this purpose. – Gumbo Dec 16 '11 at 10:45
2

You cannot prevent users from doing so.

Thariama
  • 50,002
  • 13
  • 138
  • 166
  • Why? If the variables come from the server they can be bound to a token. If the client submits the form the values don't match the tokens someone forged the request. – luastoned Dec 16 '11 at 09:54
  • it is not possible to prevent the user from changing page data using javascript or a debugging tool, the server session seems to be the only way to make form submission somewhat reliable, but that is a server-side approach – Thariama Dec 16 '11 at 09:58
  • Since the OP asked for either PHP (server) or JQuery side.. that would be possible. – luastoned Dec 16 '11 at 09:59
  • taken this into account the session variables will provide the most reliable feature here – Thariama Dec 16 '11 at 10:08
2

Store these variables in a Session.

Nick Shvelidze
  • 1,564
  • 1
  • 14
  • 28
2

You can never trust the client. Validate the form on the server to ensure the data is sane. This means checking that a given user ID has permissions to post their form, etc.

Interrobang
  • 16,984
  • 3
  • 55
  • 63
0

I'm going to go with... you can't. You never trust the user's data; client side verification is always only the first line of defense.

Aaron D. Marasco
  • 6,506
  • 3
  • 26
  • 39