Protecting a form from being manipulated

Question

Hello my dears you always help me go further.

I have a problem with a form.

How can I protect it from user manipulation after being submitted?

FORM

<form method="post" action="/selling.php" />
<input type="hidden" name="user" value="{$_SESSION['session_username']}" />
<input type="hidden" name="price" value="$price" />
<input type="hidden" name="nick" value="$nick" />
<input type="hidden" name="class" value="$class" />
<input type="hidden" name="amount" value="$amount" />
<input type="submit" name="reset" class="input_submit" value="Submit" />
</form>";

How does it work?

The user logs in on my website, then based on his "$username", I retrieve his info from DB (nickname,class) and based on some conditions I create a "$amount" and "$price" for it.

Everything goes automatically, all the user has to do is to click the "Submit" button.

But I found out that he can manipulate the whole form and change for example the "$price" to 0...

What should I do and how?

Answer 1

Wherever you might derive $amount and $price from, it seems to be calculated before outputting the form. This means you can also just store those two values in a session like

$_SESSION['amount'] = $amount;
$_SESSION['price'] = $price;

and get rid of them in the form completely. You will be able to access these sessions in selling.php so long as you start the session before trying to access it by doing:

session_start();

Through this, none of the sensitive information will be shown in the form/source code, but it will still be available in selling.php.

Remember to always do validations in the backend, i.e. php code, never in the front end.