Reputation: 4947
I'm using MVC for my data entry form and I have the following div:
<div>
    <label>Bar Code:</label>
    @if (Model.GiftCardId == default(int))
    {
        @Html.TextBoxFor(model => model.BarCode)
    }
    else
    {
        @Html.TextBoxFor(model => model.BarCode, new { @readonly = "readonly" })
    }
</div>
Here, I'm making sure that if the user is entering a new gift card, an editable input is displayed to allow the user to enter a new bar code. But if the user is editing an existing gift card, the input must display as a readonly input. My question is: can the user alter the readonly attribute of the barCode input and allow himself to enter a different one? The BarCode field is not the primary key in the table but it must be unique. I use the GiftCardId field to identify the record. But then, what's to stop the user from changing the GiftCardId as well when submitting the form? How can this be controlled?
Upvotes: 1
Views: 1487
Reputation: 5761
I understand this to be a security-related question, i.e. can the user hack the form to do something with it that you didn't intend?
The answer is yes, a user can use tools like Firebug to interfere with the markup, thereby changing the readonly attribute.
You don't show how the GiftCardId is collected from the user. Assuming it is collected and validated in a previous view / action method, a more secure approach would be to redirect to a different view depending on whether the GiftCardId is valid / new or not.
Edit after comments
A couple of suggestions.
Upvotes: 2
Reputation: 2660
The simple answer is "Yes": all requests can be forged. That's why you should never trust user inputs and should validate the user inputs on the server side.
What you can do really depends on what you need and the implications of the GiftCardId being modified. Things you could do in addition to the server-side validation:
1. hide the field instead of making it visible
2. encrypt the GiftCardId
Upvotes: 0
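The server-side validation the answers recommend, as an added sketch that is not code from the question or from any answer: on edit the record is loaded by GiftCardId on the server, the caller's right to edit it is checked, and the posted BarCode is never copied. The in-memory store, `OwnerId`, `Amount`, `GiftCardService` and the user names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model: only GiftCardId and BarCode come from the question.
public class GiftCard
{
    public int GiftCardId;
    public string BarCode;
    public string OwnerId;   // assumed: the user allowed to edit this card
    public decimal Amount;   // assumed: a field that stays editable
}

public static class GiftCardService
{
    static readonly List<GiftCard> Store = new List<GiftCard>();  // stands in for the table
    static int nextId = 1;

    // 'posted' is whatever the browser sent; every field in it is untrusted.
    public static string Save(GiftCard posted, string currentUser)
    {
        if (posted.GiftCardId == default(int))   // new card: BarCode is accepted once
        {
            if (string.IsNullOrWhiteSpace(posted.BarCode)) return "rejected: bar code required";
            // A unique index on BarCode in the database should back this check up.
            if (Store.Any(c => c.BarCode == posted.BarCode)) return "rejected: duplicate bar code";
            Store.Add(new GiftCard { GiftCardId = nextId++, BarCode = posted.BarCode,
                                     OwnerId = currentUser, Amount = posted.Amount });
            return "created";
        }
        // Existing card: look it up server-side and check the caller may edit it.
        var existing = Store.FirstOrDefault(c => c.GiftCardId == posted.GiftCardId);
        if (existing == null || existing.OwnerId != currentUser) return "rejected: not found";
        existing.Amount = posted.Amount;   // copy editable fields only; posted.BarCode is ignored
        return "updated";
    }

    public static void Main()
    {
        // Constructed requests: a create, a tampered edit, a swapped GiftCardId, a duplicate.
        Console.WriteLine(Save(new GiftCard { BarCode = "A-100", Amount = 10 }, "alice"));
        Console.WriteLine(Save(new GiftCard { GiftCardId = 1, BarCode = "B-999", Amount = 25 }, "alice"));
        Console.WriteLine(Save(new GiftCard { GiftCardId = 1, Amount = 0 }, "bob"));
        Console.WriteLine(Save(new GiftCard { BarCode = "A-100" }, "bob"));
        Console.WriteLine("stored bar code: " + Store[0].BarCode);
    }
}
```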