James

Reputation: 546

Editing HTML then posting via PHP

I have a scenario. Let's say someone is on my website and there is a form which adds an event for example and there is a field as follows:

<input type="text" name="title" id="title">

Let's say that person uses the F12 developer tools and changes the id="title" to id="whatever", or even removes the id attribute. How would I then make my PHP script stop running so that nothing is posted to MySQL?

Here's an example for a Bookmarks feature I have: (front-end form)

<form action="bookmarks.php" method="post" enctype="multipart/form-data">
  <div class="control-group">
    <label class="control-label" for="title">Title*</label>
    <div class="controls">
       <input class="span12" id="title" name="title" type="text" placeholder="e.g. Oliver's pet cat...">
    </div>
  </div><!-- /control-group -->
  <div class="control-group">
    <label class="control-label" for="link">Link*</label>
    <div class="controls">
       <input class="span12" id="link" name="link" type="text" placeholder="e.g. http://boopeo.com">
       <input type="hidden" name="parse_var" id="parse_var" value="addbookmark" />
       <br /><input name="submit" type="submit" class="btn btn-success span12" value="Bookmark" />
    </div>
  </div><!-- /control-group -->
</form>

Back-end PHP:

if (isset($_POST['parse_var'])) {
    $parser = htmlspecialchars($_POST['parse_var']);
    if ($parser == "addbookmark") {
        $title   = htmlspecialchars($_POST['title']);
        $linkurl = htmlspecialchars($_POST['link']);

        // Fetch the member's 20 most recent links with a bound parameter
        // instead of interpolating $id into the SQL string.
        $sqlrecentmark = $db->prepare("SELECT link_url FROM tablenamehere WHERE mem_id = :mem_id ORDER BY id DESC LIMIT 20");
        $sqlrecentmark->execute(array('mem_id' => $id));
        $recent_links = array();
        while ($row = $sqlrecentmark->fetch(PDO::FETCH_ASSOC)) {
            $recent_links[] = $row["link_url"];
        }

        // Compare against every recent link, not only the last row of the loop
        // (which also left $recent_link undefined when there were no rows).
        if (!in_array($linkurl, $recent_links, true)) {
            $dataact = array('mem_id' => $id, 'title' => $title, 'link_url' => $linkurl);
            $sqlactivity = $db->prepare("INSERT INTO tablenamehere (mem_id, title, link_url) VALUES (:mem_id, :title, :link_url)");
            $sqlactivity->execute($dataact);
        } else {
            $not_msg = '<br /><br /><div class="alert alert-error">Oops! You have added that bookmark before. Just look and you shall find!</div>';
        }
    }
}

Upvotes: 0

Views: 96

Answers (2)

Nick Rolando

Reputation: 26167

The id of the input field doesn't get passed as posted data, so there's no way to tell in the back-end PHP code. Maybe you're talking about the name attribute.

<input type="text" name="theTitle" id="aTitle">

In my above example, the input field will be posted as $_POST["theTitle"].

You could use javascript to check these elements before the form is submitted, but if you're worried about the user manipulating the DOM, that probably won't help much.

After reading your concern about the Undefined index error, you simply need to check if the variable is set before you use it:

if(isset($_POST["title"])) {
  $title = $_POST['title'];
} else {
  //output error
}

Upvotes: 1

Adam Ashwal

Reputation: 1472

Never trust data from the user. Always sanitize and validate. You are using prepared statements, which is good, so you'll be mostly protected from injection. The other thing you'll want to do is determine if the data the user has sent you matches up with what you were expecting; if it does, then proceed to use it with the database. (Which you are for the most part doing, so in all honesty there should be no bad effects from a malicious user.)

Upvotes: 1
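Both answers come down to the same server-side rule: the browser controls everything it sends, so the handler has to check the posted names, presence, type and shape of each field itself and never trust the DOM. The following is an added example (not code from the question or from either answer) of a bookmark handler written that way. It assumes `$db` is a PDO connection with exceptions enabled, that the member id comes from the session rather than from the form, and a hypothetical table named `bookmarks` with columns `mem_id`, `title` and `link_url`.

```php
<?php
// Added example, not the question's or the answers' code. Assumes $db is a PDO
// connection, $_SESSION['mem_id'] was set at login, and a hypothetical table
// `bookmarks` (mem_id, title, link_url).

declare(strict_types=1);

/**
 * Validate the raw POST array against what the form is expected to send.
 * Element ids never reach the server; only name=value pairs do, so the check
 * is on names, presence, type and shape. Returns ['ok' => true, ...clean values]
 * or ['ok' => false, 'errors' => [...]].
 */
function validate_bookmark_post(array $post): array
{
    $errors = [];

    // Every expected field must exist and be a plain string (not an array
    // smuggled in as title[]=...), which also avoids the "Undefined index" notice.
    foreach (['parse_var', 'title', 'link'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "Missing or malformed field: $field";
        }
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // The hidden field is a dispatch key; accept only the known value.
    if ($post['parse_var'] !== 'addbookmark') {
        $errors[] = 'Unknown action';
    }

    $title = trim($post['title']);
    if ($title === '' || mb_strlen($title) > 100) {
        $errors[] = 'Title must be 1-100 characters';
    }

    $link = trim($post['link']);
    // filter_var rejects anything that is not syntactically a URL; the scheme
    // whitelist keeps javascript: or data: links out of the database.
    if (filter_var($link, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($link, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors[] = 'Link must be an http(s) URL';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'title' => $title, 'link' => $link];
}

/**
 * Insert the bookmark unless this member already has that URL. Both queries
 * are prepared, so $memId and $link are bound parameters, never spliced into
 * the SQL string. Returns false when the bookmark already existed.
 */
function add_bookmark(PDO $db, int $memId, string $title, string $link): bool
{
    $dup = $db->prepare('SELECT COUNT(*) FROM bookmarks WHERE mem_id = :mem_id AND link_url = :link');
    $dup->execute(['mem_id' => $memId, 'link' => $link]);
    if ((int) $dup->fetchColumn() > 0) {
        return false;
    }

    $ins = $db->prepare('INSERT INTO bookmarks (mem_id, title, link_url) VALUES (:mem_id, :title, :link)');
    $ins->execute(['mem_id' => $memId, 'title' => $title, 'link' => $link]);
    return true;
}

// --- request handling ------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validate_bookmark_post($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        // Escape on output, not on input: the stored value stays the real title/URL.
        foreach ($result['errors'] as $e) {
            echo '<div class="alert alert-error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</div>';
        }
        exit;
    }

    $memId = (int) $_SESSION['mem_id']; // assumption: populated at login, never from the form
    if (!add_bookmark($db, $memId, $result['title'], $result['link'])) {
        echo '<div class="alert alert-error">Oops! You have added that bookmark before.</div>';
    }
}
```

Two design points differ from the question's handler: the member id is read from the session instead of being trusted from the request, and `htmlspecialchars` is applied when the value is echoed back rather than before it is stored, so the database holds the real title and URL and the escaping is chosen by the context that renders it.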
