Reputation: 1208
I have developed a bulletin board from scratch using CodeIgniter, PHP, and PDO for MySQL. Now I'm currently cleaning it up and testing for defects / security flaws. I came across a minor defect that I cannot think of a solid solution for. Users can flood my database with random comments that are not even associated with any forum posts. To better describe this issue let me briefly explain my system.
When you sign in to view a post, the post object along with any related comments via post_id are pulled from the database. You can choose to read the post and leave your own comment. The comment form towards the bottom has a hidden field called pid which stores the id of the current post we are viewing so I can keep the state when you click the submit button. However there is a downfall to this. The hidden field can be modified to whatever integer value before being submitted, as you could probably guess.
The URL scheme looks something like this when you're viewing a post:
http://www.domain.com/forum/post/22
And after pressing submit, you will be redirected to a URL that looks like:
http://www.domain.com/forum/create_comment
... where the comment information will be inserted into the database along with associated user id and post id.
I tried testing against a referer URL but the case is similar. I've come up with several solutions but I don't know if any of them are ideal: enforcing JavaScript, storing the pid in a session, and/or obfuscating the information hidden in the field.
Upvotes: 4
Views: 163
Reputation: 180065
You can't enforce JavaScript, storing the pid in a session is going to drive anyone with multiple tabs nuts, and obfuscation never works well.
One potential solution is using a salted hash to verify the data. For example:
<input type="hidden" name="pid" value="<?= $pid ?>" />
<input type="hidden" name="pid_hash" value="<?= sha1('this is my salt' . $pid) ?>" />
On submission, you'd reject anything where the hash doesn't fit the pid value. As the salt is never exposed to the user's browser, they should have a difficult time faking it for a non-existent pid.
Upvotes: 5
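An added example of the approach the answer describes, written for this thread rather than taken from the answer or from CodeIgniter: it swaps the sha1(salt . pid) construction for a keyed HMAC (hash_hmac with a server-side secret) and compares in constant time with hash_equals. The PID_SECRET constant is a placeholder; in practice it would live in the application config, never in the form.

```php
<?php
// Added example, not the answer's code. PID_SECRET is a placeholder;
// keep the real value server-side (config/env), never in the HTML.
const PID_SECRET = 'replace-with-a-long-random-secret';

// Keyed hash of the post id. HMAC instead of sha1(salt . pid): same idea as
// the answer, but a proper keyed construction (no length-extension issues).
function pid_hash(int $pid): string {
    return hash_hmac('sha256', (string) $pid, PID_SECRET);
}

// Fields to emit in the comment form for the post being viewed.
function render_hidden_fields(int $pid): string {
    $hash = pid_hash($pid);
    return '<input type="hidden" name="pid" value="' . $pid . '" />' . "\n"
         . '<input type="hidden" name="pid_hash" value="' . $hash . '" />';
}

// In create_comment: returns the verified pid, or null if the field was
// missing, malformed, or the hash does not match what the server issued.
function verify_pid(array $post): ?int {
    if (!isset($post['pid'], $post['pid_hash'])) {
        return null;
    }
    if (!ctype_digit((string) $post['pid'])) {
        return null;                      // reject "-1", "22abc", etc.
    }
    $pid = (int) $post['pid'];
    // Constant-time comparison so timing does not leak the expected hash.
    if (!hash_equals(pid_hash($pid), (string) $post['pid_hash'])) {
        return null;
    }
    return $pid;
}

// Usage in the create_comment handler (assumed structure, not CodeIgniter's):
$pid = verify_pid($_POST);
if ($pid === null) {
    http_response_code(400);
    exit('Invalid post reference');
}
// $pid was issued by this server; still confirm the post exists (and accepts
// comments) before the INSERT, e.g. via a foreign key on comments.post_id.
```

A matching hash only proves the server once rendered that pid, so the existence check against the posts table (or a foreign key constraint) still belongs in the insert path.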