Reputation: 786
Let's say I have a website where the user can edit his profile.
<form action="profile-processor.php?action=edit&id=888" method="POST">
<input type="text" name="name"/>
<input type="submit"/>
</form>
And profile-processor.php contains:
<?php
// Posted snippet, kept as-is apart from the invalid "UPDATE TABLE" keyword and
// the missing quotes around the name value. Both request values are pasted
// straight into the SQL text, which is the injection the answers call out.
if (!empty($_GET["action"])) {
    if ($_GET["action"] == "edit") {
        $query = "UPDATE users SET name = '" . $_POST["name"] . "' WHERE id = " . $_GET["id"];
        ... ... ...
    }
}
What if someone who has nothing to do with this web application creates an HTML form, puts "profile-processor.php?action=edit&id=xx" in the action, and sends the data? Will it edit as if it had been sent from its own website?
What can you do to hide the action or at least critical details like
<form action="process.php?action=SOMETHING_I_DONT_WANT_YOU_TO_SEE&id=THE_ID_YOU_SHOULD_NOT_KNOW">
</form>
I'm creating a web application that has a lot of forms that will edit database information; I just want to make sure I have some critical security.
EDIT:
I know how to use PDO and Prepared Statements perfectly, this question is more about the client-side stuff sending information to the Server side controller.
Upvotes: 1
Views: 601
Reputation: 1743
First, if your user is editing his profile then he is logged in, right? So why are you allowing the id to be passed in at all? You already know the user id, most likely from the session. The only data you need from the form in this example is the information to update.
Second, your query as posted is vulnerable to SQL injection. There are tons of questions on SO to show how to fix that.
Last, to address other answers, while you should use POST data when modifying something, it is in no way more secure than GET.
Upvotes: 1
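The points in the answer above, carried into code as an added example (this is not the asker's or the answerer's own file): the handler keeps the `action` routing from the question but takes the user id from the session instead of the query string, refuses anything that is not a POST, and runs the UPDATE as a PDO prepared statement. It assumes login stores the user's id in `$_SESSION['user_id']`; the DSN, credentials and redirect target are placeholders.

```php
<?php
// profile-processor.php, hardened version (added example, not the original code).
// Assumed: login has already put the user's id in $_SESSION['user_id'];
// the DSN, credentials and redirect path below are placeholders.
declare(strict_types=1);

session_start();

// State-changing work runs only on POST; a plain link or image tag cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// The action name may still come from the URL, but it only selects a code path.
if (($_GET['action'] ?? '') !== 'edit') {
    http_response_code(400);
    exit('Unknown action');
}

// Identity comes from the session established at login, never from the form or URL,
// so there is no "id" for another site (or another user) to substitute.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in');
}
$userId = (int) $_SESSION['user_id'];

// The only data the form has to supply is the new name; validate it.
$name = trim((string) ($_POST['name'] ?? ''));
if ($name === '' || mb_strlen($name) > 100) {
    http_response_code(400);
    exit('Invalid name');
}

// Placeholder connection details.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// The SQL text is fixed; $name and $userId travel as bound parameters, so a value
// such as "x', name = 'admin" is stored as a literal string instead of executed.
$stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
$stmt->execute([':name' => $name, ':id' => $userId]);

header('Location: /profile.php');
exit;
```

Note that the query string in the form's action can stay visible: once the id is ignored and the statement is prepared, nothing in the URL is secret, which is the practical answer to "how do I hide the action".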
Reputation: 1963
The best way that I have found is to use session variables: create a random token for each user and verify that the user is really logged in.
Another way is to generate a random code and send it in a hidden field:
<form action="profile-processor.php?action=edit&id=888" method="POST">
<input type="text" name="name"/>
<input type="hidden" name="token" value="{generate random number here}" />
<input type="submit"/>
</form>
Then verify that the token really exists inside process.php.
Upvotes: 1
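The session-token approach from the answer above, written out as an added example (not the answerer's own code): one helper mints a token per session with a CSPRNG, one renders it into the hidden field, and one checks the submitted copy in constant time before any database write. It assumes sessions are already in use; the function names are this example's own.

```php
<?php
// CSRF token helpers (added example). Assumed: session_start() is called on every
// page that renders or processes the form; function names are hypothetical.
declare(strict_types=1);

session_start();

/**
 * Return this session's CSRF token, creating it on first use.
 * random_bytes() is a CSPRNG, so another site cannot guess the value, and the
 * token lives only in the server-side session and in HTML served to this user,
 * which the browser's same-origin policy keeps a third-party page from reading.
 */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

/**
 * The hidden field to echo inside every state-changing form. htmlspecialchars()
 * keeps the markup well-formed even though the token is hex-only.
 */
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '"/>';
}

/**
 * True only if a token was submitted, one exists in the session, and they match.
 * hash_equals() compares in constant time, so a wrong guess does not reveal how
 * many leading characters were correct. $submitted is untyped on purpose: a
 * request can send token[]=... and make it an array.
 */
function csrf_check($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// In the page that renders the profile form:
//   <form action="profile-processor.php?action=edit" method="POST">
//     <input type="text" name="name"/>
//     echo csrf_hidden_field();   (inside the form)
//     <input type="submit"/>
//   </form>

// At the top of profile-processor.php, before any UPDATE is run:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing token');
    }
    // token is valid: continue with the logged-in user's update
}
```

The hidden field does not need to be secret from the user filling in the form; it only has to be unknown to the other site that builds the forged form in the question. Regenerating the token when a user logs in (alongside session_regenerate_id()) keeps a token captured before login from being useful afterwards.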