Reputation: 51
Many forms on my site are done like this:
<form action="filename.php?id=10">
But I've just realised the user can edit this variable (id) in the action. This would be a major security breach. How can I prevent this? Or what is a better way to pass through a variable?
Would putting a hidden input work?
<input type="text" hidden value="1" name="id">
What would be a better way to pass through a variable? Or a way that the user cannot change a value.
Upvotes: 1
Views: 184
Reputation: 438
There is no way to secure a form using HTML or any other client-side markup/scripting language. The key word here is client-side. Anything client-side (HTML, CSS, JavaScript) can be manipulated by the user. There is NO way to secure data client-side. That does, however, leave you with server-side.
It is only on the server side that security can be ensured. You send the data to a server where it is processed. You can use PHP, Node.js, Ruby, or whatever you want to verify the information. This tutorial gives you a great guide to getting started with validation using PHP (a server-side programming language).
For your specific case, you would want to write some PHP code that says if the ID is not valid (however you choose to determine that), then throw the user an error and don't accept the input. PHP and other server-side programming languages are wonderful if you can learn to utilize them properly.
Upvotes: 1
Reputation: 3469
The form itself, once it's in the user's browser, can be modified freely by users. There is absolutely nothing you can do about that. To secure it, the logic in your server-side code that processes the form needs to have the relevant security checks, checking that the logged-in user actually is allowed to work with the objects that their submitted form data says they're trying to work with.
Upvotes: 0
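The check the two answers above describe, written out as an added example (this is not code from the question or the answers, and it is in Python rather than the PHP the question uses; the principle is the same in any server-side language). The server never trusts the `id` that arrives from the form action or a hidden field: it identifies the user from the server-side session, validates the id syntactically, looks the object up itself, and refuses the request unless that user owns it. The invoice table, session store, user ids and the `handle_update` function are constructed for illustration.

```python
"""Server-side authorization check for a form that carries an object id.

Added example, not code from the question or the answers above. The id in
the form action (or in a hidden field) arrives from the client and can be
anything, so the server must look the object up itself and verify that the
logged-in user is allowed to act on it. An in-memory dict stands in for
the database table; its contents and the session tokens are constructed.
"""
from dataclasses import dataclass

# Constructed sample data: invoice id -> owning user id and a payload.
INVOICES = {
    10: {"owner": 1, "note": "alice's invoice"},
    11: {"owner": 2, "note": "bob's invoice"},
}

# Constructed session store: session cookie value -> authenticated user id.
# In a real application this comes from the server-side session, never
# from a form field.
SESSIONS = {"sess-alice": 1, "sess-bob": 2}


@dataclass
class Response:
    status: int
    body: str


def parse_id(raw):
    """Validate the submitted id syntactically before touching the database.
    Returns an int, or None if the value is not a positive integer."""
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def handle_update(session_token, form):
    """Process a form submission.

    session_token: value of the session cookie (server-side identity).
    form: dict of submitted fields, including the client-controlled 'id'.
    """
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return Response(401, "not logged in")

    invoice_id = parse_id(form.get("id"))
    if invoice_id is None:
        return Response(400, "invalid id")

    invoice = INVOICES.get(invoice_id)
    # Answer 404 for both a missing object and someone else's object, so a
    # tampered id cannot be used to find out which ids exist.
    if invoice is None or invoice["owner"] != user_id:
        return Response(404, "not found")

    invoice["note"] = form.get("note", invoice["note"])
    return Response(200, "updated")


if __name__ == "__main__":
    # Alice edits her own invoice: allowed.
    print(handle_update("sess-alice", {"id": "10", "note": "paid"}))
    # Alice changes id=10 to id=11 (Bob's invoice) in the URL: refused.
    print(handle_update("sess-alice", {"id": "11", "note": "paid"}))
    # Garbage id from a tampered form: refused before any lookup.
    print(handle_update("sess-alice", {"id": "10 OR 1=1", "note": "x"}))
```

Note that the hidden-input variant from the question changes nothing here: a hidden field is still sent by the browser and can be edited just like the query string, so the ownership comparison against the session user is the only check that matters. Returning 404 rather than 403 for foreign objects is a design choice to avoid confirming that an id exists.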
Reputation: 2359
There is no way to make a generic form more secure. The security part comes when you process the user's data.
Actually, technically there are a couple of ways, that will at least slow a brute force attack.
That is to store the user's session the first time they see it. If you notice the same IP keeps on, you can block them for a duration of time. This would need a database table and some additional code. This would be overkill in most instances.
Upvotes: 0
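One way to implement the blocking the answer above sketches, as an added example (not the answerer's code, and in Python rather than PHP): failed attempts are written to a table keyed by client IP, and once an IP exceeds a threshold inside a time window it is blocked for a fixed duration. An in-memory sqlite database stands in for the database table the answer mentions; the thresholds, the sample IP address and the `simulate` driver are assumed values chosen for illustration.

```python
"""Temporary block of a client IP after repeated failed attempts.

Added example, not code from the answer above. Records each failure in a
table and blocks the IP once it exceeds MAX_FAILURES within WINDOW_SECONDS,
for BLOCK_SECONDS. sqlite in memory stands in for the real database; the
thresholds and sample address are assumed values.
"""
import sqlite3

MAX_FAILURES = 5      # assumed: failures tolerated inside the window
WINDOW_SECONDS = 60   # assumed: sliding window for counting failures
BLOCK_SECONDS = 300   # assumed: how long an IP stays blocked


def open_store():
    """Create the attempt and block tables in an in-memory sqlite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attempts (ip TEXT NOT NULL, at INTEGER NOT NULL)")
    db.execute("CREATE TABLE blocks (ip TEXT PRIMARY KEY, until INTEGER NOT NULL)")
    return db


def is_blocked(db, ip, now):
    """True if the IP has an unexpired block record."""
    row = db.execute("SELECT until FROM blocks WHERE ip = ?", (ip,)).fetchone()
    return row is not None and row[0] > now


def record_failure(db, ip, now):
    """Log a failed attempt; block the IP once the window threshold is hit.
    Returns True if the IP is now blocked."""
    db.execute("INSERT INTO attempts (ip, at) VALUES (?, ?)", (ip, now))
    (count,) = db.execute(
        "SELECT COUNT(*) FROM attempts WHERE ip = ? AND at > ?",
        (ip, now - WINDOW_SECONDS),
    ).fetchone()
    if count >= MAX_FAILURES:
        db.execute(
            "INSERT OR REPLACE INTO blocks (ip, until) VALUES (?, ?)",
            (ip, now + BLOCK_SECONDS),
        )
        return True
    return False


def simulate():
    """Drive the store with a constructed burst of failures from one IP.

    Returns (attempt_number_that_triggered_block, blocked_one_minute_later,
    released_after_block_expiry).
    """
    db = open_store()
    ip = "203.0.113.5"  # constructed; documentation address range
    blocked_at = None
    for n in range(1, 8):
        if record_failure(db, ip, now=1000 + n):
            blocked_at = n
            break
    still_blocked = is_blocked(db, ip, now=1000 + 60)
    released = not is_blocked(db, ip, now=1000 + blocked_at + BLOCK_SECONDS + 1)
    return blocked_at, still_blocked, released


if __name__ == "__main__":
    print(simulate())
```

Keying on the client IP has the limits the answer hints at: everyone behind a shared NAT or proxy gets blocked together, and a request reaching the application through a reverse proxy carries the proxy's address unless the forwarded header is handled deliberately. It slows guessing of ids but does not replace the ownership check in the request handler.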