Nick Price

Reputation: 963

inject url param into html form

Just wanted to find out the safest way to do something so it is not vulnerable. Say I have a URL like www.mysite.com?name=nick

This loads a static HTML page with a form. One of the form's fields is

<input type="text" id="pName" value="" name="pName" readonly>

What is the best way to get the URL param into the value of this input? Basically, I have an app which will be used by several people in different locations. I need a way to identify who is using it, so I thought I could just add their name into the URL and then inject this into my form.

Any information appreciated,

UPDATE

Going off the comments, I have added this to the top of index.php

<?php
session_start();
if (!isset($_SESSION['pName'])) {
    $_SESSION['pName'] = $_GET['pName'];
}
?>

And then the input is like so

<input type="text" id="pName" value="<?php $_SESSION['pName'] ?>" name="pName" readonly>

Would this be acceptable?

Upvotes: 2

Views: 1450

Answers (2)

Pratik Joshi

Reputation: 11693

Use a session and put $_SESSION['YourSessionVariable'] into the textbox.

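<?php
session_start(); // required before reading or writing $_SESSION
$valueForTextbox = '';
if (isset($_POST['yourSubmitName'])) {
    // Form was submitted: remember the posted value for this session
    $_SESSION['pName'] = $valueForTextbox = $_POST['pName'];
} elseif (isset($_SESSION['pName'])) {
    // Not submitted: reuse the value already stored in the session
    $valueForTextbox = $_SESSION['pName'];
}
?>

<!-- HTML-encode the value so quotes or markup in it cannot break out of the attribute -->
<input type="text" id="pName" value="<?php echo htmlspecialchars($valueForTextbox, ENT_QUOTES, 'UTF-8'); ?>" name="pName" readonly>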

Why?

What if I change the URL GET parameter? It will be a security issue as well.

Also, if I have to maintain that data across many pages (say, a wizard to complete) and I delete some parameters from the URL, it will create an issue.

The query string will be unnecessarily big with GET parameters which can easily be saved in sessions.

Edit: When the form is not submitted, fetch the value from the database rather than taking it from the query string. After form submit, put the value in SESSION. Form posting will keep updating the value for that session variable.

Upvotes: 1

thst

Reputation: 4602

If the user is to be defined in the URL, you must check on the server whether the user is authorized.

Since you need to have a safe method to identify the authorized user, the identification happens before the form is called, for example through login.

On login you store the user's name on the server, usually in the session, then you forward him to the form.

If a user tries to call the form for another, not identified user, you will realize this on the server. The form comes back, but the user does not match the username stored in the session.

Now, as you already have the user in the session, the question arises whether you really need the user in the URL. Reasons for that could be that you want more than one form open at a time, or you have authorized access to the form of other users (for example admin access).

Upvotes: 1
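
The server-side check described in this answer, sketched as an added example (not code from the answers or the question): a name from the URL or the posted pName field is accepted only when it matches the user stored in the session at login, or when the session carries an authorized role. The function names, the `user` and `role` session keys, the `admin` role and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: decides whose form may be shown or accepted.
// $session stands in for $_SESSION after a login step that set 'user'
// (and optionally 'role'); $requested is the untrusted name taken from
// the URL or from the posted pName field.
function resolveFormUser(array $session, ?string $requested): ?string
{
    if (!isset($session['user']) || !is_string($session['user'])) {
        return null;                     // not logged in: no form at all
    }
    if ($requested === null || $requested === '') {
        return $session['user'];         // nothing requested: use session identity
    }
    if ($requested === $session['user']) {
        return $session['user'];         // request matches the logged-in user
    }
    // Another user's form: only for an authorized role (assumed 'admin').
    return (($session['role'] ?? '') === 'admin') ? $requested : null;
}

// Renders the read-only input with the value encoded for an HTML attribute.
function renderNameInput(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" id="pName" value="' . $safe . '" name="pName" readonly>';
}

// Constructed sample requests: [session contents, name from URL or POST]
$cases = [
    [['user' => 'nick'], 'nick'],                      // own form
    [['user' => 'nick'], 'alice'],                     // someone else's form: rejected
    [['user' => 'root', 'role' => 'admin'], 'alice'],  // admin access
    [['user' => 'nick'], null],                        // no name in the URL
    [['user' => 'a"b<c'], null],                       // name needing encoding
    [[], 'nick'],                                      // no login at all
];
foreach ($cases as [$session, $requested]) {
    $user = resolveFormUser($session, $requested);
    echo $user === null ? "403 rejected\n" : renderNameInput($user) . "\n";
}
```

The readonly attribute is not part of the check: it only affects the browser's UI, so the posted pName goes through the same function as the URL value.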
