php - Input form with hidden field how to secure it -


after knew how secure upload image bypassing forms input fields upload unwanted files give example of 2 filed, 1 of them hidden.

sql table (id,name,jod,number)

create table `users` (   `id` bigint(20) unsigned not null auto_increment,   `name` varchar(255) default '0',   `job` varchar(255) default null,   `number` varchar(255) default null ) engine=myisam default charset=utf8;

form code (support member edit own informations)

<form action="send.php" method="post" name="send" id="send">  <input type="text" name="name" id="name" value="john"/>  <input type="text" name="job" id="job" value="plumber"/>  <input type=hidden name="number" id="number" value="1234"/>  <input type="submit" name="submit" value="submit"/> </form>

later there firefox extension can bypassing different input server-side bypassing checking , might case lot of damage here can stop whole process , makes able edit value of hidden table number such value="1" causing update information member have value number 1.

enter image description here

that extension working following, can fake input data before passed server side.

enter image description here

php code send.php

if(isset($_post['send'])){    $name   = mysql_real_escape_string($_post[name]); $job    = mysql_real_escape_string($_post[job]); $number = mysql_real_escape_string($_post[number]);  $sql= "update users set name='$name',job='$job' number='$number'";        mysql_query($sql) or die("query failed: $sql".mysql_error());  echo "update done";  } else {  echo "nothing update"; }

the question how protect simple form such input form ? ~ thanks

this problems hurts cause made website free hacked :)

if user authorization not option in cause, try following techniques:

  • set hidden field hash of number salted other information
  • set hidden field number encrypted (possible salt increase security here also)

of course add steps when sending form html , validating post information, @ least harder attacker fake valid number on post. although not save if attacker knows encrypted/hashed number of different user unless salted information withing hidden field used wisely.


-

Comments

Post a Comment

Popular posts from this blog

angular - Is it possible to get native element for formControl? -

i've got angular2 reactive form . created formcontrol s , assigned input fields by [formcontrol]=... . understand creates nativeelement <-> formcontrol link. my question: possible nativeelement formcontrol ? wanna myformcontrol.nativeelement.focus() i can share 1 terrible solution works me. in reactive forms can use either 1) formcontroldirective ts mycontrol = new formcontrol('') template <input type="text" [formcontrol]="mycontrol"> or 2) formcontrolname ts myform: formgroup; constructor(private fb: formbuilder) {} ngoninit() { this.myform = this.fb.group({ foo: '' }); } template <form [formgroup]="myform"> <input type="text" formcontrolname="foo"> </form> so these directives write patch like 1) formcontroldirective const originformcontrolngonchanges = formcontroldirective.prototype.ngonchanges; formcontroldirective.proto
Read more

unity3d - Rotate an object to face an opposite direction -

i have object , b. when click on object b, rotates object b (a faces b). b doesn't face a. need following : when faces b, need face opposite direction. have code rotating @ b. how rotate face opposite direction after that? vector3 targetdirection = target - transform.position; float step = speed * time.deltatime; vector3 newdirection = vector3.rotatetowards (turretdome.transform.forward, targetdirection, step, 0.0f); turretdome.transform.rotation = quaternion.lookrotation (newdirection); you object facing object b, want inverse direction of object after that? objecta.transform.rotation = quaternion.inverse(objecta.transform.rotation) but lets assume example turretdome object a, (negate direction): turretdome.transform.rotation = quaternion.lookrotation (-newdirection); naturally, both of these snippets not show how smoothen rotation, seem know how use time.deltatime. just incase unsure, quaternion.lerp this
Read more

javascript - Why jQuery Select box change event is now working? -

i working on product filters user select select box according his/her preference not getting selected value user in jquery. html code:- <select name="product_filter" id="product_filter"> <option value="price_low_first">price : low high</option> <option value="price_high_first">price : high low</option> <option value="latest">latest</option> <option value="popular">most popular</option> </select> jquery code: $(function () { $("#product_filter").change(function () { alert("hi") var selectedtext = $(this).find("option:selected").text(); var selectedvalue = $(this).val(); alert("selected text: " + selectedtext + " value: " + selectedvalue); }); }); hi believe code perfect. once please check jquery.min.js
Read more