Handling form security

Hi all,

I am again asking for an aproach but simpler :slight_smile:

So how do you maintain the form security ? For instance you have a member and he/she tries to change the personal settings and you redirected member to


member changed the values and post the data to another page by changing the action with firebug or something else.

How do you handle this problem ?


Always fully validate the data on the page that is processing the data from the form to make sure that all fields contain what you expect.

You can also establish a session and pass a session variable between the pages to confirm that the page passing the info is the right form.

Well, in your example, your URL would actually be /member/change . The ID you require would come from the current users ‘session’, so would be impossible to change.

If however, the current user is actually an admin, the ID would indeed need to be specified but they would have the right to alter any user anyway.7

Additionally, if you require a more fine-grained mechanism, you could look into ACLs.

    #do stuff

As with the session solution I reread my question and found out what I miss.

For instance the user has unlimited number of sub pages and again user want to change the content of that page, without using session (by session I mean, saving the page id to session) how can I achieve to protect another page to be changed ?

Actually I am looking for an independent security approach like I put a hashed string to a hidden and try to check that but I dont wthat hash dependent on things that can be guessed.

Is it possible ?

In which case, you need to generate a hash which is reproduciable on a subsequent request but unique to both the current user and relevant ‘page’.

$hash = sha1(
        $this->user->get('id'),             #users id
        $this->user->get('browser'),        #users browser
        $this->page->get('slug'),           #unique element for page /members/edit/4 for example
        $this->config->get('security.key')  #a secret key known only to the application

This is actually what I was looking for thank you very much Anthony :slight_smile: and also to you felgall. By this hashing method we can generalize the checking mechanism and create a generic security tool.

Thanks again :slight_smile:

There are two ways around that you can do it.

You can generate the hash from user info as Anthony suggests or you could generate a random hash and then store it in the database with the user data and then compare the one from the session data against the one stored directly in the database rather than rebuilding the hash based on the info in the database.