Handling form security

Hi all,

I am again asking for an approach, but a simpler one :slight_smile:

So how do you maintain form security? For instance, you have a member who tries to change his/her personal settings, and you redirect the member to

www.domain.com/member/change/member_id

The member changes the values and posts the data to another page by changing the action with Firebug or something else.

How do you handle this problem?

Thanks

Always fully validate the data on the page that is processing the data from the form to make sure that all fields contain what you expect.

You can also establish a session and pass a session variable between the pages to confirm that the page passing the info is the right form.

Well, in your example, your URL would actually be /member/change . The ID you require would come from the current users ‘session’, so would be impossible to change.

If, however, the current user is actually an admin, the ID would indeed need to be specified, but they would have the right to alter any user anyway.

Additionally, if you require a more fine-grained mechanism, you could look into ACLs.


<?php
if($this->user->can('alter.member.information')){
    #do stuff
}
?>

As with the session solution I reread my question and found out what I miss.

For instance, the user has an unlimited number of sub pages, and again the user wants to change the content of one of those pages. Without using the session (by session I mean saving the page id to the session), how can I protect another page from being changed?

Actually, I am looking for an independent security approach, like putting a hashed string into a hidden field and checking that, but I don't want that hash to depend on things that can be guessed.

Is it possible ?

In which case, you need to generate a hash which is reproducible on a subsequent request but unique to both the current user and the relevant ‘page’.


$hash = sha1(
    sprintf(
        '%d-%s-%s-%s',
        $this->user->get('id'),             # user's id
        $this->user->get('browser'),        # user's browser
        $this->page->get('slug'),           # unique element for the page, /members/edit/4 for example
        $this->config->get('security.key')  # a secret key known only to the application
    )
);

This is actually what I was looking for, thank you very much Anthony :slight_smile: and also to you felgall. By this hashing method we can generalize the checking mechanism and create a generic security tool.

Thanks again :slight_smile:

There are two ways that you can do it.

You can generate the hash from user info as Anthony suggests, or you could generate a random hash, store it in the database with the user data, and then compare the one from the session data against the one stored directly in the database rather than rebuilding the hash based on the info in the database.