What if a user changes a form value in Developer Tools and submits the form?

I’ve a simple form with a select menu, whose options are loaded dynamically and have different values associated with them.

<select name = 'city'>
  <option value='dynamically_loaded_value'>Belgaum</option>
  <option value='dynamically_loaded_value'>Hubli</option>
  <option value='dynamically_loaded_value'>Dharwad</option>
</select>

The dynamically_loaded_value is critical in my case, because when the user selects an option and submits the form, I’m going to do some operation based on the selected option’s value.

So what if the user changes the dynamically_loaded_value to any other value in the Chrome Developer Tools and submits the form? Of course, it’ll cause an error in further processing. How can I prevent this?

I’m using PHP for server-side.

You’re going to need to validate & clean all user-inputted information. It sounds like you have a collection of expected values to receive; you could perform a strict match against all entries for each match.

$userSubmittedValues = array(
    "one",
    "two",
    "three"
);

$expectedSubmittedValues = array(
   // However many values you expect in total
);

// This should end up matching count($userSubmittedValues) after the loop matching below
$count = 0;

// For each value submitted by the user
foreach ( $userSubmittedValues as $value ) {

   // Match with all expected values to be submitted
   foreach( $expectedSubmittedValues as $expect ) {

      // If a match is found among the array, increase match count
      // (=== so that no type juggling can produce a false match)
      if( $value === $expect ) {
         $count++;
      }
   }
}

// If any value failed to match, end script
if( $count < count($userSubmittedValues) ) {
    die("Some values failed to match");
}

This is only an example of how you can match expected values. You still need to clean all values stripping script injection and invalid characters.

1 Like

The example from @Emgo should work and it sounds like you already have the dynamic data in an array as that is what you are building your dropdown form from.

You could also check if the data received has characters like > < | etc., as they are unlikely to appear in a city name, then stop the code and throw an error.

You can also check where the form was submitted from (you will need to search the web, as I cannot remember how it works). I do not know how good this is, but every little bit of security helps.

1 Like

And what if the user changes form type = 'POST' to type = 'GET' and submits the form? Should I check for both GET and POST methods in PHP to access the values?

If you have an array of valid values, you can use in_array() like I show in this post.

1 Like

Nope. That way lies madness. It is trivial for an end user to send whatever they want back to the server. Trying to anticipate all the different ways they might try to mess with your site is really an exercise in futility.

Instead, pick one legitimate way to access a resource and then lock it down. So if POST is your method of choice then ignore GET requests and perhaps log a message indicating someone is trying to hack you.

And just to repeat what has already been said about your original post concerning valid cities, always check the posted city against your list of valid cities and ignore if an invalid one comes along.

5 Likes
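The two points made above, checking the posted city against the same list the dropdown was built from and accepting only the one request method you chose, put together in one added example. This is not code from the thread; $validCities, validate_city() and handle_request() are names assumed for the example, and the city codes are constructed sample data.

```php
<?php
// Added example (not from the thread): allowlist validation of the submitted
// city against the array the <select> is generated from, plus rejecting any
// request method other than POST. Function and variable names are assumptions.

// The array the dropdown is generated from; the keys are the option values
// that the server itself rendered into the form. Constructed sample data.
$validCities = [
    'blg' => 'Belgaum',
    'hbl' => 'Hubli',
    'dwd' => 'Dharwad',
];

/**
 * Returns the option value if it is one the server rendered, otherwise null.
 */
function validate_city($submitted, array $validCities): ?string
{
    // $_POST['city'] can be an array (city[]=...), so insist on a plain string
    // before comparing; in_array() on an array would not behave as intended.
    if (!is_string($submitted)) {
        return null;
    }
    // Third argument true = strict comparison, so loose matches such as
    // "0" == "abc" in older PHP versions cannot let a bad value through.
    if (!in_array($submitted, array_keys($validCities), true)) {
        return null;
    }
    return $submitted;
}

/**
 * Decides what to do with one submission. Returns an HTTP status and the
 * validated city value (null when rejected).
 */
function handle_request(string $method, array $post, array $validCities): array
{
    if ($method !== 'POST') {
        // A browser restoring a POST page as GET lands here too; log it and
        // let the caller redirect to a sensible GET page instead of processing.
        error_log("Rejected {$method} request to the city form");
        return ['status' => 405, 'city' => null];
    }

    $city = validate_city($post['city'] ?? null, $validCities);
    if ($city === null) {
        // Do not echo the submitted value back into the page; it is user-controlled.
        error_log('Rejected city value that is not in the allowlist');
        return ['status' => 400, 'city' => null];
    }

    return ['status' => 200, 'city' => $city];
}

// Constructed submissions standing in for $_SERVER['REQUEST_METHOD'] and $_POST:
var_dump(handle_request('POST', ['city' => 'hbl'], $validCities));   // value the server rendered
var_dump(handle_request('POST', ['city' => 'zzz'], $validCities));   // value edited in Developer Tools
var_dump(handle_request('POST', ['city' => ['hbl']], $validCities)); // array instead of a string
var_dump(handle_request('GET',  ['city' => 'hbl'], $validCities));   // wrong method
```

Because the allowlist is the same array the form is rendered from, there is nothing to keep in sync: any value the page did not offer is rejected before it reaches the code that acts on it.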

I’ve noticed that some people have browsers set to restore their browsing session on next start and if there was a page loaded with POST then the browser will try to load it with GET - I see it sometimes in the logs of my web applications. Of course, this is not a hacking attempt but a weird (I think erroneous) behaviour of browsers. So in cases of GET requests to URLs that should be POSTed it’s good to display some error page with a link to go to the home page or perhaps immediately redirect the user to some other (GET) page that will be closest in terms of topic and content to the POST page that couldn’t have been loaded because it was accessed with GET.

One way is to validate user input in PHP like the other posters have already said. But often I use a different method - I let the database check the values. Usually, values from forms are put into database tables and databases have an ability to restrict what can be entered into a field - via foreign keys or check constraints. So I don’t check if the value is correct in PHP, I just send it to the database and if the database responds with an error then a generic error page is displayed to the user - something that is set up for the whole site so I don’t have to deal with it. I just insert the data to the database and don’t care about checking the values in PHP.

When using this method there are some things to pay attention to:

  1. The values sent to the database should be properly escaped or sent via prepared statements, just like any other kind of data that is sent to the database. But that is a different topic.
  2. When you are saving data to more than one database table it is necessary to use a transaction around all the inserts so that, if a user sends a disallowed value and one of the inserts fails, you don’t end up with a partially done task: the whole operation rolls back and no data ends up in the database.
  3. Obviously, when any of the inserts fails the whole application should abort and end up with an error. Overall, I think it’s good practice to abort any time any of the database queries fail.
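The database-enforced approach described in this post, as an added example that is not code from the thread: a foreign key restricts the city column to known codes, a prepared statement carries the value, and a transaction around the multi-table insert rolls everything back when the database rejects it. It uses an in-memory SQLite database so it runs offline; the table names, save_order() and the sample city codes are assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): let the database reject unknown city
// values via a foreign key, and wrap the multi-table insert in a transaction
// so a rejected value leaves nothing behind. In-memory SQLite; all names and
// data here are constructed for the example.

function setup_schema(PDO $db): void
{
    $db->exec('PRAGMA foreign_keys = ON'); // SQLite enforces FKs only when this is set per connection
    $db->exec('CREATE TABLE city (code TEXT PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec('CREATE TABLE orders (
                   id INTEGER PRIMARY KEY,
                   city_code TEXT NOT NULL REFERENCES city(code))');
    $db->exec('CREATE TABLE order_items (
                   id INTEGER PRIMARY KEY,
                   order_id INTEGER NOT NULL REFERENCES orders(id),
                   sku TEXT NOT NULL)');

    // The same list the <select> would be rendered from.
    $ins = $db->prepare('INSERT INTO city (code, name) VALUES (?, ?)');
    foreach (['blg' => 'Belgaum', 'hbl' => 'Hubli', 'dwd' => 'Dharwad'] as $code => $name) {
        $ins->execute([$code, $name]);
    }
}

/**
 * Inserts an order and its items. Returns the new order id, or null when the
 * database rejected the data (for example a city code not in the city table);
 * in that case the rollback guarantees neither table keeps anything from this call.
 */
function save_order(PDO $db, string $cityCode, array $skus): ?int
{
    $db->beginTransaction();
    try {
        // Prepared statement: the submitted value is never spliced into SQL text.
        $order = $db->prepare('INSERT INTO orders (city_code) VALUES (?)');
        $order->execute([$cityCode]); // foreign key violation throws here for an unknown city
        $orderId = (int) $db->lastInsertId();

        $item = $db->prepare('INSERT INTO order_items (order_id, sku) VALUES (?, ?)');
        foreach ($skus as $sku) {
            $item->execute([$orderId, $sku]);
        }

        $db->commit();
        return $orderId;
    } catch (PDOException $e) {
        // Abort the whole operation, as the post recommends, and let a generic
        // error page handle the user-facing side; log the detail server-side only.
        $db->rollBack();
        error_log('Insert rejected by the database: ' . $e->getMessage());
        return null;
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
setup_schema($db);

var_dump(save_order($db, 'hbl', ['A1', 'B2']));      // city the form offered
var_dump(save_order($db, 'tampered', ['C3']));       // value edited in Developer Tools: FK rejects it

// Neither the order nor its items from the rejected call survive the rollback.
echo $db->query('SELECT COUNT(*) FROM orders')->fetchColumn(), " order(s)\n";
echo $db->query('SELECT COUNT(*) FROM order_items')->fetchColumn(), " item(s)\n";
```

PDO::ERRMODE_EXCEPTION is what makes the failed insert throw rather than silently return false; without it the catch block would never run and the check would be skipped.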
