Preventing hacking if users change html/javascript vars?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
newbie_to_php
Forum Newbie
Posts: 2
Joined: Sun Nov 24, 2013 5:06 am

Preventing hacking if users change html/javascript vars?

Post by newbie_to_php »

Considering the below example:
HTML Page :

<input type="text" name="update_12" />
An input box with name as "update_12" and new text as : "Some another data" is sent via form to the serverside PHP script (say process.php)

Database format:

=====================
message_ID Message
=====================
12 Some data
13 Another data
If PHP script does an explode on the input name as:

Code: Select all

foreach ($_POST as $key => $value) {
    if(strstr($key, "update_")){
        $required_id = explode('_',$key)[1];
        $query = "UPDATE <db_name> SET `Message`='".$_POST[$key]."' WHERE `message_id`='".$required_id."'";
    }
}
This updates the DB with the new message for message_ID : 12

I am new to PHP and exploring basic data storage, update, retrieval and deletions in MySQL.

Since the client can change the name of the input field :"name" and send another value to update. For example: If a client opens up firebug and changes the "name" field of input box to "update_13", his operation is going to overwrite Message of another user.

I tried researching for this by trying out a status deletion in facebook. From primary observation of the POST data for deletion I could see some important parameters being sent for deletion as :

impression_id=456ab622
profile_id=100005552221116
__user=100005552221116
story_fbid=540912345678911

For a post deletion, the associated ID looks like : story_fbid. When i changed this to may be : 540912345678912 (last digit changed) And clicked on delete, fb takes a while and responds with an error message saying : This operation cannot be done. This error message appears after the POST request to delete has been sent (with modified story_fbid). The response for the POST request contains the error message which is shown in a modal window.

I can think of a way wherein the ID and its hash (MD5/SHA1/SHA2) are stored in DB and upon receipt of id, get a hash of it and if it matches any, update that row in DB. However there are chances that (in our case) hash of 13 might match any other row and hence perform an update operation.

Can you suggest any other secure ways in which we can validate that client has not changed the values?
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Preventing hacking if users change html/javascript vars?

Post by requinix »

It depends on the situation and how you want to deal with invalid input. The short, generic answer is that you determine what the input variables should have been and compare that against what you actually received.
newbie_to_php
Forum Newbie
Posts: 2
Joined: Sun Nov 24, 2013 5:06 am

Re: Preventing hacking if users change html/javascript vars?

Post by newbie_to_php »

A simple case to illustrate the issue ;
Say I have a div :
<div id="image_11">Delete</div>
<div id="image_12">Delete</div>
<div id="image_13">Delete</div>
On click of any of the delete DIV's, using jquery I determine the ID of the clicked DIV and send it to the PHP script using an AJAX call.
Now the PHP script tries to parse the string "image_ID" and fetches only the part after the underscore.
Now a MySQL query to delete a row with that ID is performed.

Under this case, if the user changes the "image_11" to "image_13" and clicks on Delete that belongs to image_11,
row with the ID:13 will be deleted which is not the expected behavior.
So using any hashing or UUID or any other method, is there any way to detect this and throw back an error message?
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Preventing hacking if users change html/javascript vars?

Post by requinix »

There's no way for you to know in your PHP because image_13 was also a valid option for the user. As far as you can tell they clicked the image_13 button instead of the image_11 button. And that's okay - it really doesn't matter.

Now, if they changed it to image_14 and they're not allowed to delete image_14, that's where you have to care. To prepare for that situation, pull down the information for image #14 and check if the user is allowed to delete it (eg, they are the owner of that image). If so then it's the image_11/13 thing all over again and it doesn't matter, but if not then you can take some sort of action: maybe present an error message (which I don't like), or maybe ignore that action and continue on, which could end up resulting in no actions taken at all (which I do like).
boby123
Forum Newbie
Posts: 1
Joined: Sat Jan 25, 2014 1:55 am

Re: Preventing hacking if users change html/javascript vars?

Post by boby123 »

For a post deletion, the associated ID looks like : story_fbid. When i changed this to may be : 540912345678912 (last digit changed) And clicked on delete, fb takes a while and responds with an error message saying : This operation cannot be done. This error message appears after the POST request to delete has been sent (with modified story_fbid). The response for the POST request contains the error message which is shown in a modal window.
Post Reply