Posted by Gordon Burditt on 10/18/76 11:39
>>i'm passing session and hidden variables between pages. not to mention
>>post values.
>>
>>i'm a little concerned that someone with sufficient knowledge could
>>spoof these values and manipulate the program.
>>
>>is this a valid concern? i'm thinking i can check the submitting page
>>setting up something around the following code...
>
>Anything that can be seen can be hacked. So for example
><a href="deleteuser.php?id=44">remove your record</a>
>would be a seriously bad idea! Hidden fields are also useless in this
>respect.
I see nothing particularly wrong with:
><a href="deleteuser.php?id=44">remove your record</a>
*IF* you VALIDATE THE REQUEST when it is submitted. (That is, check
that the user has the authority to remove the specific record he
is trying to remove when it is submitted, *AGAIN*, don't just check
when presenting the page with the link on it. If users have the
authority to remove their own records only, mucking with the id=
value will just get the request rejected.) And if you don't
validate the request at the time it is submitted, someone will find
another hole that's just as bad (e.g. guessing someone's "removal
request ticket").
Hidden fields are occasionally useful for protection against
simultaneous editing of a record. A user wants to edit a record.
You give him a form with fields to put changed values, plus hidden
fields with the old values. If, when the request is submitted, the
hidden fields don't match what's in the database, someone edited
the record while this user was making his changes, and you reject
the changes if they appear to conflict. This is much better than
trying to hold a database lock while someone else has an edit page
up and maybe went to lunch or on vacation.
In this situation, if you muck with the hidden fields, your request
is rejected, unless you can guess how someone else has edited that
field after you get the page. There really isn't that much incentive
to hack anyway, since if you can use the form you have the authority
to make changes without any hacking.
Gordon L. Burditt
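An added example (not code from the original thread, and written in Python over an in-memory SQLite table rather than the PHP the poster mentions) of the two points above: the delete handler re-checks the logged-in user's authority against the submitted id= at submit time, and the edit handler compares the hidden old value against the database in one conditional UPDATE, so a stale or tampered hidden field simply gets the request rejected. The table layout, user names and the session_user/params arguments are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the site's user records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, owner TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(44, "alice", "a@example.com"), (45, "bob", "b@example.com")])
    db.commit()
    return db

def delete_user(db, session_user, params):
    """Handler behind deleteuser.php?id=N. session_user comes from the server-side
    session, params from the query string; the id alone is never trusted."""
    try:
        rec_id = int(params.get("id", ""))
    except ValueError:
        return "rejected: bad id"
    # Authority is checked at submit time: delete only a record this user owns.
    cur = db.execute("DELETE FROM users WHERE id = ? AND owner = ?", (rec_id, session_user))
    db.commit()
    return "deleted" if cur.rowcount == 1 else "rejected: not your record"

def update_email(db, session_user, params):
    """Edit form handler: 'email' is the new value, 'old_email' the hidden field
    holding the value shown when the form was generated."""
    try:
        rec_id = int(params.get("id", ""))
    except ValueError:
        return "rejected: bad id"
    # One conditional UPDATE does ownership check and old-value comparison atomically;
    # a SELECT-then-compare in application code would reopen the simultaneous-edit race.
    cur = db.execute(
        "UPDATE users SET email = ? WHERE id = ? AND owner = ? AND email = ?",
        (params.get("email", ""), rec_id, session_user, params.get("old_email", "")))
    db.commit()
    if cur.rowcount == 1:
        return "updated"
    # Nothing changed: tell the user whether it was authority or a concurrent edit.
    row = db.execute("SELECT owner FROM users WHERE id = ?", (rec_id,)).fetchone()
    if row is None or row[0] != session_user:
        return "rejected: not your record"
    return "conflict: record changed since form was loaded"
```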