Best ways to secure form data from malicious users wielding Firebug?

I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.

What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?

I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.

Answers


You can't use jQuery for security since it's all handled on the client side.

In your example just use a PHP session in staed of a hidden input field, because as you rightfully noted this can be manipulated.

Using sessions would look something like the following:

login page

<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="submit">
</form>

login.php

// you have to include this on every page to be able to user sessions.
// also make sure that you include it before any output
session_start();

//Always sanitize the user input before doing any db actions.

//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).

// check user credentials against db

$_SESSION['user'] = $dbresult['username'];

page-where-userid-is-required.php

session_start();

if (!isset($_SESSION['user'])) {
    // user is not logged in!
} else {
    // use user info to place order for example
}

The session will be active until the user closes his browser / until the session expires (which is a PHP setting)

The above is just some sample code to give you an idea.

It works smaller projects, however as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )

But that's just a whole other story :)


Here are a few basic suggestions:

  • You need to validate form inputs using a server-side (PHP) script.

  • Instead of relying on sensitive pieces of information, such as member ID, from the form you could instead cache such data in your server session. That way there is no way for a malicious user to change the data on the fly.

You can still use jQuery validation as a convenience to catch basic input problems, but you can only trust data that is validated using server-side code.


Need Your Help

How does a JDBC driver implementation work?

jdbc driver

A JDBC driver implementation provides the low level details that allows a client to communicate with a third party datababase. I am just curious what it is doing behind the scenes. Communication be...

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.