Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 9 of 9
  1. #1
    Regular Coder
    Join Date
    Jun 2008
    Posts
    104
    Thanks
    71
    Thanked 0 Times in 0 Posts

    Arrow How can I improve the security of this?

    I'm not sure if there's really a way to make this more secure - but, this is what I have...

    I have a form with a hidden field that retrieves a hashed user ID from a session, and then inserts that info into the hidden form field.

    How can I make sure that a user doesn't change this info when submitting the form?

    I'm guessing that it's impossible to guard against, since it's a hidden form field and a user could simply change either the session info or just the hidden form field data.

    Any ideas on how to make this more secure?

    Thanks!

  • #2
    Regular Coder ninnypants's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    504
    Thanks
    10
    Thanked 47 Times in 47 Posts
    What exactly are you trying to do with the form field?

  • #3
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Why pass the value along if you're already tracking it in a session?
    The answer is you can't, any values passed through a form are given to us from a client, so you need to validate everything yourself.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • #4
    Regular Coder
    Join Date
    Jun 2008
    Posts
    104
    Thanks
    71
    Thanked 0 Times in 0 Posts
    I have a registration page that takes the user to a payment page after successfully signing up.

    When the user first registers, a random hashed user ID is generated for that user and then inserted into my database and into a session.

    On the payment page, the user ID from the session is inserted into a hidden form field. This user ID is submitted to PayPal when the user makes their first payment. PayPal needs a custom user ID to update my records using the PayPal IPN.

  • #5
    Regular Coder
    Join Date
    Dec 2009
    Location
    UK
    Posts
    495
    Thanks
    0
    Thanked 58 Times in 58 Posts
    In that case, I'd leave it as it is. If any user tries to tamper with the data it won't let them use the service even if they have paid, so it will be them that is losing out not you
    My site: JayGilford.com
    Resources:
    PHP Pagination Class | Getting all page links | Handling PHP Errors properly
    If you like a users help, show your appreciation with the rep and thanks buttons :)

  • #6
    Senior Coder
    Join Date
    May 2006
    Posts
    1,683
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Nice reply Jay.

    haha

    In fact, if the op has their email, he can send them an email
    asking them to play with the data again, maybe a few times ;-)
    If you want to attract and keep more clients, then offer great customer support.

    Support-Focus.com. automates the process and gives you a trust seal to place on your website.
    I recommend that you at least take the 30 day free trial.

  • #7
    Regular Coder
    Join Date
    Dec 2009
    Location
    UK
    Posts
    495
    Thanks
    0
    Thanked 58 Times in 58 Posts
    yeah
    My site: JayGilford.com
    Resources:
    PHP Pagination Class | Getting all page links | Handling PHP Errors properly
    If you like a users help, show your appreciation with the rep and thanks buttons :)

  • #8
    Regular Coder
    Join Date
    Jun 2008
    Posts
    104
    Thanks
    71
    Thanked 0 Times in 0 Posts
    Thanks for the help!

    I hash the e-mail address from the registration page with a random salt, using SHA-1. Then I use that hash as the user ID for each user in the database.

    So, I'm guessing it would be fairly hard for a malicious user to generate a hash (user ID) for an existing user anyways, right?

    I was even thinking of using SHA-512, but that's probably taking it too far.

  • #9
    Regular Coder
    Join Date
    Dec 2009
    Location
    UK
    Posts
    495
    Thanks
    0
    Thanked 58 Times in 58 Posts
    I see no reason why you shouldn't use SHA512
    My site: JayGilford.com
    Resources:
    PHP Pagination Class | Getting all page links | Handling PHP Errors properly
    If you like a users help, show your appreciation with the rep and thanks buttons :)


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •