I have an admin page that lists a bunch of records and each record has a checkbox next to it to set it to an "active" status. Each checkbox has a value on it that is tied to the ID of the record in the database. If somebody used FireBug they could easily change the checkbox's value to a different number thus effecting the wrong record in the database.
I'm not extremely worried about this happening because its just an admin page that will just have one user and I'm sure he doesn't know anything about FireBug.. but was just curious incase I run into this problem in the future on a more public-facing page.
Here's the code I currently have just so you can get an idea of what I'm doing.
The HTML + PHP..
<input type="checkbox" class="active" name="active<?php echo $id; ?>" id="active<?php echo $id; ?>" <?php if ($active == 1): ?>checked="checked"<?php endif; ?> value="<?php echo $id; ?>">
jQuery ajax..
$("input.active").click(function() {
var loader = $(this).prev().prev();
$(loader).css("visibility","visible");
// store the values from the form checkbox box, then send via ajax below
var check_active = $(this).is(':checked') ? 1 : 0;
var check_id = $(this).attr('value');
console.log(check_active);
console.log(check_id);
$.ajax({
type: "POST",
url: "active.php",
data: {id: check_id, active: check_active},
success: function(){
$(loader).css("visibility","hidden");
}
});
return true;
});
Here is active.php..
<?php
include("dbinfo.php");
mysql_connect($server,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$active = mysql_real_escape_string($_POST['active']);
$id = mysql_real_escape_string($_POST['id']);
$addEntry = "UPDATE entries SET active = '$active' WHERE id = '$id'";
mysql_query($addEntry) or die(mysql_error());
mysql_close();
?>
You should be setting a $_SESSION value with their account information in it so if they try to access an account that isn't there's you can catch it and flag it appropriately. Just the ID number of their account probably would be sufficient. You definitely should not be putting this in hidden fields or anywhere where the user can change it.
You can't.
firebug has full control over the HTML.
But your not worried about HTML, your actually worried that the user will do something funky in active.php, which is exactly where you should add more protection.
If an admin has the right to edit the active state of entries, then he should be able to edit any entry he wants in any way that you will allow it.
The security issue that you describe where some malicious admin can change the id in the HTML and have the wrong record change the active state is nothing compared to an even more malicious user that can send a post request to your active.php page just like your ajax script does, but using his server, effectively having access to change any active state on any entry.
What you should do is to perform some kind of authentication on the active.php
Be it using SESSIONS or HTTP
来源:https://stackoverflow.com/questions/11157749/prevent-user-from-editing-checkbox-value-with-something-like-firebug