How to check if a hidden input has been tampered with?

1

How can I detect manipulation of an input of type hidden whose value is an id?

Code:

<input name="id" id="id" type="hidden" value="$id" />
    
asked by José Guevara 09.11.2017 at 20:26

3 answers

1

For an update form I keep the ID in a hidden input and, in another hidden input, the same ID but hashed; then, when it comes to updating the content, it throws an error if the ID and the hash do not match when the check is done from my PHP (before the update statement)...

$id = $row['id'];                   // the ID placed in the first hidden input
$hash = hash('crc32b', $row['id']); // its hash, placed in the second hidden input

and before going through the SQL part I hash the $id again to compare it with $hash; if they match it goes on to the SQL, otherwise I clear the whole form and show a div with a "Token Not Valid" message.

    
answered 09.11.2017 at 20:47
0

What you can do is add these attributes to the body tag, although that is not 100% effective.

<body oncontextmenu="return false" onkeydown="return false">

What this does is block the right mouse click on your page.

    
answered 09.11.2017 at 20:54
0

Suppose the $id in your input of type hidden comes from GET or SESSION.

You could create a hash of that id and include it in another input of type hidden, and then with hash_equals you could check whether it matches the value obtained via GET.

Id obtained by GET

// Suppose you get the ID via GET.
$id = $hash_id = NULL;
// FILTER_VALIDATE_INT returns the integer (possibly 0), so compare against false explicitly.
if (isset($_GET['id']) && filter_var($_GET['id'], FILTER_VALIDATE_INT) !== false) {
    $id = (int) $_GET['id'];
    $hash_id = hash('ripemd160', (string) $id);
}

filter_var filters a variable with the indicated filter.

Form check

// Reset the input variables.
$id_frm = $hash_frm = NULL;

// Check that the form was submitted.
if (isset($_POST['submit'])) {

    // Get the form data (guarded so a missing field does not raise a notice).
    $id_frm = $_POST['id'] ?? NULL;
    $hash_frm = $_POST['hash_id'] ?? NULL; // Hashed id obtained from the form.

    // Both form values present, and the GET id still available.
    if ($id_frm && $hash_frm && isset($_GET['id'])) {

        // Hash the ID obtained via GET for the check.
        $get_id = hash('ripemd160', $_GET['id']);

        // Check that the hashes match (hash_equals is a constant-time comparison;
        // the attacker-controlled value goes second).
        if (hash_equals($get_id, (string) $hash_frm)) {
            // Continue...
            // Update your data in the database using its ID.
            //echo 'The HASH is correct';
        } else {
            echo "The HASH does not match.";
        }

    }

}

Possible form:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    <!-- Add the inputs you want to update. -->
    <input type="hidden" name="id" value="<?php echo (int) $id; ?>" />
    <input type="hidden" name="hash_id" value="<?php echo htmlspecialchars($hash_id); ?>" />
    <input type="submit" name="submit" value="Update" />
</form>
    
answered 10.11.2017 at 21:30
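The first and third answers both put a hash of the id in a second hidden input and recompute it on submit. The example below is an added illustration, not code from the question or from any of the answers, showing why that check needs a server-side key: an unkeyed hash such as hash('ripemd160', $id) can be recomputed by anyone who changes the id, while a keyed HMAC (hash_hmac with a secret the browser never sees) cannot. The secret string, the FORM_CONTEXT constant and the function names are assumptions made for the example; the request arrays at the bottom are constructed, not real $_POST data. The tag is computed over the posted id itself, so the check does not depend on $_GET['id'] surviving the POST.

```php
<?php
declare(strict_types=1);
// Added example (not from the question or any answer): signing a hidden id
// with a keyed HMAC so the client cannot recompute the tag after editing the id.
// Assumptions: $secret is loaded from configuration outside the web root, and
// FORM_CONTEXT is a per-form label; both names are hypothetical.

const FORM_CONTEXT = 'update-article'; // hypothetical: one context string per form

/** Produce the tag to place in the second hidden input. */
function sign_hidden_id(int $id, string $secret, string $context = FORM_CONTEXT): string
{
    // The context is included so a tag issued for one form cannot be replayed on another.
    return hash_hmac('sha256', $context . ':' . $id, $secret);
}

/** Verify the posted id/tag pair. Returns the id on success, null otherwise. */
function verify_hidden_id(array $post, string $secret, string $context = FORM_CONTEXT): ?int
{
    $id  = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $tag = $post['hash_id'] ?? null;
    if ($id === false || !is_string($tag)) {
        return null;
    }
    $expected = sign_hidden_id($id, $secret, $context);
    // Constant-time comparison; the attacker-controlled value goes second.
    return hash_equals($expected, $tag) ? $id : null;
}

/** Unkeyed variant mirroring the hash('ripemd160', $id) scheme, for comparison. */
function unkeyed_check(array $post): ?int
{
    $id  = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $tag = $post['hash_id'] ?? null;
    if ($id === false || !is_string($tag)) {
        return null;
    }
    return hash_equals(hash('ripemd160', (string) $id), $tag) ? $id : null;
}

// --- Demonstration with constructed request data (no real HTTP involved) ---
$secret = 'hypothetical-secret-use-random_bytes(32)-in-production'; // assumption

// 1. The server renders the form for id 42.
$id  = 42;
$tag = sign_hidden_id($id, $secret);
printf('<input type="hidden" name="id" value="%d" />' . "\n", $id);
printf('<input type="hidden" name="hash_id" value="%s" />' . "\n",
    htmlspecialchars($tag, ENT_QUOTES, 'UTF-8'));

// 2. An honest submission: the posted id matches the tag.
$honest = ['id' => '42', 'hash_id' => $tag];
var_dump(verify_hidden_id($honest, $secret));

// 3. The id is changed but the old tag is kept: keyed check rejects it.
$tampered = ['id' => '43', 'hash_id' => $tag];
var_dump(verify_hidden_id($tampered, $secret));

// 4. The attacker recomputes the tag for the new id.
//    Unkeyed: succeeds, because hash('ripemd160', '43') needs no secret.
$forged_unkeyed = ['id' => '43', 'hash_id' => hash('ripemd160', '43')];
var_dump(unkeyed_check($forged_unkeyed));
//    Keyed: without $secret, whatever the attacker computes will not match.
$forged_keyed = ['id' => '43', 'hash_id' => hash_hmac('sha256', FORM_CONTEXT . ':43', 'guess')];
var_dump(verify_hidden_id($forged_keyed, $secret));
```

Run with php on the command line: case 2 returns the integer id, cases 3 and the keyed case 4 return null, and the unkeyed case 4 returns the forged id, which is the point. Two caveats still apply even with the HMAC: the tag only proves that the server issued this id to some client, so the update handler must still check that the logged-in user is authorized to modify that row; and if you want the tag tied to one user, feed the session or user id into the HMAC input alongside the context string.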