
Secure solution to hidden forms

Developer https://www.devze.com 2023-01-30 07:10 Source: Web

I have this code:

<?php if ($cur_post['poster_id'] == $forum_user['id']) { ?>
  <!-- Message box is only rendered when the current user is the post's author -->
  <div class="txt-box textarea required">
    <label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_post['Write message'] ?> <em><?php echo $lang_common['Required'] ?></em></span></label>
    <div class="txt-input"><span class="fld-input"><textarea id="fld<?php echo $forum_page['fld_count'] ?>" name="req_message" rows="14" cols="95"><?php echo forum_htmlencode(isset($_POST['req_message']) ? $message : $cur_post['message']) ?></textarea></span></div>
  </div>
<?php } else { ?>
  <!-- Nothing is rendered here for other users (e.g. an admin editing someone else's post) -->
<?php } ?>

I need a more secure solution to hidden forms, because currently with this code when I press submit (as an admin) it says I must enter a value for the written message. I can bypass this using hidden forms under the ELSE bit - but people with any knowledge can just bypass this using Inspect Element or Firebug and then post that value.

I need a more secure solution to this, so that people cannot edit hidden forms. Do I post the old variable somehow to the form?

It's for a PunBB page (edit.php): http://punbb.informer.com/svn/punbb/tags/punbb-1.3.3/edit.php (original).

Thanks


This is always an interesting problem.

I suggest storing private data in the user's $_SESSION with an index unique to the form + page call. I just came into a similar problem at work where I was starting to pass way too much private data through hidden form fields. Now I simply pass a unique id which I use to index the specific private form data in the session.

It's not a 100% solution. Storing the data in the session rather than in the form means a stale form can time out (i.e. if the session is killed/timed out), but it's a worthwhile trade-off I think.
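The pattern this answer describes, written out as an added example (not the answerer's code and not part of PunBB): the private form state lives in $_SESSION under a random id, the hidden field carries only that id, and the processing side recovers the data from the session rather than from POST. The function names, the session key and the 30-minute lifetime are assumptions; the expiry branch is the "stale form" trade-off mentioned above.

```php
<?php
// Added example: private form data stays server-side in the session; only an
// opaque id travels through the hidden field. All names here are assumptions.

declare(strict_types=1);

const FORM_STASH_KEY = 'form_stash';   // assumed session key
const FORM_STASH_TTL = 1800;           // seconds a stashed form stays valid

// Store $private (e.g. the post id and original message) under a random id
// and return that id. Only the id is ever written into the page.
function form_stash_put(array $private): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $id = bin2hex(random_bytes(16));           // unguessable, new per render
    $_SESSION[FORM_STASH_KEY][$id] = [
        'data'    => $private,
        'created' => time(),
    ];
    return $id;
}

// Fetch and discard the stash for $id. Returns null when the id is unknown,
// malformed or expired: that is the "stale form" case the answer mentions.
function form_stash_take(string $id): ?array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return null;                           // not something we issued
    }
    $entry = $_SESSION[FORM_STASH_KEY][$id] ?? null;
    if ($entry === null) {
        return null;
    }
    unset($_SESSION[FORM_STASH_KEY][$id]);      // one-time use
    if (time() - $entry['created'] > FORM_STASH_TTL) {
        return null;                           // session outlived the form
    }
    return $entry['data'];
}

// Rendering side: the hidden field holds nothing but the id.
function render_hidden_stash_field(array $private): string
{
    $id = form_stash_put($private);
    return '<input type="hidden" name="form_id" value="'
        . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '">';
}

// Processing side: the private data comes back from the session, so editing
// the hidden field in the browser cannot change which post is being edited.
function handle_submission(array $post_data): string
{
    $private = form_stash_take((string) ($post_data['form_id'] ?? ''));
    if ($private === null) {
        return 'This form has expired or is invalid; please reload the page.';
    }
    return 'Editing post ' . (int) $private['post_id'];
}

// Constructed demonstration: render, then submit the id back.
echo render_hidden_stash_field(['post_id' => 42, 'original' => 'hello']), "\n";
$issued = array_key_first($_SESSION[FORM_STASH_KEY]);
echo handle_submission(['form_id' => $issued]), "\n";       // Editing post 42
echo handle_submission(['form_id' => $issued]), "\n";       // expired (one-time use)
```

Because the stash is consumed on first use, a resubmitted or replayed form is rejected, which is the same property a CSRF token gives; the cost is that a user who leaves the page open past the session lifetime has to reload it.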


I'm not entirely sure I understand the question. Are you trying to control how the form renders, or trying to figure out how to add 'sensitive' data to a form?

First, if you're worried about what parts of the form are being rendered on the page, anything in the else clause would only render if the conditions in the if clause were not true. The else is not 'hiding' part of the form.

Second, there is no such thing as a 'secure' client-side form. Generally speaking, you cannot control what data is submitted to your application, and anyone can submit any POST or GET data they want. Instead you have to handle it on the server-side by properly filtering to ensure that a user has the proper authorization to do what they're trying to do. It sounds like you need to require the user to identify as an admin when the form is processed (most likely through session data).


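The server-side check this answer calls for, as an added example (not PunBB's edit.php and not the answerer's code): the decision about who may edit the post, and whether a new message body is required, is made from session-backed user data and the post row loaded from the database, never from which fields the browser sent. The `is_admin` flag and function names are assumptions; a constructed submission at the end shows that a forged `is_admin` field in POST changes nothing.

```php
<?php
// Added example: authorization and validation on the server. $user is what the
// server loaded from the session (PunBB's $forum_user plays this role); $post
// is the row fetched by the post id in the request. Names are assumptions.

declare(strict_types=1);

function can_edit_post(array $user, array $post): bool
{
    if (!empty($user['is_admin'])) {           // assumed flag from the session
        return true;
    }
    return !empty($user['id'])
        && (int) $user['id'] === (int) $post['poster_id'];
}

// Returns [errors, fields to save]. The message is required only when the
// submitter is the poster; an admin who leaves it empty keeps the stored text,
// which is the situation the question describes without any hidden field.
function process_edit(array $user, array $post, array $input): array
{
    if (!can_edit_post($user, $post)) {
        return [['You are not allowed to edit this post.'], []];
    }

    $errors    = [];
    $is_poster = (int) $user['id'] === (int) $post['poster_id'];
    $message   = trim((string) ($input['req_message'] ?? ''));

    if ($is_poster && $message === '') {
        $errors[] = 'You must enter a message.';
    }
    if (!$is_poster && $message === '') {
        $message = $post['message'];           // moderator edit, body unchanged
    }

    return [$errors, ['message' => $message]];
}

// Constructed data for demonstration only.
$post   = ['id' => 7, 'poster_id' => 3, 'message' => 'original text'];
$author = ['id' => 3, 'is_admin' => false];
$admin  = ['id' => 1, 'is_admin' => true];
$other  = ['id' => 9, 'is_admin' => false];

// Author submits an empty body: rejected.
[$errors] = process_edit($author, $post, ['req_message' => '']);
echo implode('; ', $errors), "\n";              // You must enter a message.

// Admin submits no body: the stored message is kept.
[, $fields] = process_edit($admin, $post, []);
echo $fields['message'], "\n";                  // original text

// Unrelated user forges is_admin in POST: the session says otherwise.
[$errors] = process_edit($other, $post, ['is_admin' => '1', 'req_message' => 'x']);
echo implode('; ', $errors), "\n";              // You are not allowed to edit this post.
```

The forged `is_admin` field is simply never read: only `$user`, which the server built from its own session, decides the role, so there is nothing for Inspect Element or Firebug to change.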