I have the following code
<textarea class="input" id="input" onkeypress="ifenter(event,'<?php echo $id ?>')"></textarea>
Obviously in this case the $id is vulnerable, and anyone simply using Firebug can alter the $id and send a different variable. How should I act here? I’m stuck and no ideas come to mind at the moment.
Should I hash it? And if I do that, how can I unhash it? By encrypting it using an algorithm, it would be hackable, don’t you think?
You need to sign this ID with a secret. Let's say that you have an ID $id and a secret known only by the server $secret, then instead of putting only <?php echo $id ?> you would put:
Where hash() is some hash function, like MD5 or SHA-1. Then, you can check on the server if by concatenating the ID and the secret you get the same hash. If yes, everything is fine, if no, somebody has changed the ID.
This is the simplest way. There are already some better (harder to crack) solutions, like HMAC.
Edit: Also, depending on what this ID is, you should consider if you’re doing the right thing. If it’s a user ID, you could use sessions instead, if it’s some other resource ID, you should instead check if the logged in user has permissions to modify this resource.
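The HMAC variant mentioned in the answer, as an added example that is not part of the original answer: the server emits the ID together with an HMAC-SHA256 tag and rejects any token whose tag does not match. The function names `sign_id` and `verify_id`, the `id.tag` token layout and the sample ID are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in a real deployment the secret is loaded from server-side
// configuration and never reaches the browser. It is generated here only
// so the example runs on its own.
$secret = random_bytes(32);

/** Build "id.tag", where tag is the hex HMAC-SHA256 of the ID. */
function sign_id(string $id, string $secret): string
{
    return $id . '.' . hash_hmac('sha256', $id, $secret);
}

/** Return the ID if its tag is valid, or null if the token was altered. */
function verify_id(string $token, string $secret): ?string
{
    // Split on the last dot so an ID that itself contains dots still works.
    $pos = strrpos($token, '.');
    if ($pos === false) {
        return null; // no tag at all, e.g. a bare ID typed in by the client
    }
    $id  = substr($token, 0, $pos);
    $tag = substr($token, $pos + 1);

    // Recompute the tag from the received ID and compare in constant time.
    $expected = hash_hmac('sha256', $id, $secret);
    return hash_equals($expected, $tag) ? $id : null;
}

// Constructed sample: the value the server would place in the page.
$token = sign_id('42', $secret);

// Constructed tampering case: the ID is edited in the browser, the tag is not.
$edited = '43' . substr($token, 2);

foreach (['unmodified' => $token, 'edited' => $edited, 'untagged' => '42'] as $label => $value) {
    $id = verify_id($value, $secret);
    echo $label . ': ' . ($id === null ? 'rejected' : 'accepted, id=' . $id) . PHP_EOL;
}
```

A valid tag only shows that the server issued that ID at some point; the session and permission checks from the answer's edit are still needed to decide whether the current user may act on it.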