Lets imagine for where are inputs like:
<input name="x" />
<input name="y" />
<input name="z" />
Can there be any harm if user manually, for example, by using FireBug creates more inputs with different names?
I’m asking this because my team yesterday created a rule that you need to manually filter $_POST array (for example) to be sure that there are only expected keys in it. I, personally, don’t see any harm if there would be extra keys like foo and bar. They would be ignored, right?
Also, we are using Kohana 3.0 and its ORM. Maybe that’s the whole point? Maybe ORM would react different for extra, unneeded keys and, maybe, update unexpected columns in database if ‘hacker’ guesses the ‘wrong’ key (so column as well)?
What do you think?
This is a problem in some frameworks like Ruby on Rails and ASP.NET MVC, where it can occur as mass assignment.
Consider a user account model where you have username, password, email and then a boolean flag for whether or not the user is admin.
You build a form for allowing self-registration, and because you of course don’t want users to allow themself to become admin, you include only the three first fields in your form. However in these frameworks (unless you disable it), any form field with a specific name (regardless of whether or not they came from the actual form) would be assigned. So if the attacker added a field called something like user[admin]=1, that might be assigned by the “magic” backend, and actually have an effect on the data, even though you never explicitely handled that variable.