Not entirely confident I have understood security in Laravel forms enough. For example, if a form contains
<input type="hidden" name="user_id">
then obviously a hacker could change the value before submitting an update.
While I have looked here at CSRF, I've not fully understood if this is enough protection?
E.g. Taking the above, if I go to a site and open a form to edit a record I'm permitted to view but not change, and maliciously alter the "user_id", is it enough that the form is protected with {{ csrf_field() }} or must I employ some further security such as Crypt::encrypt($id) to hide the user_id (held in a database) and Crypt::decrypt($id)?
Is it considered a bad practice to expose a row id (like a user id) in a client browser (even though everything is sent over https)?
Many Thanks
No, it's not enough to use just CSRF token in this case. You also need to use policies, guards, middleware to protect your app.
In this case, someone can alter the user_id if you read it from the form and use after that, so you need to use a policy like this one to protect data (this example is from the docs):
public function update(User $user, Post $post)
{
return $user->id === $post->user_id;
}
Also, when you need to use user ID, always use auth()->id() or auth()->user() if you need whole object. Never read user ID from the form.
The Laravel framework stores the value of this CSRF field like a session variable and matches it when you submit it.
When you submit the form Laravel checks that value from the session value stored. if there is a mismatch an error is thrown !
:)
CSRF token protect the site from cross-site requests, means an external user can't duplicate the form and send a post request. Laravel create a random session token which we place in the hidden field using csrf_field() or Session::token() function. Laravel checks the session with hidden field value from the form before processing the form.
Try removing the form action. It should work.
Related
Basically I have an anchor tag (update) that gets the id of the request in the table and load the update view getting all the request details
<i class="fa fa-eye"></i> Update
This is then received in my method
public function update_request_view($idx)
{
//some code here to load the view and get details
}
The url then becomes http://localhost/dashboard/staff/request/update_request_view/48
Now when I try to save the update that I make using another method
public function update()
{
$idx = $this->uri->segment(5);
}
My $idx variable is empty. When I use $this->uri->segment(4), I get update_request_view.
I dont wanna use hidden fields since it will cause lots of security issues and also when I will be able to work this out i will encrypt the id. Why is my $this->uri->segment(5) empty and how do I get it?
Most likely, if I understand you correctly, it is because the update function is a separate page than http://localhost/dashboard/staff/request/update_request_view/48. So CI doesn't see any of the previous url variables. You can either submit to update/{$id} (action url) or you can use a hidden field; it is no less safer than using an id in the url as that can be just as easily manipulated with a change to the form action.
That being said, if you are really concerned about security you should restrict access to particular users for a given record using some sort of ACL.
I have a form which allows a user to create an unlimited number of fields. If this forms fails validation I want the user to return to this page with the form populated with their previous input values - i.e. I want these fields to persist.
With a normal form I could do this with {{ old 'title' }}, however, these additional fields are being generated through JavaScript and so I cannot add this PHP snippet. What is the best way for me to retrieve these previous input values?
3 ways to do this, cache, sessions and cookies.
cache and sessions are server side which is much better for security, however it will take extra time and effort for setting up, but if the data is not sensible and can be passed within cookies, better to the cookies.
The best thing about cookies for your current situation is: you can set it up directly from your front end JS code.
This is my previous question Get model id from route/url and the solution was very smart, however i am afraid of manipulation of this
{!! Form::hidden('event_id', $event->id) !!}
A user AntoineB has said : " It cannot be manipulated if you're securing your application properly, this is the best way to do it."
What can i do to secure my app from manipulating this field and to check if it corresponds to the event id that user actually clicked?
How to check this field?
As I commented before you can't as all event_id on your website are visible to all users that can use console in browser.
What you can do is encode/encrypt your event_id (Laravel provides encryption)
{!! Form::hidden('event_id', encrypt($event->id)) !!}
And when you send POST/GET on server side
$decrypted_event_id = (int)decrypt($request->input('event_id'));
$event = Event::find($decrypted_event_id);
Also you could make restrictions for specific user for particular event_ids
But encypting will hide the actual value of ID
Encrypting doesnt protects you but it makes harder for user to understand what ID your event has.
This is alternative 3rd party library for hash ids click you may use this if dont like long character of laravel encryption
Hmmm... What?
$request->event_id
this ones a head ache! From my understanding of laravel's flash method for sessions, once it has been set then called, it will be destroyed...
Session::flash( 'key', $data );
somewhere down the line
{{ Session::get( 'key' ) }}
I am using this for form validation. Now when the form does not validate, the application displayed the error, if I amend the form and post again, the database updates, the details are displayed correctly, but the error appears again! This is the same for if I post the form that doesn't validate, it displays the error, but if I then click the navigation link for the same page, it displays again!
Anyone come across this?
regards
Luke
I had this problem once when I did a return view() / return View::Make when it should be a return redirect()->route() in my Controller#update method.
Since Laravel 5.1, you can use the now() method which will only affect the current request :
Session::now('key', 'message');
or
session()->now('key', 'message');
Out of the laravel docs:
The flash method stores an item in the session that will expire after the next request. It's useful for storing temporary data like status or error messages.
This means, it's available at the current and also the next request. It does not get flushed automatically if you access it. To do so, use Session::flush('key');.
Session Flash preserves the session data for 2 requests because it was meant to be used during redirection.
However, I've came across a use case where I do want to use flash for just 1 request in the next view and found an easy way to do it, which is to pull from the session rather than get it. The Session::pull() gets the session data and removes from the session.
#if (Session::has('message'))
<div class="alert alert-message">{{Session::pull('message'}}</div>
#endif
Hope this helps!
It's probably some other issue with your code, if you could share your code it would help us get a better insight into this issue.
You can use the below code snippet to Flash Error messages to your laravel blade template.
#if (Session::has('message'))
<div class="alert alert-success">{{Session::get('message')}}</div>
#endif
I once had similar issue because i used Session::reflash() in my controller.
Ensure you don't have Session::reflash() somewhere in your controller or anywhere in your application, as it flashes whole session... use example: Session::keep(array('username', 'email')); to reflashing only A Subset Of Flash Data
An easy way to flash a message once when you are creating a view (and not redirecting) is:
Session::flash($key, $value);
Session::push('flash.old', $key);
Refer here.
The flash method is meant for storing the data for the next request. Ideally after flashing the data to the session you should be redirecting to a new route. (This is what the accepted answer suggests.)
But if you are not redirecting you can call the forget method after displaying the session in your blade template:
{{ session()->flash('key') }}
#php
session()->forget('flash-info');
#endphp
I am trying to learn PHP with codeigniter, had have come across a problem. Am writing a user registration form with form validation.
If the user input has passed validation, it will check database if the email is already existing in the database. If it exists, it should show an error to the user.
I am storing this error in the flashdata session variable, and redirecting the user to the registration form. But after redirection, the form set_values are empty.
I want it to be populated with the values the user already filled out earlier. If I use $this->load->view('registration_form').. the field values are populated like I want, but the database error does not show, since it's not a new server call.
Does the form_validation values (set_value()) disappear on a redirect? If it does, how can I prepopulate the field values?
If you redirect when a form that posts to itself is valid, then yes you will lose set_value() as there is now nothing in the $_POST array - this is why you redirect, so a user won't resubmit the form on refresh.
What you should do is create your own validation rule in a callback function in the same controller. See here http://codeigniter.com/user_guide/libraries/form_validation.html#callbacks
What you need to do is pass the email to a model in the callback that will check the email against your database and return false if it is already there. This way, your form will not be valid and not redirect if the email already exists.
I was just adding a form to an old CI installation minutes ago and had this issue. It's funny you should mention it.
Since set_value() and the related functions are only reading the $_POST data, they will not hold the value after a refresh. You have a few options:
Don't redirect until the form is valid.
Assign the $_POST array to a flashdata (session) variable, and copy it to the $_POST array manually after the redirect
Write your own group of functions to handle this with either flashdata or session data or other method, and don't use the set_value() functions.
For the quickest fix, use #1. I don't like manually setting $_POST values, so I don't really endorse #2, but it should work. For the long term - use #3. I find that the CI form handling is often lacking, and my personal form interaction code base has grown quite a bit over time.