This is my previous question Get model id from route/url and the solution was very smart, however i am afraid of manipulation of this
{!! Form::hidden('event_id', $event->id) !!}
A user AntoineB has said : " It cannot be manipulated if you're securing your application properly, this is the best way to do it."
What can i do to secure my app from manipulating this field and to check if it corresponds to the event id that user actually clicked?
How to check this field?
As I commented before you can't as all event_id on your website are visible to all users that can use console in browser.
What you can do is encode/encrypt your event_id (Laravel provides encryption)
{!! Form::hidden('event_id', encrypt($event->id)) !!}
And when you send POST/GET on server side
$decrypted_event_id = (int)decrypt($request->input('event_id'));
$event = Event::find($decrypted_event_id);
Also you could make restrictions for specific user for particular event_ids
But encypting will hide the actual value of ID
Encrypting doesnt protects you but it makes harder for user to understand what ID your event has.
This is alternative 3rd party library for hash ids click you may use this if dont like long character of laravel encryption
Hmmm... What?
$request->event_id
Related
Not entirely confident I have understood security in Laravel forms enough. For example, if a form contains
<input type="hidden" name="user_id">
then obviously a hacker could change the value before submitting an update.
While I have looked here at CSRF, I've not fully understood if this is enough protection?
E.g. Taking the above, if I go to a site and open a form to edit a record I'm permitted to view but not change, and maliciously alter the "user_id", is it enough that the form is protected with {{ csrf_field() }} or must I employ some further security such as Crypt::encrypt($id) to hide the user_id (held in a database) and Crypt::decrypt($id)?
Is it considered a bad practice to expose a row id (like a user id) in a client browser (even though everything is sent over https)?
Many Thanks
No, it's not enough to use just CSRF token in this case. You also need to use policies, guards, middleware to protect your app.
In this case, someone can alter the user_id if you read it from the form and use after that, so you need to use a policy like this one to protect data (this example is from the docs):
public function update(User $user, Post $post)
{
return $user->id === $post->user_id;
}
Also, when you need to use user ID, always use auth()->id() or auth()->user() if you need whole object. Never read user ID from the form.
The Laravel framework stores the value of this CSRF field like a session variable and matches it when you submit it.
When you submit the form Laravel checks that value from the session value stored. if there is a mismatch an error is thrown !
:)
CSRF token protect the site from cross-site requests, means an external user can't duplicate the form and send a post request. Laravel create a random session token which we place in the hidden field using csrf_field() or Session::token() function. Laravel checks the session with hidden field value from the form before processing the form.
Try removing the form action. It should work.
is there a way to customize Laravel 5 resource URLs ?
For example, change user/1/edit to user/edit.
That's because I don't want anybody to see the id in the URL. I think it is database information and shouldn't be revealed.
The point is that I want to do this without changing my routes. On the other hands I want to do this by using resource routes I have and not by adding some new routes to them , as you know when you define a resource route in your project it automatically adds some predefined routes to the route table and you are forced to use them in the way they are. For example you have to send a GET request to user/{user} for showing the user. Now I want to have a URL like user/{username} for doing this without adding a new route, IS THAT EVEN POSSIBLE?
if there is a way for achieving this I appreciate it if you share it here.
Thanks a lot
Since in most cases id is an auto incremented value and guessable, better you can use any other unique column of users table here, e.g username and then using that column instead of id in resource controller. Suppose you've an unique username column in your table So, if you use that instead of id your call to user edit will be like:
{!! route('user.edit', $user->username) !!} // let's say username is shahrokhi
which is equivalent to
user/shahrokhi/edit
Now for example, in your resource controller to edit a user details code may be like:
public function edit($username)
{
$user = User::where('username', '=', $username)->firstOrFail();
// rest of your code goes here
}
And so on for other methods.
On the page, there will be several posts by a user. Each post has an id # to identify it which is used when editing or deleting the post. With blade, I can make it so that hidden ID div only shows up when the authenticated user is on their own profile (since only they are allowed to edit or delete the posts).
However, I also have a liking feature that also uses that hidden ID div. I don't want someone to view the page source, change the ID, then click the like button. Is there a way to include the ID in the view, but not allow it to be changed?
I could try do to some validation on each like such as match the user, body, time posted, and ID and if that doesn't match then throw an error. Curious if there's a better way.
View:
<div class="post-like">
Like
</div>
Controller:
The $postId is that hidden ID div
public function getLike($postId)
{
$post = Post::find($postId);
if (!$post) {
return redirect()->back();
}
if (Auth::user()->hasLikedPost($post)) {
return redirect()->back();
}
$like = $post->likes()->create([]);
Auth::user()->likes()->save($like);
return redirect()->back();
}
It's not wise expose users' ID like this, but if you really need it, Laravel provides a way to handle users' action authorization. It can be done using either policies or model scopes.
Alternatively, you can ignore those authorizations and use UUID instead ID.
There is a nice package that handles it for you. Basically you'll just need to add a new field to the users' table.
In my applications I use both of them.
If I understand your question correctly, here's one idea: you can hide the actual post ID by concatenating your ID with some server-side only "key" and hashing.
For example:
In your app.php you add something like "post_mask_key" => "super_secret_123456"
...and in your code, something like:
$maskedPostId = sha1(\Config::get("app.post_mask_key") . $postId);
Then, share $maskedPostId with your view, which will be embedded into the HTML. The user can try to change it but when it is submitted, you can re-generate the hash easily (since you know both the key and ID server side) and compare the two.
Note: this approach is cryptographically weak but should be sufficient for masking a non-critical item like a post ID.
I am creating a TextBox using the html helper methods in my View.
#Html.TextBoxFor(m => m.Address, new { #readonly = "readonly" })
I would like this textbox to retain its value when posted, even if a malicious user tries to change it.
I am testing my code in IE, and can easily use the developer tools to remove the attribute "readonly".
Is there any implementation in MVC3 to retain values for the textboxes when posting? I am trying to avoid going to the database to get the original value.
Is there any implementation in MVC3 to retain values for the textboxes when posting?
No, there isn't. This is not possible. If you have sent the value up to the client you can no longer trust it. As you have already discovered it is trivial for the user to change the value of hidden and readonly fields. So if those values aren't meant to be modified by the user they should not even be part of the HTML. You should keep them on the server. Well, actually you could display them as readonly fields just for information to the user but when the form is submitted never use this value but use the real value that is stored on your server (maybe in a database or whatever persistent store you are using).
Why not try serializing everything you want to retain, encrypt it using a key only known to the server and store the encrypted value into a hidden input. You can still display the non-encrypted values in the form controllers, but at the server side, you will use the encrypted value send via the hidden input for actual processing. This way if a malicious user changes the standard inputs, it doesn’t matter, coz you will be using the encrypted copy.. A bit of a sidewinder, I know and its similar to how web forms maintains viewstate across posts.. Cheers
noob question. when I pass an id in the route to query my DB, is there a way to prevent the actual id from showing in the URL in browser.
If not, is there a way to prevent the user from changing the id in the URL and access other information?
Some sort of validation you get from clicking the link on the previous page or something.
I hope this make sense.
You could retrieve your record with an hash instead of the id directly.
You can use package like https://github.com/mitchellvanw/hashids (there must be some others)
Also, if you just want to hide it, you can POST it to your page. Don't forget that users can still change the form informations.
U can use base64_encode() and base64_decode to hide url from users and preventing them to change.