HTML - How to prevent user from editing form's value?

I am developing a simple web app that allows users to key in information using a form, when I discovered I could edit that form's input default value using Chrome -> Check Element and submit the page with a different, hacked value.

Code:

<input id="radioOk_100237" name="radio_100237" type="radio" checked="" value="0"> 

As normal, I loaded the page, then using Google Chrome's Check Element I targeted this checkbox and changed the value to "9" before submitting it; on my backend page, it reads "9" instead of the pre-set value of "0" from this input element.

If every user changed the value and submitted, it would completely thrash my DB. How is this possible, and am I supposed to encrypt the page or do something prior to submitting? I am totally lost; btw, I am using PHP.

maomaopop asked May 29 '11 15:05



2 Answers

For typical users, you can just add the attribute readonly to the form field(s).

For more advanced users/hackers that try to manipulate your server, you need to validate every piece of data that is submitted to ensure that tampering is caught and rejected. There is no client-side technique for this that is tamper-proof.

AJ. answered Sep 19 '22 16:09



You need to be doing server-side validation, to make sure the values you get from your client app make sense. If you know that a value of "9" will "thrash your DB", don't accept values of 9 from the client.

Obligatory XKCD link: http://xkcd.com/327/

eaolson answered Sep 22 '22 16:09

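Both answers make the same point: the browser can send anything, so the only check that holds is the one the server does. The following PHP is an added example written for this page, not code from the asker or from either answerer. It validates the radio field from the question (radio_100237) against the option values the server itself rendered; the allowlist contents, the function names and the sample submissions are assumptions chosen for illustration.

```php
<?php
// Added example: server-side validation of a submitted radio value against the
// set of values the server rendered into the form. Everything a browser sends,
// including a value edited in the element inspector, passes through this check.

declare(strict_types=1);

/**
 * Returns the option values the server rendered for a given radio group,
 * or null if the field name is not one this form offers.
 * Constructed sample data: radio_100237 was rendered with the values 0 and 1.
 * A real app would read this from the same source the form options come from.
 */
function allowedValuesFor(string $field): ?array
{
    $options = [
        'radio_100237' => ['0', '1'],
    ];
    return $options[$field] ?? null;
}

/**
 * Validate one submitted radio field against the server-known allowlist.
 * Returns the accepted value as an int, or null when the submission must be rejected.
 */
function validateRadio(array $post, string $field): ?int
{
    $allowed = allowedValuesFor($field);
    if ($allowed === null) {
        return null;                         // unknown field name: reject
    }
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;                         // missing, or an array instead of a scalar
    }
    // Strict comparison: "9" is not in ['0', '1'], and neither is " 0" or "0x0".
    if (!in_array($post[$field], $allowed, true)) {
        return null;
    }
    return (int) $post[$field];
}

// When run from the CLI there is no request body, so fall back to a constructed
// tampered submission: the value "9" that the question describes setting in Chrome.
$submitted = $_POST ?: ['radio_100237' => '9'];

$value = validateRadio($submitted, 'radio_100237');
if ($value === null) {
    http_response_code(400);
    exit('Rejected: the submitted value is not one of the options this form offers.' . PHP_EOL);
}

// Only a value the server itself rendered reaches this point, so it is safe to
// pass on to the database layer (with a prepared statement, as usual).
echo 'Accepted value: ' . $value . PHP_EOL;
```

The allowlist lives on the server, so the readonly attribute from the first answer is still fine as a usability hint, but nothing the markup says is trusted: the field name must be one the form has, the value must be one of the options that were rendered for it, and the comparison is strict so that loosely-equal strings cannot slip through.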