ankh2054

User field update form security

Hi all,

I have created a front-end form to allow users to update their profiles (fields in the user template).

It works, but I am sort of wondering what security checks I should put in place to ensure that a user can only update his/her own fields?

<?php
// if user isn't logged in, forward to login page
if(!$user->isLoggedin()) {
    $session->redirect("/login/");
}

//***UPDATE PROFILE***//

if($input->post->profile_submit) {

    // instantiate variables taking in the (sanitized) form data
    $email = $sanitizer->email($input->post->email);
    $full_name = $sanitizer->text($input->post->full_name);

    // Update user details; $user is the user of the current session
    $user->of(false);
    $user->email = $email;
    $user->user_full_name = $full_name;
    $user->save();
    $user->of(true);
}

//***UPDATE PROFILE***//
?>

<!-- Update details form -->

<form class="form-horizontal" action="./" accept-charset="UTF-8" autocomplete="off" method="post">
<div>
 <input type="text" class="form-control" id="inputFullname3" name="full_name" value="<?php echo $user->user_full_name; ?>">
</div>

<div>
 <input type="text" class="form-control" id="inputEmail3" name="email" value="<?php echo $user->email; ?>">
</div>

<button class="btn btn-lg btn-primary btn-block" type="submit" name="profile_submit" value="profile_submit">Update Details</button>
</form>
<!-- Update details form -->
  • Like 1


Hi,

You might want to check that the user is still logged in before updating their profile fields:

if ($user->isLoggedin())


Forgot that, but yes, that is actually already included. Just wondering whether a user would be able to update someone else's profile?

The $user API variable is your connection to the current user viewing the page.

Let me go into detail here a bit.

When a user logs in, a session starts. The user's browser gets assigned an id. You can see it in the `wire_challenge` cookie.

This long string of numbers and characters is the link between the user's browser and the server's session. PW checks these IDs every time to be sure you are still logged in and you are still the user you are.

Suppose this ID generation mechanism is exploitable by an attacker. Now they can craft an ID for any user currently logged in.

Still with me? The trick here is that PW is good at making strong session IDs. You cannot simply "craft" the right session ID. So, to alter someone else's profile, the following must hold:

- the targeted user must be logged in;

- the attacker must have their session ID.

I can see XSS as the only way to steal someone's cookie. So it's your job to validate user input and watch for XSS hacks--not only in your PW forms but on the whole site in general.

  • Like 2
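
A hardened variant of the profile template from this thread, as an added example that is not part of the original posts or of ProcessWire itself. It assumes it runs as a ProcessWire template file (where `$user`, `$input`, `$sanitizer` and `$session` are provided), reuses the `user_full_name` field and `/login/` page from the question, and adds two checks the thread does not show: a session-bound CSRF token and entity-encoding of the values echoed back into the form. The error messages are made up for illustration.

```php
<?php
// Added example: assumes a ProcessWire template context and the custom
// user_full_name field from the original post.
if(!$user->isLoggedin()) $session->redirect('/login/');

$errors = array();

if($input->post->profile_submit) {
    // Reject cross-site form posts: the token is bound to this session.
    if(!$session->CSRF->hasValidToken()) {
        $errors[] = 'Form expired, please try again.';
    } else {
        $email = $sanitizer->email($input->post->email); // '' when invalid
        $fullName = $sanitizer->text($input->post->full_name);
        if($email === '') $errors[] = 'Please enter a valid email address.';

        if(!count($errors)) {
            // $user is always the account tied to the current session.
            // No user id or name is read from the request, so the form
            // cannot be pointed at another account.
            $user->of(false);
            $user->email = $email;
            $user->user_full_name = $fullName;
            $user->save();
            $user->of(true);
            $session->redirect('./'); // avoid a re-post on refresh
        }
    }
}

// Read the raw stored values and encode them exactly once at output,
// so a stored value cannot break out of the value="" attribute.
$fullNameOut = $sanitizer->entities($user->getUnformatted('user_full_name'));
$emailOut = $sanitizer->entities($user->getUnformatted('email'));
?>
<?php foreach($errors as $e): ?>
<p class="error"><?php echo $sanitizer->entities($e); ?></p>
<?php endforeach; ?>
<form class="form-horizontal" action="./" accept-charset="UTF-8" autocomplete="off" method="post">
    <?php echo $session->CSRF->renderInput(); ?>
    <input type="text" class="form-control" name="full_name" value="<?php echo $fullNameOut; ?>">
    <input type="text" class="form-control" name="email" value="<?php echo $emailOut; ?>">
    <button class="btn btn-lg btn-primary btn-block" type="submit" name="profile_submit" value="profile_submit">Update Details</button>
</form>
```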
