ankh2054 Posted May 8, 2014

Hi all,

I have created a frontend form to allow users to update their profiles (fields in the user template). It works, but I am sort of wondering what security checks I should put in place to ensure that a user can only update his/her own fields?

```php
// if user isn't logged in, forward to login page
if(!$user->isLoggedin()) {
    $session->redirect("/login/");
}

//***UPDATE PROFILE***//
if($input->post->profile_submit) {
    // instantiate variables taking in the form data
    $email = $sanitizer->email($input->post->email);
    $full_name = $sanitizer->text($input->post->full_name);

    // update user details
    $user->of(false);
    $user->email = $email;
    $user->user_full_name = $full_name;
    $user->save();
    $user->of(true);
}
//***UPDATE PROFILE***//
```

```html
<!-- Update details form -->
<form class="form-horizontal" action="./" accept-charset="UTF-8" autocomplete="off" method="post">
    <div>
        <input type="text" class="form-control" id="inputFullname3" name="full_name" value="<?php echo $user->user_full_name; ?>">
    </div>
    <div>
        <input type="text" class="form-control" id="inputEmail3" name="email" value="<?php echo $user->email; ?>">
    </div>
    <button class="btn btn-lg btn-primary btn-block" type="submit" name="profile_submit" value="profile_submit">Update Details</button>
</form>
<!-- Update details form -->
```
Valery Posted May 8, 2014

Hi,

You might want to check that the user is still logged in before updating their profile fields: `if ($user->isLoggedin())`
ankh2054 Posted May 8, 2014 (Author)

Forgot that, but that is actually already included. Just wondering whether a user would be able to update someone else's profile?
Valery Posted May 8, 2014

The $user API variable is your connection to the current user viewing the page. Let me go into detail here a bit.

When a user logs in, a session starts. The user's browser gets assigned an ID. You can see it in the `wire_challenge` cookie. This long string of numbers and characters is the link between the user's browser and the server's session. PW checks these IDs every time to be sure you are still logged in and you are still the user you are.

Suppose this ID generation mechanism is exploitable by an attacker. Now they can craft an ID for any user currently logged in. Still with me? The trick here is that PW is good at making strong session IDs. You cannot simply "craft" the right session ID.

So, to alter someone else's profile, the following must hold:

- the targeted user must be logged in;
- the attacker must have their session ID.

I can see XSS as the only way to steal someone's cookie. So it's your job to validate user input and watch for XSS hacks--not only in your PW forms but on the whole site in general.
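A hardened version of the handler from the first post, as an added example (not code from the thread). It assumes the same `user_full_name` user field, and uses ProcessWire's built-in `$session->CSRF` helper, which the thread itself does not discuss; the point it demonstrates is the one above: every write goes through `$user`, the current session user, and nothing the client sends ever selects which profile is changed.

```php
<?php
// Added example: hardened profile-update handler for a ProcessWire template.
// Assumes a user field "user_full_name" (from the thread) and the standard
// $session->CSRF helper (not covered in the thread).

// 1. Only a logged-in user gets here. $user is always the *current* session
//    user, so the writes below can only ever touch the viewer's own profile.
if (!$user->isLoggedin()) {
    $session->redirect('/login/');
}

$errors = [];

if ($input->post->profile_submit) {
    // 2. Accept only submissions that carry this session's own form token,
    //    so a request triggered from another site is ignored.
    if (!$session->CSRF->hasValidToken()) {
        $errors[] = 'Form expired or invalid, please try again.';
    } else {
        // 3. Sanitize: email() returns '' for anything that is not a valid
        //    address; text() strips tags and caps the length. Note that no
        //    user id is read from the request: the target is always $user.
        $email    = $sanitizer->email($input->post->email);
        $fullName = $sanitizer->text($input->post->full_name, ['maxLength' => 128]);

        if ($email === '') {
            $errors[] = 'Please enter a valid email address.';
        }
        if ($fullName === '') {
            $errors[] = 'Please enter your name.';
        }

        if (!$errors) {
            $user->of(false);
            $user->email          = $email;
            $user->user_full_name = $fullName;
            $user->save();
            $user->of(true);
            $session->redirect('./'); // redirect after POST so a refresh does not resubmit
        }
    }
}

// 4. Output: entity-encode anything rendered back into HTML, so a stored value
//    containing markup can never become script in the browser (the XSS case
//    Valery mentions). The form should echo these instead of the raw fields.
$safeName  = $sanitizer->entities($user->user_full_name);
$safeEmail = $sanitizer->entities($user->email);
$csrfInput = $session->CSRF->renderInput(); // hidden input carrying the session token
```

The form markup stays as in the first post, except that the two `value` attributes echo `$safeName` and `$safeEmail`, and `$csrfInput` is echoed inside the `<form>` so the token is submitted with it.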
ankh2054 Posted May 8, 2014 (Author)

Thanks for the helpful information.