User field update form security


ankh2054

Hi all,

I have created a front-end form to allow users to update their profiles (fields in the user template).

It works, but I am sort of wondering what security checks I should put in place to ensure that a user can only update his/her own fields?

<?php
// if user isn't logged in, forward to login page
if(!$user->isLoggedin()) {
    $session->redirect("/login/");
}

//***UPDATE PROFILE***//

if($input->post->profile_submit) {

    // instantiate variables taking in the form data
    $email = $sanitizer->email($input->post->email);
    $full_name = $sanitizer->text($input->post->full_name);

    // Update user details ($user is the currently logged-in user)
    $user->of(false);
    $user->email = $email;
    $user->user_full_name = $full_name;
    $user->save();
    $user->of(true);
}

//***UPDATE PROFILE***//
?>

<!--** Update details form **-->
<form class="form-horizontal" action="./" accept-charset="UTF-8" autocomplete="off" method="post">
<div>
 <!-- entity-encode stored values before echoing them into an attribute -->
 <input type="text" class="form-control" id="inputFullname3" name="full_name" value="<?php echo $sanitizer->entities($user->user_full_name); ?>">
</div>

<div>
 <input type="text" class="form-control" id="inputEmail3" name="email" value="<?php echo $sanitizer->entities($user->email); ?>">
</div>

<button class="btn btn-lg btn-primary btn-block" type="submit" name="profile_submit" value="profile_submit">Update Details</button>
</form>
<!--** Update details form **-->

The $user API variable is your connection to the current user viewing the page.

Let me go into detail here a bit.

When a user logs in, a session starts. The user's browser gets assigned an ID. You can see it in the `wire_challenge` cookie.

This long string of numbers and characters is the link between the user's browser and the server's session. PW checks these IDs every time to be sure you are still logged in and that you are still the same user.

Suppose this ID generation mechanism were exploitable by an attacker. Then they could craft an ID for any user currently logged in.

Still with me? The trick here is that PW is good at making strong session IDs. You cannot simply "craft" the right session ID. So, to alter someone else's profile, the following must hold:

- the targeted user must be logged in;
- the attacker must have their session ID.

I can see XSS as the only way to steal someone's cookie. So it's your job to validate user input and watch for XSS attacks, not only in your PW forms but on the whole site in general.

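A hardened version of the profile handler from the question, written here as an added example rather than code from either post. It assumes ProcessWire's `$session->CSRF` token API and the custom `user_full_name` field named in the question.

```php
<?php
// Added example: profile update hardened against CSRF and stored/self-XSS.
// Assumes ProcessWire's $session->CSRF API and the "user_full_name" field.

// Guests (and expired sessions) never reach the update logic.
if($user->isGuest() || !$user->isLoggedin()) {
    $session->redirect("/login/");
}

if($input->post('profile_submit')) {
    // Reject POSTs that do not carry the token rendered into our own form;
    // this stops a third-party page from submitting on the user's behalf.
    if(!$session->CSRF->hasValidToken()) {
        $session->error("Form token invalid, please try again.");
        $session->redirect("./");
    }

    $email     = $sanitizer->email($input->post('email'));    // '' when invalid
    $full_name = $sanitizer->text($input->post('full_name')); // tags stripped

    if($email === '') {
        $session->error("Please enter a valid email address.");
    } else {
        // $user is always the session's own user, so only that account is
        // ever written: no user id is accepted from the request.
        $user->of(false);
        $user->email = $email;
        $user->user_full_name = $full_name;
        $user->save();
        $user->of(true);
        $session->message("Profile updated.");
    }
    // Redirect after POST so a refresh cannot replay the submission.
    $session->redirect("./");
}
?>
<form class="form-horizontal" action="./" accept-charset="UTF-8" autocomplete="off" method="post">
  <?php echo $session->CSRF->renderInput(); ?>
  <div>
    <!-- Entity-encode stored values before placing them in an attribute. -->
    <input type="text" class="form-control" name="full_name"
           value="<?php echo $sanitizer->entities($user->user_full_name); ?>">
  </div>
  <div>
    <input type="text" class="form-control" name="email"
           value="<?php echo $sanitizer->entities($user->email); ?>">
  </div>
  <button class="btn btn-lg btn-primary btn-block" type="submit" name="profile_submit" value="profile_submit">Update Details</button>
</form>
```

The token check and the entity encoding address the two things the reply above leaves to the site author: a forged cross-site submission and a script payload echoed back into the page.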
