All geek questions in one place

Hack flag values

I am writing a website app to allow the user to choose the toppings for their pizza using checkboxes. Each flag is assigned a name for the value attribute, for example:

<li name="meatItem" id="m1"><input type="checkbox" name="checkItem" id="Pep" value="1.5">Pepperoni</li>

I am going to write a php script that skips all the flags and determines the price for the pizza, adding all the values โ€‹โ€‹from each flag. But I'm worried that the HTML is hacked to change the attributes of the value, which will obviously lead to an inaccurate setting of the php price of the script. Is this a serious problem? Is there any way to avoid this?

+4
source share
2 answers

Instead of having price values โ€‹โ€‹directly in the HTML checkbox, you should have a checkbox value instead of โ€œcodeโ€ that matches what you want. Like 1 = cheese, 2 = pepper, etc. Then on the backend, enter the code => price comparison and calculate the price + which fillings are needed in PHP, based on which codes were indicated. Or, as you say, it is possible for someone to crack these values.

+6
source

Simply put, never trust anyone that the user can access.

Yes, someone can easily change these values, in fact they can send their own form to their page with any values, etc. that they want.

You better take the provided data (i.e. POST / GET) and first check the names and data for what it should be (i.e. strlen() , regex for A-z0-9, possibly an array with all the valid data, and t .d.), and then when you are happy, all the data presented is valid, then get your prices from a database / other source based on the names of the forms.

Just placing them on the form, someone will change the price by 0.00 and get them for free. Thus, these are meaningless posting prices in the form, when you still have to check them from your own source (mysql, etc.).

+5
source

Source: https://habr.com/ru/post/1502923/

More articles:


All Articles