Vijilante SubAdmin
Joined: 18 Nov 2001 Posts: 5182
Posted: Sun Oct 12, 2008 1:09 pm
Subject: Hacking the userid hidden input
It looks like you have this properly protected. When I set the field to 1 and tried adding a category I got back an 'invalid session data' message. This shows you are comparing that value with the information from the login.
I would suggest that eliminating the field entirely would be good. You are currently doing a lookup each time the page is generated, then posting that information along with whatever the user entered. Next is another lookup and a compare to validate the entry. This can be simplified by eliminating the hidden field, and just using the recorded session value on the server side.
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
Posted: Mon Oct 13, 2008 5:01 pm
Yep, I'll be removing the field. It was left over from the first implementation before I was putting that data in the session itself.
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
Posted: Mon Oct 13, 2008 11:59 pm
The userid hidden field has been removed. Let me know if you run into any errors on any pages or find some other way to hack a page. But the whole site is session based now, and the session data is stored in our database, not in the cookie. So this should be pretty secure.
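The three designs discussed in this thread, side by side, as an added example that is not Zugg's site code and not part of the original posts: a handler that trusts the hidden userid field outright, the lookup-and-compare handler that produced Vijilante's 'invalid session data' message, and the session-only handler Vijilante recommends, where the browser's cookie carries nothing but an opaque session id and the user id lives in a server-side store (an in-memory dict stands in for the database here). All names (SESSION_TABLE, Request, login, the three add_category_* functions, demo) are assumptions made for this illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory stand-in for the server-side session table the thread
# describes (session data kept in the database, not in the cookie).
SESSION_TABLE = {}   # opaque session id (cookie value) -> {"userid": int}
CATEGORIES = []      # rows of (owner_userid, category_name)


def login(userid: int) -> str:
    """Record a server-side session and return the opaque id the cookie will carry."""
    session_id = secrets.token_urlsafe(32)   # unguessable; reveals nothing about the user
    SESSION_TABLE[session_id] = {"userid": userid}
    return session_id


@dataclass
class Request:
    """Minimal model of an incoming request: cookies plus posted form fields."""
    cookies: dict
    form: dict


def current_userid(req: Request):
    """Resolve the user from the session table; None if the cookie is missing or unknown."""
    sess = SESSION_TABLE.get(req.cookies.get("sid", ""))
    return None if sess is None else sess["userid"]


def _int_or_none(value):
    """Parse a posted field as an int without letting a bad value raise."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def add_category_trusting_hidden_field(req: Request) -> str:
    """Insecure pattern: the hidden 'userid' input alone decides who owns the row."""
    owner = _int_or_none(req.form.get("userid"))
    if owner is None:
        return "bad request"
    CATEGORIES.append((owner, req.form["name"]))
    return "ok"


def add_category_compare(req: Request) -> str:
    """Pattern the site had: look the session up, then compare it to the hidden field."""
    session_uid = current_userid(req)
    if session_uid is None:
        return "not logged in"
    if _int_or_none(req.form.get("userid")) != session_uid:
        return "invalid session data"   # the message Vijilante saw after setting userid=1
    CATEGORIES.append((session_uid, req.form["name"]))
    return "ok"


def add_category_session_only(req: Request) -> str:
    """Vijilante's suggestion: no hidden field; the server-side session names the user."""
    session_uid = current_userid(req)
    if session_uid is None:
        return "not logged in"
    CATEGORIES.append((session_uid, req.form["name"]))
    return "ok"


def demo():
    """Run one tampered request through all three handlers and report the outcomes."""
    CATEGORIES.clear()
    attacker_sid = login(42)
    # Constructed tampered form: hidden userid rewritten to 1 while the cookie
    # still belongs to user 42, which is what the thread's test did.
    tampered = Request(cookies={"sid": attacker_sid},
                       form={"userid": "1", "name": "evil"})
    results = {
        "trusting": add_category_trusting_hidden_field(tampered),
        "compare": add_category_compare(tampered),
        "session_only": add_category_session_only(tampered),
    }
    return results, list(CATEGORIES)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the difference: the trusting handler files the category under user 1 (the forged owner), the compare handler rejects the request with 'invalid session data', and the session-only handler files it under user 42 regardless of what the form claims, with one lookup instead of two. With the hidden field gone, the remaining thing to protect is the session id itself, so it should be unguessable and sent only over HTTPS with HttpOnly set on the cookie.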