Register to post in forums, or Log in to your existing account
 

Post new topic  Reply to topic     Home » Forums » SlightlyMorbid
Vijilante
SubAdmin


Joined: 18 Nov 2001
Posts: 5182

PostPosted: Sun Oct 12, 2008 1:09 pm   

Hacking the userid hidden input
 
It looks like you have this properly protected. When I set the field to 1 and tried adding a category I got back an 'invalid session data' message. This shows you are comparing that value with the information from the login.

I would suggest that eliminating the field entirely would be good. You are currently doing a lookup each time the page is generated, then posting that information along with the whatever the user entered. Next is another lookup and a compare to validate the entry. This can be simplified by eliminating the hidden field, and just using the recorded session value on the server side.
Reply with quote
Zugg
MASTER


Joined: 25 Sep 2000
Posts: 23377
Location: Colorado, USA

PostPosted: Mon Oct 13, 2008 5:01 pm   
 
Yep, I'll be removing the field. It was left over from the first implementation before I was putting that data in the session itself.
Reply with quote
Zugg
MASTER


Joined: 25 Sep 2000
Posts: 23377
Location: Colorado, USA

PostPosted: Mon Oct 13, 2008 11:59 pm   
 
The userid hidden field has been removed. Let me know if you run into any errors on any pages or find some other way to hack a page. But the whole site is session based now, and the session data is stored in our database, not in the cookie. So this should be pretty secure.
Reply with quote
Display posts from previous:   
Post new topic   Reply to topic     Home » Forums » SlightlyMorbid All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
© 2009 Zugg Software. Hosted on Wolfpaw.net