akash raigade - 2 months ago 6
MySQL Question

How to make POSTing secure and valid when submitting a form?

In a form I have a Submit button, which has as its value the INDEX of the row on which the operation is going to be performed. But now my main concern is that if someone, for fun, changes this VALUE of the button (by inspecting the code in the browser and then editing it), then my inputs will be saved in that INCORRECT ROW. So how can I make this SAFE? Please relate your answer to the following example:

Example :
I have an exam table

----------------------
Fill Marks of students
----------------------
Form to fill marks

a <input name='marklist[]'>
.
.
d <input name='marklist[]'>

<input type='submit' name='submit_info' value='4(INDEX)'>

---------table scheme--------

INDEX | exam_name | student_list
------+-----------+-------------
1     | dec 2013  | a,b,c,d
4     | dec 2014  | a,b,c,d


Now if someone changes the VALUE of the submit button it will be a fatal error.
So how can I make this scheme secure by any means?

Answer

It's not possible to prevent nefarious content in an HTTP POST. You can add checks and constraints in JavaScript to help avoid accidental modifications, but even if you do all of that work, at the end of the day you cannot prevent the client computer from sending whatever it wants.

All the end user has to do is set up a local proxy on their machine, catch and hold the HTTP POST in the proxy, modify it however they desire, and release the modified POST to your web server. There is no way to prevent the client from submitting whatever submit_info value they want.

The only way to "secure" this is in the code running on the server that processes the POST. The server side needs to verify that the content of submit_info is acceptable.

And to do what it sounds like you want to do, that requires checking the POST against what the web server sent to the client, which in turn requires saving (persisting) the "state" of the session.

There are several mechanisms that can be used to save the state of the web session. Some frameworks (such as Django) save the web session state in the database.


Bottom line... you can't prevent nefarious POST contents from being sent to your web server.
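The server-side check the answer describes, as an added example that is not part of the original question or answer. It is written in Python with an in-memory SQLite stand-in for the MySQL exam table, and a plain dict standing in for the framework's session store (Django, PHP sessions and similar all work the same way for this purpose). When the form is rendered, the server records in the session which exam INDEX it offered and which students it listed; when the POST arrives, submit_info and marklist[] are checked against that recorded state rather than trusted. The function and table names are assumptions chosen to match the question's example.

```python
import sqlite3


def make_db():
    """Constructed sample data mirroring the question's exam table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE exam (idx INTEGER PRIMARY KEY, exam_name TEXT, student_list TEXT)"
    )
    conn.executemany(
        "INSERT INTO exam VALUES (?, ?, ?)",
        [(1, "dec 2013", "a,b,c,d"), (4, "dec 2014", "a,b,c,d")],
    )
    conn.execute("CREATE TABLE marks (idx INTEGER, student TEXT, mark INTEGER)")
    conn.commit()
    return conn


def render_form(conn, session, exam_idx):
    """GET handler: the server decides which exam is being graded and remembers
    that decision in server-side session state before the form goes to the client."""
    row = conn.execute(
        "SELECT exam_name, student_list FROM exam WHERE idx = ?", (exam_idx,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no exam with INDEX {exam_idx}")
    students = row[1].split(",")
    session["offered_exam"] = exam_idx          # what submit_info must equal
    session["offered_students"] = students      # how many marks are expected
    # Only the rendered values are sent to the browser; they are hints, not authority.
    return {"submit_info": str(exam_idx), "students": students}


def handle_post(conn, session, post):
    """POST handler: every client-supplied value is checked against the session
    state the server itself wrote. Returns (ok, message)."""
    try:
        submitted = int(post.get("submit_info", ""))
    except ValueError:
        return False, "submit_info is not an integer"

    # Core check: the INDEX in the POST must be the one this session was offered.
    # An edited button value or a proxy-modified POST fails here.
    if session.get("offered_exam") != submitted:
        return False, "submit_info does not match the exam offered to this session"

    students = session["offered_students"]
    marks = post.get("marklist[]", [])
    if len(marks) != len(students):
        return False, f"expected {len(students)} marks, got {len(marks)}"

    parsed = []
    for m in marks:
        try:
            value = int(m)
        except ValueError:
            return False, f"mark {m!r} is not an integer"
        if not 0 <= value <= 100:          # range assumed for the example
            return False, f"mark {value} out of range"
        parsed.append(value)

    # Parameterised INSERT: values never reach the SQL text.
    conn.executemany(
        "INSERT INTO marks VALUES (?, ?, ?)",
        [(submitted, s, v) for s, v in zip(students, parsed)],
    )
    conn.commit()

    # One-shot: clear the offer so the same form cannot be replayed.
    session.pop("offered_exam", None)
    session.pop("offered_students", None)
    return True, f"saved {len(parsed)} marks for exam {submitted}"


if __name__ == "__main__":
    db, sess = make_db(), {}
    form = render_form(db, sess, 4)
    # Tampered POST: button value edited to another row.
    print(handle_post(db, sess, {"submit_info": "1", "marklist[]": ["1", "2", "3", "4"]}))
    # Honest POST.
    print(handle_post(db, sess, {"submit_info": form["submit_info"],
                                 "marklist[]": ["90", "80", "70", "60"]}))
```

In a real application the GET handler would additionally check that the logged-in user is allowed to grade that exam before storing the offer in the session; the POST handler then inherits that authorization decision because it only accepts the INDEX the server itself recorded. A stateless variant is also possible (an HMAC over the INDEX and session id placed in a hidden field, verified on POST), but the session approach above is the one the answer describes and is what frameworks like Django give you for free.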