Let's say I have a POST form like this:

<form action="myApp/form_action.asp" method="post">
  First name: <input type="text" name="fname" /><br />
  Last name: <input type="text" name="lname" /><br />
  <input type="submit" value="Submit" />
</form>

So, let's say there is a really bad guy who wants to do something in my application. For example, my form_action.asp not only accepts the params "fname" and "lname", but also "gender". Can he/she make a request on their own, like this?

<form action="http://www.myDomain.com/myApp/form_action.asp" method="post">
  First name: <input type="text" name="fname" /><br />
  Last name: <input type="text" name="lname" /><br />
  Gender: <input type="text" name="gender" /><br />
  <input type="submit" value="Submit" />
</form>

*Update:* I don't want the user to submit the gender, because I don't want his/her gender to be modified after he/she has assigned it.

If he/she can submit this query, is there any way to prevent him/her from doing so? Thank you.

A: 

The reason you can't avoid it is that he doesn't need to make his own copy and submit it from another domain. He can easily modify your site live with JavaScript (e.g. Firebug) and send a fake request identical to a valid one.

galambalazs
+1  A: 

You cannot avoid this. Inputs coming from the client side are NEVER secure and can ALWAYS be tampered with.

You'll have to implement your checks server side, in the ASP file itself.

Konerak
A: 

If your form action file, i.e. form_action.asp, doesn't call for the $_POST['gender'] variable, I can't see how it would affect your script.

Make sure that you are sanitizing your variables though, so for first name and last name you would only really want to accept A-Za-z, space and maybe hyphens and apostrophes.

By doing this it doesn't really matter what they send to your form, because most of the tags, brackets etc. will be removed and any injected script won't run.

Make sure you also escape the variables before you enter them in your database. I use mysql_real_escape_string in PHP, but I don't know any ASP, so you will have to look it up.

Ken Greeff
Yeah, because you sure as hell don't want customers from Japan, China, India, Greece, Israel or Russia...
Michael Borgwardt
Sorry mate, was just an example...
Ken Greeff
+2  A: 

You're thinking about this the wrong way. Forget about HTML forms. They're not what your server handles. It handles HTTP requests.

And (pretty obviously) people can send you HTTP requests that contain whatever they want. Not just additional fields, but also fields with values that the form would not allow, or fields with names that are 5000 characters long and/or values that are that long.

So what you absolutely must do is define what constitutes valid input and reject input that isn't. In your case, it's pretty simple: if the form is not supposed to contain a "gender" field, then have the server ignore such a field, or abort with an error if it's present.

Usually you don't have to do anything to ignore fields. But you definitely have to write your app in such a way that it does not accept field values that are not valid.

Michael Borgwardt
I updated my question in a comment: I want a method where the user sets their gender, but after he/she has set it, I don't want him/her to change it again.
Tattat
@Tattat: the question then becomes ASP-specific. I'm pretty sure there is a way to not have submitted values automatically overwrite server-side data.
Michael Borgwardt
@Tattat: Then you can do this on the server. You can check to see if gender is set; if it is, throw an exception.
Douglas
OK, I get your point. Thank you very much.
Tattat
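An added example of the server-side check the answers describe, written in Python rather than the asker's classic ASP and not taken from the original page: the handler treats the request as raw HTTP form data, rejects any field the form is not supposed to send, caps lengths, and refuses a gender submission once one is already stored. The field whitelist, length caps, permitted gender values and the `stored_profile` dict are assumptions made for the example.

```python
from urllib.parse import parse_qs

# Fields the handler is willing to accept, each with a maximum length (assumed values).
ALLOWED_FIELDS = {"fname": 60, "lname": 60, "gender": 10}
# Permitted gender values (assumed); anything else is rejected outright.
ALLOWED_GENDERS = {"male", "female", "other"}


class InvalidRequest(ValueError):
    """Raised when the submitted body does not match what the form may send."""


def validate_submission(raw_body: str, stored_profile: dict) -> dict:
    """Parse an application/x-www-form-urlencoded body and return only the
    fields the application agrees to apply. The HTML form that produced the
    body is irrelevant: the server validates the HTTP request it received."""
    try:
        parsed = parse_qs(raw_body, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise InvalidRequest(f"malformed body: {exc}") from exc

    # Any field outside the whitelist is rejected, not just "gender".
    unknown = set(parsed) - set(ALLOWED_FIELDS)
    if unknown:
        raise InvalidRequest(f"unexpected field(s): {sorted(unknown)}")

    accepted = {}
    for name, values in parsed.items():
        if len(values) != 1:  # duplicate parameters are another form of tampering
            raise InvalidRequest(f"field {name!r} was sent {len(values)} times")
        value = values[0].strip()
        if len(value) > ALLOWED_FIELDS[name]:
            raise InvalidRequest(f"field {name!r} exceeds {ALLOWED_FIELDS[name]} characters")
        accepted[name] = value

    # Names are length-limited only; no A-Z restriction, so non-Latin names are fine.
    for required in ("fname", "lname"):
        if not accepted.get(required):
            raise InvalidRequest(f"missing required field {required!r}")

    if "gender" in accepted:
        if accepted["gender"] not in ALLOWED_GENDERS:
            raise InvalidRequest("gender is not one of the permitted values")
        # The asker's update: once a gender is stored, no further submission of it is accepted.
        if stored_profile.get("gender"):
            raise InvalidRequest("gender is already set and cannot be changed")

    return accepted
```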