views: 93

answers: 1

Suppose that I have a request handler that accepts an argument: key

And let the request be:

http://example.com/2323

When the handler receives a GET, the relevant data is fetched from the db based on this key, fed to a form and displayed. In the process, the value of key is put in a hidden input.

When it receives a POST, it has the key argument from the query string as well as the key from the hidden input, which are the same, provided that the user has not tampered with them.

I'd like to know whether it's the hidden input or the query string argument I should rely on when the data on the form is saved to the db. The problem is that the query string may be modified by the user prior to the post, just as the hidden input may be modified, since the page source is open to the user.

+9  A: 

Well, any data that you send to the client has the potential to be modified (it may not be trivial, but the possibility exists, nevertheless).

There are many options; query strings, hidden fields, cookies to name a few. Each of them suffers from this very drawback - the possibility that a malicious user may modify the data in those entities.

Your best bet is to use strong encryption. Whether it is the data in the hidden field or a cookie, it can be easily encrypted. Then when the request is received, it can be compared with the value existing before the earlier response and it can be decrypted with the reasonable faith that the data has not been tampered with. For a good example, you should research how ASP.NET Viewstate works.

So, to answer your question, you should rely on neither state persistence method without an additional security implementation. As they say, security through obscurity is not security at all.

Cerebrus
Very nice answer Cerebrus
roosteronacid
Why, thank you, @RoosterOnAcid! Quite a different and interesting website you got there. :-)
Cerebrus
Thanks, Cerebrus. I wonder if mechanisms similar to ASP.NET's ViewState exist in other languages, such as Python or PHP, or what measures they take to minimize this risk?
shanyu
@Cerebrus: Hehe, hopefully that was meant as a compliment? :)
roosteronacid
@RoosterOnAcid: It sure was a compliment. I did like the website design. ;-)
Cerebrus
+1 - A great answer overall.
Tim Post