I'm using MVC for my data entry form and I have the following div:
<div>
<label>Bar Code:</label>
#if (Model.GiftCardId == default(int))
{
#Html.TextBoxFor(model => model.BarCode)
}
else
{
#Html.TextBoxFor(model => model.BarCode, new { #readonly="readonly"})
}
</div>
Here, I'm making sure that if the user is entering a new gift card, an editable input is displayed to allow the user to enter a new bar code. But if the user is editing an existing gift card, the input must display as a readonly input. My question is: can the user alter the readonly attribute of the barCode input and allow himself to enter a different one? The BarCode field is not the primary key in the table but it must be unique. I use the GiftCardId field to identify the record. But then, what's to stop the user from changing the GiftCardId as well when submitting the form? How can this be controlled?
I understand this to be a security-related question: ie. can the user hack the form to do something with it that you didn't intend.
The answer is yes, a user can use tools like Firebug to interfere with the markup, thereby changing the readonly attribute.
You don't show how the GiftCardId is collected from the user. Assuming it is collected and validatated in a previous view / action method, a more secure approach would be to redirect to a different view depending on whether the GiftCardId is valid / new or not.
Edit after comments
A couple of suggestions.
Store the GiftCardId in session state rather than send it to the browser.
Use a one-way hashing function to generate a token from the GiftCardId and send it to the browser in a hidden field. Rehash the GiftCardId that is posted back and check that it matches the original hash. See this short article on creating an MD5 hash.
simple answer is "Yes", all request can be forged, that's why you should never trust user inputs and validate the user inputs on the server side.
What you can do really depends on what you needs and the implication of the GiftCardId been modified. Things you could do in addition to the server side validation,
1. hide the field instead of making it visible
2. encrypt the GiftCardId
Related
I have a form with a field named description that can be either a text box or a select list depending on the input of previous form fields. How this works is if the values of the previous fields are a common scenario, we populate the description field as a select list with values stored in the database. If there are no matching scenarios in the database the user is allowed to type in their own description.
If the input type is a select list the submitted value is an integer (in string form) that can be used to query the database to get the description from the database. Otherwise we just use the text value submitted via the text box.
My question is: Once the form is submitted is there any way of determining the input type of the description field?
In my controller I was hoping to do something like this:
if(InputType == "SelectList")
{
Description = model.Description;
}
else if (InputType == "TextBox")
{
Description = GetDescriptionFromDB(model.Description);
}
I have considered checking to see if the description field parses to an integer, but that will not work if the user types in an integer to the text box. This is an internal app used by trained people who are not likely to enter junk values, but I still don't like to use logic that is dependent on what the user types in. I have also considered using Javascript and a hidden field to pass along the input type, but I was hoping for a cleaner solution.
I am currently using modelbinding to get my submitted form values, but am open to other approaches.
Edit:
People are suggesting alternate approaches, most of which I have already considered. What I really want to know is whether information regarding input types are passed to the server when a form is posted or just data.
Why not just add a hidden field to the form that would track what type of input the description field is:
if(InputType == "SelectList")
{
DescriptionInput = MyEnum.SelectList;
Description = model.Description;
}
else if (InputType == "TextBox")
{
DescriptionInput = MyEnum.TextBox;
Description = GetDescriptionFromDB(model.Description);
}
<select name="sel">
<option class="default">Default</option>
</select>
Every Html Form Element in the form submit to server it's take it's value to server. If you choose the select then it's value are off-course going to server.
You just need to parse it and it will work.
If there are no matching scenarios in the database the user is allowed to type in their own description
I thing Queti's answer is correct. You can use hidden field and pass the ID of existing matching field.
Remember that this is unsafe so better option is you can check them on server too that is their anything exist in server or not. This way your code are sure for what input he make from user.
I am really new in cakephp. I want to know how to restrict the user from opening pages such as Users for example when the user changes the url. Well, I am not good at telling my own problems so here:
for example: the user id is 1 so when he viewed his own details it should be something like users/view/1, but i dont want that user to view user # 2 when he changes the url to users/view/2. I hope you undersand. Thanks in advance!
assuming you have the current looged in user data store in a session somewhere.
the idea is to compare it against the passed id in the url
---- in your UsersController.php
public function view($id){
if($this->Session->read('User.id') != $id ){
// cannot continue...
// possibly redirect....
}
}
The solution can be found via google:
http://www.dereuromark.de/2011/10/05/common-cakephp-problems-and-solutions/
Basically, you get the current id from session:
$uid = $this->Session->read('Auth.User.id');
And compare it against the record you are displaying/editing.
If they don't match, you throw a NotAllowedException().
Protip: Don't append the id for edit/view etc, if it's the user's own profile or if it can only be viewed by the owner.
Same way you obtain the ID above for validation, you can also use this session user id to get the correct record in the first place.
Also, don't put the id into the view (forms) - not even as hidden field - but inject it into the data array prior to saving/validating.
You can also see a current CakePHP 2.4 implementation here - which can also be seen/tested live via corresponding website.
In mvc, when submitted to a controller, how can I verify that a user hasn't maliciously changed readonly hidden form fields?
When displaying the form fields render a hidden field that contains a hash for the displayed values.
When receiving the post request hash the received data again and compare this hash to the value of the hidden field.
Two options I can think of:
Encrypt the fields when displaying them, then decrypt server side and use the value
Don't store sensitive information in hidden fields and instead store them in the session (recommended)
I am using a strongly typed model for my view. I have a disabled text box whose value I update using javascript. The textbox is rendered using this
<%: Html.TextBoxFor(model => model.TotalAmount, new { disabled = "disabled"})%>
This renders a textbox with NAME and ID as 'TotalAmount'. TotalAmount is also a property on my model that binds to this view.
The javascript to update its value in the view is like this within its function:
document.getElementById('TotalAmount').value = {assigning new value here};
The function does get called and I can see the value in the disabled textbox when I change some value in another editable textbox. However, when I post this form to my action method as below :
[HttpPost]
public ActionResult Process (ProcessVM FormPostVM)
{
}
the disabled textbox property [TotalAmount] still has the old value but the editable textbox which I modified contains the new value I entered. Why does the disabled textbox not contain the javascript updated value?
I tried using
ModelState.Remove("TotalAmount");
in the action method above, but as I already figured it didn't work.
Any clues, tips?
Thanks for your time....
HTML input elements such as textboxes that have the disabled="disabled" attribute will never send their values to the server when the form is submitted. If you want to send the value to the server while still disabling the user from changing it you could make the textbox readonly:
<%= Html.TextBoxFor(model => model.TotalAmount, new { #readonly = "readonly" }) %>
Disabled inputs are never sent in a form submit, try using readonly attribute instead or hidden inputs
Disabled fields don't get posted. Try having a hidden form field that will send the value to the server, and set both TotalAmount and the hidden form field. On the server, use the value for the hidden field instead.
On a side note, since this looks like the order total, this is something I would recalcuate on the server rather than opening up the possibility of someone hacking the html and getting a discount on their product.
EDIT:
To the other's points, I'd forgotten about the readonly attribute. That will work too.
If you change it to use readonly rather than disabled, then this should give you the same functionality, but post the value.
Browsers don't post values back in disabled input controls, as you've discovered. Probably the easiest way to work around this is to hook onto form submission, and re-enable the input as the form is being submitted; the user won't have a chance to edit the value, and it should get posted with the rest of the request.
i think the last issue described it : please check it out :
Retrieving the value of a asp:TextBox
I have the following model:
Customer:
ID
Name
Address
Phone
Fax
I added an Edit view based on the above model from the controller. I modified the Edit view to only allow edit on the Phone and Fax field (deleted the rest). When I submit it I get an error. It works if I leave the Edit view untouched (5 fields). However I only want to allow change in the last 2 fields.
I am lost, please help. Thanks :)
If you are using the MVC ability to populate your entity/class i.e. your action sig looks like this:
ViewResult MyAction(MyObject object) {
...
Save(MyObject);
}
then you'll need to make sure you include the other field, non-editable, either as visible information or using Html.Hidden within the form scope to ensure you have a fully populated object. Remember, the web is stateless and the server has no idea which record you were editing unless it has the keys to do so retrospectively.
The other option would be to retrieve the original object (for which you'll still need the primary key) from the database, update the fields from your form data and then submit the changes. We'd need to know the specific error to be able to help further, the code you are using would also be a great help.
Without knowing more I would guess it has something to do with binding null to a non null property in your model. Can you give me more details on the model, the error.
If you are using the default mvc model binder then it will only bind the fields you submit. So either submit as hidden or dont use a model binder and manually map the variable from Request.Form into a copy of the model you pulled form the db.