Hi Assassin

Thanks for taking the time to help me out with this. Sorry if my problem wasn't entirely clear. Let me go a little more in depth to try to clarify the points with some additional / revised coding examples, and I'll respond to your answers as well.
The code involved is over two pages; one that represents the user sending a request, and the other that represents the user receiving the request, and updating the appropriate information. Thus, the information can actually be inserted into the form from any page using $_GET, leaving that page theoretically insecure to even a simple link outside of the site, even if there were no Javascript intervention. To prevent that, I use an sha1() hash that is generated within the site, and appended to the list, preventing forgeries from outside generation.
However, the user can edit their own page (like a personal blog, myspace, whatever), and they are allowed to use Javascript (I know many of you are probably wondering wtf is wrong with me upon saying that). So on their page, they could create a script that sends this information, but could also (presumably) force-submit that information once they've redirected you back to that page with the appropriate scripting.
For Server Side validation, I have the authenticity of information validated by a hash variable that is sent by another page that is generating the information for it, which is received through $_GET.
Code:
$point_type = "number_of_rocks";
$increment_number = 10;
$from_user = "Joe";
$user_pass = "xyz";
// Assume that the three variables above can be edited.
$hash = sha1($point_type . $increment_number . $from_user . $user_pass);
echo "
<div><a href='next_page.php?pType=" . $point_type . "&user=" . $from_user . "&inc=" . $increment_number . "&hash=" . $hash . "'>Link</a></div>";
Now, you click on the link from the other page, and receive the information on the second page.
Code:
if(isset($_POST['submit'])) {
    // Whitelist of point types that may be incremented
    $checkPoints = array('number_of_rocks' => 1, 'number_of_plates' => 1, 'number_of_pencils' => 1);
    if(isset($checkPoints[$_POST['point_type']])) {
        if(($_POST['increment_points'] + 0) < 500)
        {
            // Check User's Password: the stored password is the secret the link hash was built from
            $query = "SELECT pass FROM user WHERE username='" . protectSQL($_POST['user']) . "' LIMIT 1";
            $res = mysql_query($query);
            $fetch_pass = '';
            if(mysql_num_rows($res) > 0) {
                // mysql_fetch_assoc() returns an array, so take the column rather than the array
                $row = mysql_fetch_assoc($res);
                $fetch_pass = $row['pass'];
            }
            // Test Hash: recompute it from the submitted fields and compare with the one in the URL
            if($_GET['hash'] == sha1($_POST['point_type'] . $_POST['increment_points'] . $_POST['user'] . $fetch_pass))
            {
                // Submit SQL
                $query = "INSERT INTO `table` ( `point_type`, `inc` ) VALUES ( '" . protectSQL($_POST['point_type']) . "', '" . ($_POST['increment_points'] + 0) . "' )";
                mysql_query($query);
                echo "You submitted the entry.";
            }
        }
    }
}
if($_SESSION['logged_in'] == true) {
    // method='post' is needed, otherwise the fields arrive in $_GET and the handler above never runs;
    // the link sends the point type as pType, so that is the parameter to pre-fill from
    echo "
<form action='thispage.php?user=" . cleanString($_GET['user']) . "&hash=" . cleanString($_GET['hash']) . "' method='post'>
<input type='text' name='point_type' value='" . cleanString($_GET['pType']) . "' /><br />
<input type='text' name='increment_points' value='" . ($_GET['inc'] + 0) . "' /><br />
<input type='submit' name='submit' value='Submit' />
</form>";
}
My question is, what happens when somebody adds a script to that first page that runs this:
Code:
// Assume the hash has all the correct variables
$hash = sha1($point_type . $increment_number . $from_user . $user_pass);
<body onLoad='javascript: var getDiv=document.getElementsByTagName('div')[0].innerHTML; var hash = a.substring(a.indexOf("&hash=" + 6, a.indexOf("Link") - 1); window.location("http://thesiteabove.com/yourform.php?hash=" + hash + "&user=Joe"); document.getElementsByTagName('input')[0].value='number_of_rocks'; document.getElementsByTagName('input')[1].value='450'; document.forms[0].submit();
echo "
<div><a href='next_page.php?pType=" . $point_type . "&user=" . $from_user . "&inc=" . $increment_number . "&hash=" . $hash . "'>Link</a></div>";
The point of the script is to get the information you need on the first page, redirect the user to their own page (where they will be logged into the site, bypassing the Server Side preventions), input the desired information into the form, and then submit the form using the Javascript submit() function. (( As opposed to the preferable alternative, where the user is redirected to his page, but is then given the option of submitting the form or not, after considering the values. ))
Does this make sense?
My original question, then, is what is stopping anyone from doing this. I have managed to redirect the page to the form, bypassing the login issue, but the submit() function doesn't work after redirection (thus far). I'm not sure why, and I'm looking for a reason so that I can understand the security measures behind it.
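Added example (an editor's illustration, not the poster's code or a reply in the thread): the server-side check the thread is circling around is a per-session anti-forgery token. The sha1() in the posted code is built only from values that travel in the link plus the password, so whoever holds the link also holds a valid hash; it proves the link was generated by the site, not that the logged-in user meant to submit the form. The token below is random, stored in the session, echoed into the form as a hidden field, and compared in constant time on POST. The function names csrf_token(), csrf_check() and sign_link(), the session key, the sig parameter and the LINK_SECRET placeholder are assumptions; PHP 7 or later is assumed for random_bytes() and hash_equals().

```php
<?php
// Added example, not the poster's code. Assumed names: csrf_token(), csrf_check(),
// sign_link(), the 'csrf_token' session key and the LINK_SECRET placeholder.
session_start();

// One random token per session, reused for every form rendered in that session.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check leaks nothing about the stored token.
function csrf_check($submitted) {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Sign the link parameters with a server-side secret instead of the user's
// password, so verifying a link never needs the password at all.
define('LINK_SECRET', 'PLACEHOLDER-replace-with-a-long-random-server-side-secret');
function sign_link($point_type, $inc, $user) {
    return hash_hmac('sha256', $point_type . '|' . $inc . '|' . $user, LINK_SECRET);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $allowed    = array('number_of_rocks' => 1, 'number_of_plates' => 1, 'number_of_pencils' => 1);
    $point_type = isset($_POST['point_type']) ? $_POST['point_type'] : '';
    $inc        = isset($_POST['increment_points']) ? (int)$_POST['increment_points'] : 0;
    $user       = isset($_POST['user']) ? $_POST['user'] : '';
    $sig        = isset($_POST['sig']) ? $_POST['sig'] : '';

    // 1. The request must carry the token that this session was issued.
    if (!csrf_check(isset($_POST['csrf']) ? $_POST['csrf'] : '')) {
        http_response_code(403);
        exit('Request was not issued by this session.');
    }
    // 2. Whitelist and range checks, as in the posted handler.
    if (!isset($allowed[$point_type]) || $inc < 1 || $inc >= 500) {
        exit('Invalid point type or amount.');
    }
    // 3. The link parameters must still match the site's own signature.
    if (!hash_equals(sign_link($point_type, $inc, $user), $sig)) {
        exit('Link signature does not match.');
    }
    // Apply the increment here with a prepared statement (PDO or mysqli).
    echo 'You submitted the entry.';
    exit;
}

// Render the form: the signed link parameters plus the session token as hidden fields.
$point_type = isset($_GET['pType']) ? $_GET['pType'] : '';
$inc        = isset($_GET['inc']) ? (int)$_GET['inc'] : 0;
$user       = isset($_GET['user']) ? $_GET['user'] : '';
$sig        = isset($_GET['sig']) ? $_GET['sig'] : '';
$h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
echo "<form action='thispage.php' method='post'>
<input type='hidden' name='csrf' value='" . $h(csrf_token()) . "' />
<input type='hidden' name='user' value='" . $h($user) . "' />
<input type='hidden' name='sig' value='" . $h($sig) . "' />
<input type='text' name='point_type' value='" . $h($point_type) . "' /><br />
<input type='text' name='increment_points' value='" . $inc . "' /><br />
<input type='submit' name='submit' value='Submit' />
</form>";
```

Two caveats for this thread's setup. First, a request assembled by a page on another site cannot include the token, because that page never sees the session's form, which is what stops a plain link or an off-site form from posting on the user's behalf. Second, the token does not cover the case the poster actually describes: a member page that is served from the same site and allowed to run arbitrary JavaScript is same-origin with the form, and same-origin script can read the hidden field and submit the form. No token or hash closes that; the fix there is not letting untrusted JavaScript run on the site's own origin (or serving those pages from a separate origin).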