After I knew how to ensure image loading. Bypassing form input fields for uploading unwanted files , I would like to give another example of 2 submitted files, one of them is hidden.
SQL table (id, name, jod, number)
CREATE TABLE `users` ( `id` bigint(20) unsigned NOT NULL auto_increment, `name` varchar(255) default '0', `job` varchar(255) default NULL, `number` varchar(255) default NULL ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Form code (support member will edit his own information)
<form action="send.php" method="post" name="send" id="send"> <input type="text" name="name" id="name" value="John"/> <input type="text" name="job" id="job" value="Plumber"/> <input type=hidden name="number" id="number" value="1234"/> <input type="Submit" name="Submit" value="Submit"/> </form>
Subsequently, the firefox extension appeared, which can bypass various input data on the server side, bypassing verification and can cause great damage, so here it can stop the entire process and make it possible to change the value of the hidden table number for any type value="1" , which causes information about update for member, there is value number 1 .
This extension works as follows: it can fake input before transferring it to the server.
PHP Code Send.php
if(isset($_POST['send'])){ $name = mysql_real_escape_string($_POST[name]); $job = mysql_real_escape_string($_POST[job]); $number = mysql_real_escape_string($_POST[number]); $sql= "update users SET name='$name',job='$job' WHERE number='$number'"; mysql_query($sql) or die("query failed: $sql".mysql_error()); echo "Update Done"; } else { echo "Nothing to update"; }
Question How then to protect this simple form from such an input form? ~ Thanks
these problems really hurt because it made my site free to hack :)