PHPFixing

Saturday, July 16, 2022

[FIXED] How to create a form where input elements are already set but one must remain fixed?

html, php, web-deployment

Issue

I am feeding my forms preset data values from another file in an MVC application. One of the data set attributes, the ID, is to remain fixed and cannot be updated. Only the names, phone numbers, etc. can be updated. My issue is that I need to have something set with this that I can submit, just like the other preset data; however, unlike the other preset data, I cannot put this in a form as a user may change it.

  <form action="crud.ctrl.php?act=update" method="post">
      <label>ID: <?=$data1["id"]?></label> <br /><br>
      <label>First Name:</label> <br><input type="text" name="fnameUP" id="fnameUP" value="<?= $data1["fname"] ?>"> <br />
      <label>Last Name:</label> <br><input type="text" name="lnameUP" value="<?= $data1["lname"] ?>"> <br />
      <label>Phone:</label> <br><input type="text" name="phoneUP" value="<?= $data1["phone"] ?>"> <br />
      <label>Email:</label> <br><input type="text" name="emailUP" value="<?= $data1["email"] ?>"> <br />
      <label>Location:</label> <br><input type="text" name="locationUP" value="<?= $data1["location"] ?>"> <br />
      <label>MC:</label> <br><input type="text" name="mcUP" value="<?= $data1["mc"] ?>"> <br />
      <label>Position:</label> <br><input type="text" name="posUP" value="<?= $data1["pos"] ?>"> <br />
      <label>Department:</label> <br><input type="text" name="deptUP" value="<?= $data1["dept"] ?>"> <br />
      <input type="submit">
    </form>

Solution

One way to solve this issue would be to have another unique column in the original table. For example, you could 'salt' the ID and hash that, or use some other way of creating a string long enough to prevent the user from guessing any of the existing "IDs".

And then just include that column in the form as a hidden input field, for example:

<input type="hidden" name="custom_id" value="<?=$data1["custom_id"]?>">

That way, even if the user does mess with the ID, there is a very small chance for him to be able to change another record. The more complex your hashing, the smaller the chance.

If that is not secure enough, my next idea would be to have another column/table in the database where you generate a hash when retrieving the data that will be shown in the form, and only allow updating the records that have that value set. That way, the only "editable" rows are the ones where someone requested the edit form in the last X minutes.



Answered By - flynorc
Answer Checked By - Clifford M. (PHPFixing Volunteer)
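
A variant of the answer's two ideas, as an added example that is not part of the original answer: rather than storing a salted hash in an extra column, the server signs the ID together with an expiry time using HMAC-SHA256, so a changed ID or a stale form is rejected. The secret `FORM_SECRET`, the lifetime `FORM_TTL` and both function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Assumption: a long random secret loaded from server configuration, never sent to the browser.
const FORM_SECRET = 'replace-with-32-random-bytes-from-config';
// Assumption: how long an issued edit form stays valid, in seconds (the answer's "X minutes").
const FORM_TTL = 600;

// Build the hidden-field value "id.expiry.mac" when the edit form is rendered.
function issueRecordToken(int $id, ?int $now = null): string
{
    $expires = ($now ?? time()) + FORM_TTL;
    $mac = hash_hmac('sha256', $id . '.' . $expires, FORM_SECRET);
    return $id . '.' . $expires . '.' . $mac;
}

// Return the record ID if the token is authentic and unexpired, otherwise null.
function verifyRecordToken(string $token, ?int $now = null): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null; // malformed value
    }
    [$id, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $id . '.' . $expires, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null; // ID or expiry was altered in the browser
    }
    if ((int) $expires < ($now ?? time())) {
        return null; // the form was requested too long ago
    }
    return (int) $id;
}

// Constructed demonstration with a fixed clock value.
$t0 = 1657929600;
$token = issueRecordToken(42, $t0);
var_dump(verifyRecordToken($token, $t0 + 60));   // untouched token, submitted in time
$forged = '43' . substr($token, 2);              // user swaps the ID for another record
var_dump(verifyRecordToken($forged, $t0 + 60));
var_dump(verifyRecordToken($token, $t0 + 601));  // same token, submitted after expiry
```

In the form, the value of the hidden `custom_id` field would be `issueRecordToken((int) $data1["id"])` passed through `htmlspecialchars()`, and the update handler would call `verifyRecordToken($_POST['custom_id'])` and use only the ID it returns. The token only proves the ID was not changed; the handler still has to check that the logged-in user is allowed to edit that record.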