How be secure when using user sensitive data in textareas and pass them to javascript/ajax
I have the following code
<textarea class="input" id="input" onkeypress="ifenter(event,'<?php echo $id ?>"></textarea>
Obviously in this case the $id is vulnerable and anyone using simply firebug can alter the $id and send an different variable. How should I act here? I'm stuck and no开发者_开发百科 ideas come to mind at the moment.
Should I hash it? And if I do that, how can I unhash it? By encrypting it using an algorithm, it would be hackable don't you think?
You need to sign this ID with a secret. Lets say that you have an ID $id
and a secret known only by the server $secret
, then instead of putting only <?php echo $id ?>
you would put:
<?php echo $id + "some delimiter" + hash($id, $secret) ?>
Where hash()
is some hash function, like MD5 or SHA-1. Then, you can check on the server if by concatenating the ID and the secret you get the same hash. If yes, everything is fine, if no, somebody has changed the ID.
This is the simplest way. There are already some better (harder to crack) solutions, like HMAC.
Edit: Also, depending on what this ID is, you should consider if you're doing the right thing. If it's a user ID, you could use sessions instead, if it's some other resource ID, you should instead check if the logged in user has permissions to modify this resource.
精彩评论