problem with "inspect element"

Viewed 860 times

1

Friends;

I am developing an application and have a manager where I list the database records. The information is arranged in a table and I have a checkbox for selecting the records that can be edited or deleted. That way:

<input name="selecionados[]" id="110" class="iCheck" type="checkbox">

id is the primary key of the record. What happens to me is that if I modify the id value through "inspect element" I can change or delete any record in the database, which could cause a big problem. To delete I’m using jQuery and $.post. I could encrypt the id value and make it a little harder for anyone who wants to bypass the system. But what I’d like to know is whether there’s a way to take the original value in the HTML and not the value edited through "inspect element"?

  • The value from "Inspect element" is the HTML value, because this browser feature allows you to change precisely the HTML, which is what you see. You could pass the encrypted value and/or do a check before performing the action.

1 answer

1

Actually it is not a problem, but it would be if the user manipulated the value of id="110" and changed a record that they are not allowed to change.

Assuming the system only allows the user to edit their own posts, user X can only change their own content: id="1", id="2", id="3". If user X manipulates the input and tries to edit id="4", the system must validate the action and block it.

Along the same lines as the example above, if user X manipulates the input among the id values that are their own, it should not be interpreted as an error. There are N ways to select an id: it can be via a select input, radio, checkbox... If it does not cause undue access, inspecting an element is nothing more than an 'alternate interface'.

It is up to you to consider whether inspecting an element and changing the id would cause improper access or would just select a valid item within a list of accepted options.

Describe your case further if possible. We can help you better.

  • I took care to display and manipulate the data only for the logged-in user. The "handler" would have no possibility of altering or deleting another user’s data. But this particular case involves products and tax movements. So deleting a record could affect the totals if the deleted record was not part of the movement being displayed.

  • "the deleted record was not part of the movement being displayed": this passage leads me to believe that your problem is validation. What other references are you using to ensure the action?

  • 1

    Yes. It could be. Your comment gave me a great insight. It actually solved the problem. I have an entity called movement and, associated with it, a table called movement_items. I need to make sure that when changing or deleting an item, it belongs to the movement in question. If there is editing through the inspector, there will be no possibility of changing other users' movements. Thank you!
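As an added illustration of the conclusion reached in this thread (this is example code, not code from the question or the answer), here is a server-side version of the "delete selected items" handler in two forms: one that trusts the `selecionados[]` ids posted by the browser, and one that re-checks on the server that each id belongs to the movement the logged-in user is editing. The table names `movement` and `movement_items` follow the asker's last comment; the data, the user names and the function names are constructed for this example.

```javascript
// Added example (not from the original question or answer): server-side
// authorization of the ids posted from the checkboxes discussed above.
// All data below is constructed in memory so the example runs offline.

// Constructed "movement" rows: two users, each owning one movement.
const movements = [
  { id: 1, ownerId: 'alice' },
  { id: 2, ownerId: 'bob' },
];

// Constructed "movement_items" rows: the records the checkboxes (id="110", ...) refer to.
let movementItems = [
  { id: 110, movementId: 1, amount: 10 },
  { id: 111, movementId: 1, amount: 20 },
  { id: 112, movementId: 2, amount: 30 },
];

// Returns the item ids the server knows belong to (userId, movementId), or null
// when the movement is not owned by that user. Both arguments come from the
// server-side session and routing, never from the posted form.
function itemsOwnedBy(userId, movementId) {
  const movement = movements.find((m) => m.id === movementId);
  if (!movement || movement.ownerId !== userId) return null;
  return movementItems
    .filter((it) => it.movementId === movementId)
    .map((it) => it.id);
}

// Vulnerable handler: deletes whatever ids the browser posted.
// Changing id="110" to id="112" in the inspector deletes another user's record.
function deleteItemsUnsafe(postedIds) {
  const ids = postedIds.map(Number);
  movementItems = movementItems.filter((it) => !ids.includes(it.id));
  return ids;
}

// Hardened handler: the posted ids are only a selection. The server re-derives
// the set of ids that are valid for this user and this movement and refuses
// the whole request if any posted id falls outside that set.
function deleteItemsSafe(sessionUserId, movementId, postedIds) {
  const ids = postedIds.map(Number);
  const allowed = itemsOwnedBy(sessionUserId, movementId);
  if (allowed === null) {
    return { ok: false, reason: 'movement not owned by user', rejected: ids };
  }
  const rejected = ids.filter((id) => !Number.isInteger(id) || !allowed.includes(id));
  if (rejected.length > 0) {
    // A rejected id here means a tampered form, not a normal user mistake;
    // a real handler would log it alongside the session user.
    return { ok: false, reason: 'id outside current movement', rejected };
  }
  movementItems = movementItems.filter((it) => !ids.includes(it.id));
  return { ok: true, deleted: ids };
}

// Helper so the effect of each handler on the table can be inspected.
function remainingItemIds() {
  return movementItems.map((it) => it.id);
}

// Usage: alice is editing movement 1 and the form was edited to include 112.
console.log(deleteItemsSafe('alice', 1, ['110', '112']));
// -> { ok: false, reason: 'id outside current movement', rejected: [ 112 ] }
```

The check does not depend on how the id reached the server (checkbox, radio, select, or a value typed into the inspector), which is the point the answer makes: an id inside the user's own movement is a valid selection, an id outside it is rejected regardless of the interface used.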
