Ways to prevent dubious database entries

webbusteruk , December 01 2018
webbusteruk 81
December 01 2018 #381933
Hi, we've searched the forums but are unable to find a relevant thread regarding this.
On our website we have a basic form with pre-filled hidden fields. These fields have the attributes value="anyvalue" and type="hidden" in the frontend form, and when submitted an entry will be saved in the database table with these field values. E.g., one of these hidden fields is the submitting user's userid.
However, it is possible to alter the value of these hidden fields (e.g. by using "Inspect" in the Chrome browser) before submitting them; in effect, a user is able to save an entry in the database with a different userid.
What are the ways to prevent such "hacks"? We thought validation might be the way to go (check that the submitted data matches the pre-filled data for these fields), but we're unsure how to go about this. Or is there a simpler way of doing this that we're missing?
webbusteruk 81
December 01 2018 #381934
Sorry, somehow we are unable to edit the original post.
We know we could just not display the hidden fields in the form and put this data in Save Data under "Data override on Insert"; however, some of these fields are displayed to the user for them to check (e.g. First name and Last name) prior to submission (but not to edit).
GreyHead 63.2
December 01 2018 #381935
 Answer
Hi webbusteruk,
If they are not to be displayed then don't include them in the form - you can either save them in the User Session until the form is submitted, or look them up again.
If the data is to be displayed but not editable then show it as text using HTML; or set the inputs to disabled so that they will display but not submit.
As a double check, use a Custom code action on submit to delete any form data that should not be there.
Bob
ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much
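The approach in the answer above (take identity from the session, look profile data up again on the server, display it as text or a disabled input, and discard any submitted field that should not be there), as an added example in plain PHP. This is not ChronoForms code and uses none of its API: the session key `userid`, the `lookup_user()` stand-in for a user-table query, the `EDITABLE_FIELDS` whitelist and the sample POST are all assumptions constructed for the example.

```php
<?php
// Added example (not ChronoForms code): a plain-PHP submit handler that does
// not trust client-supplied identity or profile fields.
// Assumptions (hypothetical): the session holds the logged-in user's id, and
// lookup_user() stands in for a query against the real user table.
declare(strict_types=1);

// Fields the form legitimately lets the user edit. Everything else in the
// POST body is dropped: a whitelist, so a forged "userid" or "firstname"
// never reaches the record even if it was added with browser devtools.
const EDITABLE_FIELDS = ['subject', 'message'];

// Stand-in for a database lookup of the user's profile (constructed data).
function lookup_user(int $userid): ?array
{
    $users = [
        42 => ['firstname' => 'Spidey', 'lastname' => 'Parker'],
    ];
    return $users[$userid] ?? null;
}

// Keep only whitelisted keys from the submission.
function filter_submission(array $post, array $allowed): array
{
    return array_intersect_key($post, array_flip($allowed));
}

// Build the record to insert. Identity and profile values come from the
// session and the server-side lookup; array_merge lets them override
// anything with the same name that survived the whitelist.
function build_record(array $post, array $session): array
{
    if (!isset($session['userid'])) {
        throw new RuntimeException('not logged in');
    }
    $userid = (int) $session['userid'];
    $user = lookup_user($userid);
    if ($user === null) {
        throw new RuntimeException('unknown user');
    }
    $clean = filter_submission($post, EDITABLE_FIELDS);
    return array_merge($clean, [
        'userid'    => $userid,
        'firstname' => $user['firstname'],
        'lastname'  => $user['lastname'],
    ]);
}

// Render read-only profile data for the user to check before submitting.
// Escaped plain text, or a disabled input, is shown but not posted back,
// so there is nothing client-side to tamper with.
function render_readonly(string $label, string $value): string
{
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>{$label}: {$v}</p>\n"
         . "<input type=\"text\" value=\"{$v}\" disabled>\n";
}

// Demo: a POST in which the user edited the hidden fields in devtools
// (constructed input).
$tampered_post = [
    'subject'   => 'hello',
    'message'   => 'world',
    'userid'    => '999',      // forged
    'firstname' => 'Mallory',  // forged
];
$session = ['userid' => 42];

$record = build_record($tampered_post, $session);
print_r($record);   // userid and names come from the server, not the POST
echo render_readonly('First name', $record['firstname']);
```

Comparing the submitted value against the pre-filled one, as the original post considers, does not help here: the client controls both copies. The only values worth trusting are the ones the server never sent out for editing in the first place.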
healyhatman 4.4
December 01 2018 #381943
In your Save Data action, under Data Provider, have you written "{data:}" ? If so, remove it and leave it blank.
Web developer at SkySpider.com.au
I don't work for ChronoEngine but I do accept donations paypal.me/healyhatman

You can now copy+paste code from forums
webbusteruk 81
December 04 2018 #381996
@GreyHead - Actually we just figured that out after posting this as well; we hadn't thought of using HTML to display variables :doh:
@healyhatman - That's a good idea. Thanks! However, we wanted to save those fields in the database as well, to be displayed in another table elsewhere.
webbusteruk 81
December 04 2018 #381997
Btw, is the edit post feature broken? Can't seem to edit previous posts.
Edit: seems to be working now.
healyhatman 4.4
December 04 2018 #381998
No problem. If you put something in the Data Provider, it will try to add any matching field's data to the query.
webbusteruk 81
December 04 2018 #382006
Sorry, another question.
So currently we have a read_data under the Load tab to display the user details on the form using HTML, and a second read_data under the Submit tab to retrieve variables to be saved into the database when the user submits the form.
Is that the right way to do it, or is there a simpler way? E.g., can the data from the Load tab's read_data be saved into the database without displaying it (as fields) on the form itself?
healyhatman 4.4
December 04 2018 #382007
Sure. Better that way, otherwise the user could change the fields. But why are you reading data and saving it to the database again?
webbusteruk 81
December 04 2018 #382008
The read_data under the Load tab is to display it on the form (but not let the user edit it). As it is displayed using HTML, it is not saved with the form when submitted.
The read_data under the Submit tab is to read the user details (from a different database) and save them into the ChronoForms form's database. Subsequently the form's database is displayed on a page using CC. We understand the other way to do it would be to load the user details using CC and display them then, but we figured it would make it easier for us to find a specific entry in the form's database if there are user details attached to it.
On an unrelated question, how does one access a variable using PHP?
$this->get("save_data6.aid");
accesses the saved data's fields;
$this->data('fieldname');
accesses the submitted field data;
but how do we access read_data's fields? It's in a multidimensional array:
Array
(
[read_data6] => Array
(
[var] => Array
(
[0] => Array
(
[CBUser] => Array
(
[firstname] => Spidey
)

)

)

)

)
Tried $this->get("read_data6.var.0.CBUser.firstname") but it doesn't work.
Edit: Nvm, "var" is not required in that. $this->get("read_data6.0.CBUser.firstname") worked.
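A dot-path lookup over a nested array of the shape in the print_r dump above, as an added example in plain PHP. It is not ChronoForms code and does not reproduce its $this->get() implementation; it assumes, as the poster found, that the rows are stored directly under the action name with no "var" level. The sample array is constructed from the dump.

```php
<?php
// Added example (not ChronoForms code): walk a nested array by a dot path,
// returning a default instead of raising a notice when a segment is missing.
declare(strict_types=1);

function get_path(array $data, string $path, $default = null)
{
    $node = $data;
    foreach (explode('.', $path) as $key) {
        // Numeric segments such as "0" match integer keys: PHP normalises
        // the string "0" to the int key 0 in array_key_exists.
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return $default;
        }
        $node = $node[$key];
    }
    return $node;
}

// Constructed sample mirroring the dump in the thread, with the rows sitting
// directly under the action name (assumption: no "var" wrapper).
$vars = [
    'read_data6' => [
        0 => ['CBUser' => ['firstname' => 'Spidey']],
    ],
];

// The path that worked for the poster.
echo get_path($vars, 'read_data6.0.CBUser.firstname'), "\n";

// The path that did not: the "var" segment is absent, so the lookup falls
// through to the default rather than emitting an undefined-index notice.
var_dump(get_path($vars, 'read_data6.var.0.CBUser.firstname', 'missing'));
```

Returning a default on a missing segment matters in a submit handler: a lookup that yields null should be treated as "no user found" and stop the save, not be written to the table as an empty name.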
GreyHead 63.2
December 05 2018 #382023
Hi webbusteruk,
Please see the third paragraph of the Request Data section in this FAQ
Bob