
Ways to prevent dubious database entries

webbusteruk 01 Dec, 2018
Hi, we've searched the forums but unable to find a relevant thread regarding this.

On our website we have a basic form with pre-filled hidden fields. These fields have the attributes value="anyvalue" and type="hidden" on the frontend form, and when submitted an entry will be saved in the database table with these field values. E.g., one of these hidden fields is the submitting user's userid.

However, it is possible to alter the value of these hidden fields (e.g. by using "Inspect" in the Chrome browser) before submitting them - in effect, a user is able to save an entry in the database with a different userid.

What are the ways to prevent such "hacks"? We thought validation might be the way to go (check that submitted data matches the pre-filled data for these fields), but we're unsure how to go about this. Or is there a simpler way of doing this that we're missing?
webbusteruk 01 Dec, 2018
Sorry somehow we are unable to edit the original post.

We know we could just not display the hidden fields in the form and put this data in Save Data under "Data override on Insert"; however, some of these fields are displayed to the user for them to check (e.g. First name and Last name) prior to submission (but not to edit).
GreyHead 01 Dec, 2018
Answer
Hi webbusteruk,

If they are not to be displayed then don't include them in the form - you can either save them in the User Session until the form is submitted, or look them up again.

If the data is to be displayed but not editable then show it as text using HTML; or set the inputs to disabled so that they will display but not submit.

As a double check, use a Custom code action on submit to delete any form data that should not be there.

Bob
healyhatman 01 Dec, 2018
In your Save Data action, under Data Provider, have you written "{data:}" ? If so, remove it and leave it blank.
webbusteruk 04 Dec, 2018
@GreyHead - Actually we just figured that out after posting this as well, hadn't thought of using HTML to display variables :doh:

@healyhatman - That's a good idea. Thanks! However, we wanted to save those fields in the database as well to be displayed in another table elsewhere.
webbusteruk 04 Dec, 2018
Btw, is the edit post feature broken? Can't seem to edit previous posts..

Edit: seems to be working now.
healyhatman 04 Dec, 2018
No problem. If you put something in the Data Provider, it will try to add any matching field's data to the query.
webbusteruk 04 Dec, 2018
Sorry, another question.

So currently we have a read_data under the load tab to display the user details on the form using HTML, and a second read_data under the submit tab to retrieve variables to be saved into the database when the user submits the form.

Is that the right way to do it, or is there a simpler way? E.g., can the data from the load tab's read_data be saved into the database without displaying it (as fields) on the form itself?
healyhatman 04 Dec, 2018
Sure. Better that way, otherwise the user could change the fields. But why are you reading data and saving it to the database again?
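Putting GreyHead's advice above (take identity fields from the session or look them up again, and strip anything on submit that should not be there) and healyhatman's point (do not let the form carry fields the user could change) into code, as an added example that is not from this thread or from the ChronoForms project: plain PHP with no framework dependency, using ordinary arrays in place of the submitted form data and the logged-in session so it runs stand-alone. In a ChronoForms Custom Code action you would read the submitted data with $this->data('fieldname'), as shown later in this thread, instead of $_POST. The constant names, trustedUser(), buildRow(), unexpectedFields() and the sample session and submission data are all assumptions made for illustration.

```php
<?php
// Added example, not code from the ChronoForms project or from this thread.
// Principle: anything the browser can edit (hidden inputs, disabled inputs,
// text shown in HTML) is untrusted. The server decides which fields may be
// written and takes identity fields from the session, never from the form.

// Fields the user is genuinely allowed to supply (assumed names).
const USER_EDITABLE_FIELDS = ['message', 'phone'];

// Fields the server must supply itself; submitted values are discarded.
const SERVER_ONLY_FIELDS = ['userid', 'firstname', 'lastname'];

/**
 * Look up the user's record from a trusted source. The session array is used
 * here; a database read keyed by the session's user id works the same way.
 * Returns null if the visitor is not logged in.
 */
function trustedUser(array $session): ?array
{
    if (empty($session['userid'])) {
        return null;
    }
    // Hypothetical shape; adapt to wherever the site stores user details.
    return [
        'userid'    => (int) $session['userid'],
        'firstname' => (string) ($session['firstname'] ?? ''),
        'lastname'  => (string) ($session['lastname'] ?? ''),
    ];
}

/**
 * Build the row that will be saved. $submitted is the raw form data, which
 * may have been tampered with in the browser. Keys outside the editable list
 * are dropped, and server-only fields are filled from the trusted record.
 */
function buildRow(array $submitted, ?array $user): array
{
    if ($user === null) {
        throw new RuntimeException('Not logged in; refusing to save.');
    }

    $row = [];
    // Whitelist: copy only the fields a user may edit.
    foreach (USER_EDITABLE_FIELDS as $name) {
        if (array_key_exists($name, $submitted)) {
            $row[$name] = trim((string) $submitted[$name]);
        }
    }
    // Server-only fields always come from the trusted record.
    foreach (SERVER_ONLY_FIELDS as $name) {
        $row[$name] = $user[$name];
    }
    return $row;
}

/**
 * The "double check" GreyHead suggests: report submitted keys that were not
 * expected at all, so the attempt can be logged before the data is deleted.
 */
function unexpectedFields(array $submitted): array
{
    $allowed = array_merge(USER_EDITABLE_FIELDS, SERVER_ONLY_FIELDS);
    return array_values(array_diff(array_keys($submitted), $allowed));
}

// --- Demonstration with constructed input (stands in for $_SESSION/$_POST) --
$session = ['userid' => 42, 'firstname' => 'Spidey', 'lastname' => 'Parker'];

// A tampered submission: userid changed via "Inspect", an extra key added.
$submitted = [
    'userid'    => '1',
    'firstname' => 'Spidey',
    'lastname'  => 'Parker',
    'message'   => 'hello',
    'admin'     => '1',
];

$row = buildRow($submitted, trustedUser($session));
print_r($row);                         // userid is taken from the session
print_r(unexpectedFields($submitted)); // keys to log and then discard
```

Note that the whitelist makes the hidden inputs redundant: whether the names are shown as plain HTML, as disabled inputs, or not shown at all, the saved row is built from the session record, so editing the page in the browser changes nothing that reaches the database.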
webbusteruk 04 Dec, 2018
The read_data under load tab is to display it on the form (but not let the user edit). As it is displayed using HTML, it is not saved in the form when submitted.

The read_data under submit tab is to read the user details (from a different database) and save them into chronoforms form's database. Subsequently the form's database is displayed on a page using CC. We understand the other way to do it would be to load the user details using CC and display it then, but we figured it'll make it easier for us to find a specific entry in the form's database if there are user details attached to it.

On an unrelated question, how does one access a variable using PHP?
$this->get("save_data6.aid");
accesses the saved data's fields;
$this->data('fieldname');
accesses the submitted field data;

but how do we access read_data's fields? It's in a multidimensional array
Array
(
[read_data6] => Array
(
[var] => Array
(
[0] => Array
(
[CBUser] => Array
(
[firstname] => Spidey
)

)

)

)

)
Tried $this->get("read_data6.var.0.CBUser.firstname") but it doesn't work.

Edit: Never mind, var is not required in that. $this->get("read_data6.0.CBUser.firstname") worked.
GreyHead 05 Dec, 2018
Hi webbusteruk,

Please see the third paragraph of the Request Data section in this FAQ

Bob