
Is This Safe?


Distortion


I check in a database if people are allowed to perform an action. If this is positive a form button appears, if not it does not appear. Is this safe or can people simply simulate the form action? I know this is possible when I use GET, but now I use POST. It isn't about bank accounts, but it shouldn't be too simple to abuse this system either.


Not safe. I can save your page to my hard drive and add my own data. Load it up, and send it to your script. Some browsers even let me edit the page live. With a command-line terminal, I can send an HTTP request to your server without ever looking at your page. If you want the effect of logging in, start using sessions. It's easy. Your login script has code somewhere that looks like this:

if ($validated) {
    // session_start() has to run before any output has been sent to the browser
    session_start();
    $_SESSION['userlevel1'] = 'OK';
}

Then every user page does something like this (greatly oversimplified):

session_start();
if (isset($_SESSION['userlevel1'])) {
    // do something (the user has been marked as logged in)
} else {
    // do something else (no session flag, so treat as not logged in)
}

Your server and the client browser handle the rest. If you were a bank, you'd use a secure socket as well, but this is all the security that most secure sites have, and it is EASY. And by varying different keys in the $_SESSION array, you can track different levels of privilege, from admin to loser and everything in between. Let me clarify: When you call session_start, the $_SESSION array is created and populated automatically. If session_start is not called for a particular client after so many minutes, the session data expires. I chose 'userlevel1' as an array index for the sake of the example. It's not built in. You choose your own indexes, ideally words meaningful to your app. There is no limit to the amount or kind of data you can pack into the $_SESSION array.


I must be very bad at explaining my problem, or I don't get your point... I knew about the session data, and I use it already (btw I thought it could go wrong if you had something before session_start). But the privileges are not set on login; they depend on how many 'points' you've earned, and this can change all the time, so I don't use the SESSION data for it. The moment you open the form, it depends on the amount of points which things you can do. E.g. members with a lot of points can put a tag in front of their name. If you do not have enough points you don't see the part of the form where you can change your tag, but you said you can still send the information without seeing the corresponding part of the form? Do you mean I have to prevent this by temporarily writing the amount of points retrieved from the database to the SESSION data, and then comparing it to the database again on handling the form?


The short answer to the question is, yes. Any user can post any data they want. You could check your $_SERVER array to make sure the user is posting from your page, but that can be spoofed. It's up to the browser to send that part of the data. All the famous browsers do things the "correct" way. But with pretty basic software, any hack can send HTTP data from a plain text window, and your server won't know the difference. It sounds like you're doing a game or something, so the world won't crumble if someone hacks your system. But if letting someone do it would spoil the fun, you might as well prevent it. I assume the points change every time someone loads or refreshes a page? Are you updating the points to your database every time? It's not like you're going to break anything by overusing it. You're already checking the database to see if you should give your user the button. So use the same technique when the form gets posted back. Don't rely on the button to validate the user's permissions. Just check the database on both ends. Am I still missing something?
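The pattern the two replies describe (the session identifies the user, the database decides the privilege, and the check is repeated when the form is posted) as an added example that is not code from the thread. It assumes a users table with id, points and tag columns, a hypothetical TAG_MIN_POINTS threshold, and constructed sample rows in an in-memory SQLite database.

```php
<?php
// Added example, not from the thread. Assumes a users(id, points, tag) table;
// the threshold and the sample rows below are constructed for illustration.
declare(strict_types=1);

const TAG_MIN_POINTS = 100; // hypothetical threshold for the name-tag privilege

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, points INTEGER NOT NULL, tag TEXT)');
$pdo->exec('INSERT INTO users (id, points) VALUES (1, 40), (2, 150)'); // constructed sample data

// The session only says WHO the user is; it is set at login and never stores the points.
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('not logged in');
}
$userId = (int) $_SESSION['user_id'];

// Hypothetical helper: always read the current points from the database.
function currentPoints(PDO $pdo, int $userId): int
{
    $stmt = $pdo->prepare('SELECT points FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $points = $stmt->fetchColumn();
    return $points === false ? 0 : (int) $points;
}

// Rendering the form: hiding the tag field is a convenience for honest users only.
$showTagField = currentPoints($pdo, $userId) >= TAG_MIN_POINTS;

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['tag'])) {
    // Unsafe pattern (do not use): assuming the field can only arrive when it was shown.
    //   saveTag($pdo, $userId, $_POST['tag']);
    // Safe pattern: the database is asked again at submission time, exactly as when rendering.
    if (currentPoints($pdo, $userId) < TAG_MIN_POINTS) {
        http_response_code(403);
        exit('not enough points');
    }
    $tag = substr(trim((string) $_POST['tag']), 0, 10); // hypothetical length limit
    $stmt = $pdo->prepare('UPDATE users SET tag = ? WHERE id = ?');
    $stmt->execute([$tag, $userId]);
}
```

Because the points are read from the database on both the render and the submit path, a request hand-crafted with the tag field still fails the check, and there is no need to copy the points into $_SESSION.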


> The short answer to the question is, yes. Any user can post any data they want. You could check your $_SERVER array to make sure the user is posting from your page, but that can be spoofed. It's up to the browser to send that part of the data. All the famous browsers do things the "correct" way. But with pretty basic software, any hack can send HTTP data from a plain text window, and your server won't know the difference. It sounds like you're doing a game or something, so the world won't crumble if someone hacks your system. But if letting someone do it would spoil the fun, you might as well prevent it. I assume the points change every time someone loads or refreshes a page? Are you updating the points to your database every time? It's not like you're going to break anything by overusing it.

Yes, it is a game; you buy the points for more privileges, so the points change only when the user buys them, which can be any time during the game.

> You're already checking the database to see if you should give your user the button. So use the same technique when the form gets posted back. Don't rely on the button to validate the user's permissions. Just check the database on both ends. Am I still missing something?

Nothing I can think of, thanks for your clear explanation!
