
Consider the example below. HTML page:

<input type="text" name="update_12" />

An input box with the name "update_12" and the new text "Some another data" is sent via a form to the server-side PHP script (say process.php).

Database format:

=====================
message_ID  Message
=====================
12         Some data
13         Another data

If the PHP script does an explode on the input name as:

foreach ($_POST as $key => $value) {
    if (strstr($key, "update_")) {
        // The message ID is taken straight from the client-supplied field name
        $required_id = explode('_', $key)[1];
        // Neither value is checked: the ID is trusted as-is, and the new text
        // is concatenated into the query without escaping
        $query = "UPDATE <db_name> SET `Message`='" . $_POST[$key] . "' WHERE `message_id`='" . $required_id . "'";
    }
}

This updates the DB with the new message for message_ID 12.

I am new to PHP and am exploring basic data storage, update, retrieval and deletion in MySQL.

The problem is that the client can change the "name" attribute of the input field and send a different value to update. For example, if a client opens Firebug and changes the "name" of the input box to "update_13", his operation is going to overwrite another user's Message.

I tried researching this by trying out a status deletion on Facebook. From a first observation of the POST data for the deletion, I could see some important parameters being sent:

impression_id=456ab622
profile_id=100005552221116
__user=100005552221116
story_fbid=540912345678911

For a post deletion, the associated ID looks like story_fbid. When I changed this to, say, 540912345678912 (last digit changed) and clicked delete, FB takes a while and responds with an error message saying: "This operation cannot be done." This error message appears after the POST request to delete has been sent (with the modified story_fbid). The response to the POST request contains the error message, which is shown in a modal window.

I can think of a way wherein the ID and its hash (MD5/SHA1/SHA2) are stored in the DB and, upon receipt of an ID, it is hashed and, if it matches any row, that row in the DB is updated. However, there is a chance that (in our case) the hash of 13 might match some other row and hence perform an update operation.

Can you suggest any other secure ways in which we can validate that the client has not changed the values?

The answer to the question asked here is exactly what I am looking for. However, there are no proper solutions/methods in that discussion.

learner
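The refusal the question observes from Facebook (the altered story_fbid is rejected by the server, not the browser) is what a server-side ownership check looks like from the outside. As an added example, not code from the question or the answer, here is that check applied to the question's update form: the message ID still comes from the field name, but the UPDATE also requires the row to belong to the logged-in user, and the values go through a prepared statement instead of string concatenation. It assumes an in-memory SQLite database through PDO, a table named messages with an added owner_id column, user 1 owning message 12 and user 2 owning message 13; the function names and the sample rows are constructed for the example.

```php
<?php
// Added example, not code from the question or the answer. An ownership
// check on the UPDATE: the message ID still comes from the field name, but
// the row is only touched if it also belongs to the logged-in user, and the
// values go through a prepared statement instead of string concatenation.
// Assumptions: in-memory SQLite via PDO, a table "messages" with an added
// owner_id column, user 1 owning message 12 and user 2 owning message 13.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // owner_id is what the question's two-column table lacks; without it the
    // server has no way to decide whose message a given ID is.
    $db->exec('CREATE TABLE messages (
        message_id INTEGER PRIMARY KEY,
        owner_id   INTEGER NOT NULL,
        message    TEXT    NOT NULL)');
    $db->exec("INSERT INTO messages VALUES (12, 1, 'Some data'), (13, 2, 'Another data')");
    return $db;
}

// Applies every update_<id> field in $post on behalf of $currentUser and
// returns message_id => 'updated' or 'denied'. The ID parsed from the field
// name is never trusted on its own: the WHERE clause also requires
// owner_id = $currentUser, so a renamed field reaches no one else's row.
function applyUpdates(PDO $db, int $currentUser, array $post): array
{
    $stmt = $db->prepare(
        'UPDATE messages SET message = :msg WHERE message_id = :id AND owner_id = :owner'
    );
    $results = [];
    foreach ($post as $key => $value) {
        // Strict parse: "update_" followed by digits only; other fields are ignored.
        if (!preg_match('/^update_(\d+)$/', (string) $key, $m)) {
            continue;
        }
        $id = (int) $m[1];
        $stmt->execute([':msg' => (string) $value, ':id' => $id, ':owner' => $currentUser]);
        // 0 affected rows: no such message, or it belongs to someone else.
        // The client gets the same answer either way.
        $results[$id] = $stmt->rowCount() === 1 ? 'updated' : 'denied';
    }
    return $results;
}

function readMessage(PDO $db, int $id): ?string
{
    $s = $db->prepare('SELECT message FROM messages WHERE message_id = ?');
    $s->execute([$id]);
    $row = $s->fetchColumn();
    return $row === false ? null : (string) $row;
}

// Constructed demonstration data (not captured from any real application).
$db = setupDb();

// User 1 submits the form as rendered: update_12.
print_r(applyUpdates($db, 1, ['update_12' => 'Some another data']));

// User 1 after renaming the field to update_13 in Firebug.
print_r(applyUpdates($db, 1, ['update_13' => 'overwritten']));
echo readMessage($db, 13), PHP_EOL;

// An injection-shaped value is stored as text, not run as SQL.
applyUpdates($db, 1, ['update_12' => "x' WHERE 1=1; --"]);
echo readMessage($db, 12), PHP_EOL;
```

Run from the CLI this reports 12 as updated and 13 as denied, and message 13 still reads "Another data"; the last call stores the quote-laden string literally. Two caveats for the real thing: the check only works when every message row records its owner, which the question's table does not; and with MySQL, PDO's rowCount() counts changed rows by default, so re-submitting identical text would look like a denial unless the connection is opened with PDO::MYSQL_ATTR_FOUND_ROWS set to true (or ownership is confirmed with a SELECT before the UPDATE).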

1 Answer


You can create a unique generated ID (ID1) using your own function or the built-in PHP function uniqid(). Start the user session and store ID1 as well as the message ID (ID2) in the session as below.

session_start();
$ID1 = uniqid();   // opaque handle that will appear in the form
$ID2 = 12;         // the real message_ID (12 in the question's example); it stays server-side
// store session data
$_SESSION['ID1'] = $ID1;
$_SESSION['ID2'] = $ID2;

Let's say the generated ID is "145f214". The input in your form will be as below:

<input type="text" name="update_145f214" />

When the form is submitted, you just get ID1 from the input element and check:

  1. if ID1 in the session has the same value
  2. if yes, use the value of ID2 stored in the session for your sql query
  3. if not, display an error message to the user

This is a very basic solution, but from there you will certainly improve.

If you have a lot of fields and you use pairs of data, then you will need to save those pairs and the others in your session.

Let's say you have 10 fields with data as follows: [12a:1][12b:2][12c:3]

you can save the order of the fields and the corresponding data into sessions variables.

$_SESSION['field1'] = ['12a' => 1];

$_SESSION['field2'] = ['12b' => 2];

Maybe also this:

$_SESSION['fieldCount'] = 10;

to make sure you know how many fields you have generated.

From there you can first check whether the number of fields submitted is the same as the number you generated. Then you check that every field has the pair you assigned to it by comparing with the data in the session variables (this will also help to check whether the order has been changed).

I came back to this because I had a similar case and implemented the above solution.

I can give you more details if you want

– sedigo
  • Some clarifications required: I am aware that session_start() generates an SID. When you say unique generated ID, are you referring to the same SID? Is the DB ID the same as the Message_ID given in the example in the question? What is the form ID referring to in the question asked? (Is that the name field of the input?) – learner Nov 24 '13 at 08:50
  • Yes, that looks like a basic method and would work for a small number of inputs/textareas. However, if there are, say, 10 inputs, using the UUID method requires us to keep track of UUID:ID pairs, and it would not be possible to check which UUID was edited/changed in the HTML input 'name' field in that case. Example: if the [UUID:ID] pairs are [12a:1][12b:2][12c:3] and so on, and the user changes message_12a to message_12b, he will be allowed to do a wrong update on the row with the primary key '2'. Any other methods you could suggest will help me explore more on that. – learner Nov 25 '13 at 13:00
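The answer's session map, written out for a form with several fields, as an added example that is not the answerer's code: the server mints one random token per message it decides this user may edit, stores token => message_id in the session, and only the token ever appears in the field name; on submit each token is resolved back through the map, and any field the server did not issue, or a field count that differs from the rendered form, refuses the whole request. It assumes tokens from random_bytes() rather than uniqid(), a plain $session array standing in for $_SESSION after session_start() so the script runs from the CLI, and message IDs 12 and 13 as the ones this user may edit; the function names are constructed for the example.

```php
<?php
// Added example, not code from the answer. The answer's session map written
// out for a form with several fields: the server mints one random token per
// editable message, stores token => message_id in the session, and only ever
// exposes the token in the field name. Assumptions: tokens from
// random_bytes() instead of uniqid(); the $session array stands in for
// $_SESSION after session_start() so this runs from the CLI; the real
// message IDs 12 and 13 are the ones this user is allowed to edit.
declare(strict_types=1);

// Called while rendering the form. Returns the field names to emit
// (update_<token>) and records the token => message_id map in the session.
function issueFieldTokens(array &$session, array $messageIds): array
{
    $map = [];
    foreach ($messageIds as $id) {
        $token = bin2hex(random_bytes(8));   // 16 hex chars, not guessable
        $map[$token] = (int) $id;
    }
    $session['update_tokens'] = $map;        // replaces the previous form's map
    // No type on $t: PHP turns an all-digit token into an int array key.
    return array_map(static fn($t) => "update_$t", array_keys($map));
}

// Called on submit. Maps every update_<token> field back to its message_id.
// Throws on any field the server did not issue, or on a field count that
// differs from the rendered form, so the caller refuses the whole request
// rather than applying part of it. Returns message_id => new text.
function resolveSubmission(array $session, array $post): array
{
    $map = $session['update_tokens'] ?? [];
    $updates = [];
    foreach ($post as $key => $value) {
        if (!preg_match('/^update_([0-9a-f]{16})$/', (string) $key, $m)) {
            throw new InvalidArgumentException("unexpected field: $key");
        }
        if (!array_key_exists($m[1], $map)) {
            throw new InvalidArgumentException("token was never issued: $key");
        }
        $updates[$map[$m[1]]] = (string) $value;
    }
    if (count($updates) !== count($map)) {
        throw new InvalidArgumentException('field count differs from the rendered form');
    }
    return $updates;
}

// Constructed demonstration: render, then replay what the browser would POST.
$session = [];
$fields = issueFieldTokens($session, [12, 13]);
echo implode(', ', $fields), PHP_EOL;

$post = [$fields[0] => 'Some another data', $fields[1] => 'edited too'];
print_r(resolveSubmission($session, $post));

// Two tampered submissions: the question's original field name, and a
// token the server never handed out.
foreach ([['update_12' => 'x'], ['update_0123456789abcdef' => 'x']] as $tampered) {
    try {
        resolveSubmission($session, $tampered);
    } catch (InvalidArgumentException $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}
```

On the swap raised in the comment (renaming the 12a field to 12b): both tokens resolve to IDs that the server itself put in this session's map, so the swap can only reach rows this user was already allowed to edit, and the server cannot tell it apart from the user editing the other field; it is not a write to another user's row. What the map does not replace is the ownership check on the UPDATE itself, so the resolved IDs should still go into a query that matches on the owner as well as the message ID.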