
I am currently developing a web application in the Laravel PHP framework to handle all the data input using HTML forms.

Creating a new entry in the database is not an issue, as it uses the POST method, where the ID is hidden from the user, and there is validation on the server side.

However, when it comes to updating or modifying the entry in the database row, I am using the PATCH method to send the data to the URI /form/{ID}, for example /form1/1. I perform data and user validation on the server side to prevent unwanted input from the user. However, sometimes a user with HTML knowledge can simply modify the URI of the form from /form1/1 to /form1/2 to PATCH the data to ID=2 instead of ID=1, which counts as an unwanted bypass.

Is there any way to prevent this from happening, as it poses a potential security risk?

Woody
    You would prevent this by simply checking that the owner of the data is the user that the subject data belongs to. If so, the edit will take place; else, redirect. – Matt Burrow Mar 21 '16 at 15:18
  • Other than validating the ownership of the data, is there any other validation I need to perform to further prevent the mentioned problem? – Woody Mar 21 '16 at 15:24
    The title is completely misleading; it implies there's a vulnerability related to the `PATCH` method. The vulnerability exists because you haven't implemented a check. If you do what @MattBurrow mentioned, then you're fine. To make this process trivial, you can utilize Laravel's middleware, which executes a route callback if a check succeeds. – Mjh Mar 21 '16 at 15:34
  • Thank you and sorry for the misleading title. – Woody Mar 21 '16 at 15:48

1 Answer


You need to implement Authorization. Take a look at the official documentation for more details: https://laravel.com/docs/master/authorization

Panagiotis Koursaris
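As an added example (not from the answer, the question or the Laravel docs), this is the ownership check the comments describe, written as a Laravel policy plus the PATCH controller action that enforces it. It assumes a `Form` Eloquent model with a `user_id` column, a `FormPolicy` auto-discovered by Laravel's naming convention, and a route `Route::middleware('auth')->patch('/form1/{form}', [FormController::class, 'update'])` using route-model binding; the two classes live in separate files as marked.

```php
<?php
// app/Policies/FormPolicy.php
namespace App\Policies;

use App\Models\Form;
use App\Models\User;

class FormPolicy
{
    // Only the row's owner may update it. The ID in the URI selects the
    // row; this check decides whether the caller is allowed to touch it.
    // Assumes the Form model has a user_id column (constructed example).
    public function update(User $user, Form $form): bool
    {
        return $form->user_id === $user->id;
    }
}

// app/Http/Controllers/FormController.php
namespace App\Http\Controllers;

use App\Models\Form;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class FormController extends Controller
{
    // Route-model binding resolves {form} from the URI, so /form1/2 loads
    // row 2 (or returns 404 if it does not exist) before this runs.
    public function update(Request $request, Form $form)
    {
        // Throws an AuthorizationException (HTTP 403) when FormPolicy::update
        // returns false, regardless of which ID the client typed into the URI.
        Gate::authorize('update', $form);

        // Input validation still runs, but it covers the body, not the
        // ownership question, which is why both checks are needed.
        $validated = $request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['nullable', 'string'],
        ]);

        $form->update($validated);

        return redirect()->route('form1.show', $form);
    }
}
```

Changing the ID in the URI now at most yields a 403 or 404, and the denied attempts are visible in the application log if you listen for the exception or log inside the policy.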