Which HTML attribute can not be modified?

1

Using PHP I display a table; in the id of each li I put the id of the record that is in the database. Once they are displayed, I have an option that deletes the record; I do this through AJAX, I get the id of that li, and I send it to PHP to delete.

But I realized that if I use Developer Tools, the "famous F12", and manually change the id of the li, it will get this new id that I put. That way the project I'm doing is vulnerable depending on who uses it. I say this because I am using this method a lot. Is there any attribute that the user cannot edit, or some other more secure method?

asked by anonymous 30.08.2017 / 23:22

2 answers

5

It does not exist; and it's not really just HTML, it's anything: every time you depend on the client you're vulnerable, so you should never trust anything that comes from the client; everything may come unexpectedly. Never trust the client!

Imagine that most existing software, mainly on the web, only works by coincidence, because in general nobody tampers with it; it is rare to find a programmer who validates all data entries and only accepts what is really appropriate.

Non-web applications make this a little more difficult because it requires technical knowledge that few have, but on the web, anyone curious can wreck your application.

Think about the difference between a person accessing an id from their normal page or from Dev Tools. Is there a situation where the person cannot access this id? Ensure on the server that this is not possible. There is no other way.

And make sure the server is not vulnerable. Ensure that the submission cannot be compromised; otherwise the server will not be secure.

30.08.2017 / 23:29
1

There's no way around it. If the client changes a value that will be sent to the server, it is the server that should validate: check whether the value exists, whether the received value is valid, whether the client that sent it had authorization for that, etc.

But it's always good to pre-validate on the frontend as well, since it saves requests to the server.

In your example, if the guy swaps id=10 for id=12, and normally that makes no difference, he will only be trading six for half a dozen. Now, if he swaps id=10 for id=13 and the value "13" is not among the values this user is allowed to tinker with, your backend should know this and prevent the script from proceeding.

30.08.2017 / 23:50
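To show what "the backend should know this" looks like for the delete endpoint in the question, here is an added example (not code from the asker or either answerer). It assumes a PDO connection `$pdo`, a `records` table with columns `id` and `owner_id`, and the logged-in user's id in `$_SESSION['user_id']`; all of these names are hypothetical.

```php
<?php
// Delete endpoint that never trusts the id sent by the client.
// Assumed (hypothetical) names: $pdo, table `records` (id, owner_id),
// $_SESSION['user_id'] for the authenticated user.
session_start();
header('Content-Type: application/json');

function deleteOwnedRecord(PDO $pdo, int $userId, $rawId): array
{
    // 1. Validate the shape of the value: it must be a positive integer.
    //    Anything else (letters, empty string, null) is rejected outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'body' => ['error' => 'invalid id']];
    }

    // 2. Authorize: delete only if the record belongs to this user.
    //    Ownership is part of the same statement, so a client who edits
    //    the <li> and swaps id=10 for id=13 simply affects zero rows.
    $stmt = $pdo->prepare(
        'DELETE FROM records WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $id, ':owner' => $userId]);

    if ($stmt->rowCount() === 0) {
        // Same response whether the record does not exist or is not theirs,
        // so the endpoint does not reveal which ids exist.
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    return ['status' => 200, 'body' => ['deleted' => $id]];
}

// 3. Authenticate before doing anything with the request.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

$pdo = new PDO('sqlite:app.db'); // hypothetical DSN
$result = deleteOwnedRecord($pdo, (int) $_SESSION['user_id'], $_POST['id'] ?? null);
http_response_code($result['status']);
echo json_encode($result['body']);
```

The frontend can still check the id before sending, as the second answer suggests, but only the ownership check in the SQL decides whether the delete happens.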