Topic: <form> Help

cdoyle
<form> Help
« on: November 19, 2008, 08:00:44 PM »
Ugh, just when I thought I was getting this.
I just found another bit of bad coding on my part.

I've created a page that allows users to pay for a spy on another player.

The cost is calculated via a query, and they have a confirmation screen to say if they want to proceed.

They have a form that looks like this

Code: [Select]
$cost  = $getspy1['level'] * 2000;
$spyid = $getspy1['id'];
echo "<form method=\"post\" action=\"spylog.php?act=confirm\">";
echo "<input type=\"hidden\" name=\"cost\" value=\"$cost\">";   // cost travels through the client
echo "<input type=\"hidden\" name=\"spyid\" value=\"$spyid\">"; // so does the target id
echo "<input type=\"submit\" name=\"yes\" value=\"Yes, I am sure!\">";
echo "</form>";

This then goes to the next case in the switch and executes the queries etc.

So that all works great, but I found that if a user views source, they can copy that code, enter the full path to the URL, just put a 0 for the cost, update the spyid to anyone they want, and get all the info on any player.

How do I prevent stuff like this from happening?

Waizujin
Re: <form> Help
« Reply #1 on: November 19, 2008, 08:08:50 PM »
Hidden fields are usually a bad idea. Remove the hidden fields, and don't calculate the cost until after the form is executed and before the queries execute.

toxin
Re: <form> Help
« Reply #2 on: November 20, 2008, 01:14:39 AM »
Not sure if this would work. I think it will, but who knows.
Just put an if statement in the code to check if the cost has been changed.
Code: [Select]
<?php
$cost  = $getspy1['level'] * 2000;
$spyid = $getspy1['id'];
$error = '';

if ($_POST) {
    // Recompute the cost and compare it against the value the page was built with.
    $confirm_cost = $getspy1['level'] * 2000;
    if ($cost != $confirm_cost) {
        $error = "Whatever error you like to put.";
    }
}
echo "<span>$error</span><form method=\"post\" action=\"spylog.php?act=confirm\">
<input type=\"hidden\" name=\"cost\" value=\"$cost\">
<input type=\"hidden\" name=\"spyid\" value=\"$spyid\"><input type=\"submit\" name=\"yes\" value=\"Yes, I am sure!\"></form>";
?>


Tribal
Re: <form> Help
« Reply #3 on: November 20, 2008, 01:52:10 AM »
I've heard you should use

Code: [Select]
if(isset($_POST))
{
    //Stuff
}

due to some configuration setting in the php.ini file that will generate an error if it sees just $_POST

Zeggy (Global Moderator)
Re: <form> Help
« Reply #4 on: November 20, 2008, 04:32:34 AM »
Why do you include those values as a hidden form field?

It seems you can calculate those values using PHP, so you don't need to rely on hidden input fields.

Scion
Re: <form> Help
« Reply #5 on: November 20, 2008, 05:43:37 AM »
I can think of several ways to solve this....

One is to use the session object: store the values in the user's session until they confirm the placement.

Another: just re-calculate the values. In that case you may need to place the original values back on the confirmation page as hiddens (that should be OK though, since you don't win anything by manipulating them).

Use Ajax to retrieve just the calculated cost before submitting the whole form.

Or include an estimate calculator in JavaScript on the page that calculates an estimated cost.

Use a partial object in the DB, i.e. one that won't be used until it has been activated through the use of the confirm button. That way you could have a confirm-later option.

OK, that should be enough to get you started.
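Scion's session approach, worked through as an added example (this is not code from the thread or from the game): the quote step stores the target id in the session, and the confirm step reads only the session, recomputes the cost from the players table and deducts gold with a conditional UPDATE, so a tampered or replayed POST cannot set the cost to 0 or spend the same gold twice. The table layout, the five-minute quote lifetime, the function names and the sample players are constructed assumptions modelled on the column names used in the thread; it uses PDO with an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not from the original thread: the "session object" approach.
// Assumes a `players` table with id, username, level, gold (the thread's column
// names). $session stands in for $_SESSION so the script runs from the CLI.
declare(strict_types=1);

const SPY_COST_PER_LEVEL = 2000;   // from the thread: level * 2000
const PENDING_TTL_SECONDS = 300;   // assumption: a quote is valid for five minutes

/** Step 1: show the quote and remember the target in the session, never in a hidden field. */
function quoteSpy(PDO $db, array &$session, int $targetId): ?int
{
    $stmt = $db->prepare('SELECT level FROM players WHERE id = ?');
    $stmt->execute([$targetId]);
    $level = $stmt->fetchColumn();
    if ($level === false) {
        return null;                       // unknown target
    }
    $session['pending_spy'] = [
        'target'  => $targetId,
        'expires' => time() + PENDING_TTL_SECONDS,
    ];
    return (int)$level * SPY_COST_PER_LEVEL;   // shown to the user; recomputed again on confirm
}

/** Step 2: confirm. Reads the target from the session only; $_POST is never consulted. */
function confirmSpy(PDO $db, array &$session, int $viewerId): ?array
{
    $pending = $session['pending_spy'] ?? null;
    unset($session['pending_spy']);        // one-shot: a replayed confirm does nothing
    if ($pending === null || $pending['expires'] < time()) {
        return null;
    }
    $targetId = (int)$pending['target'];

    $db->beginTransaction();
    try {
        $stmt = $db->prepare('SELECT level FROM players WHERE id = ?');
        $stmt->execute([$targetId]);
        $level = $stmt->fetchColumn();
        if ($level === false) {
            $db->rollBack();
            return null;
        }
        $cost = (int)$level * SPY_COST_PER_LEVEL;   // recomputed server-side

        // Conditional debit: no row changes if the viewer cannot afford it,
        // and concurrent confirms cannot drive the balance below zero.
        $debit = $db->prepare('UPDATE players SET gold = gold - ? WHERE id = ? AND gold >= ?');
        $debit->execute([$cost, $viewerId, $cost]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();
            return null;                   // not enough gold
        }

        $info = $db->prepare('SELECT id, username, level, gold FROM players WHERE id = ?');
        $info->execute([$targetId]);
        $report = $info->fetch(PDO::FETCH_ASSOC);
        $db->commit();
        return ['cost' => $cost, 'report' => $report];
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// --- Constructed demo data (not the game's real schema) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT, level INTEGER, gold INTEGER)');
$db->exec("INSERT INTO players VALUES (1, 'viewer', 5, 10000), (2, 'target', 3, 500)");

$session = [];                             // stands in for $_SESSION
$quoted = quoteSpy($db, $session, 2);      // viewer 1 is quoted a spy on player 2

// A tampered POST (cost=0, spyid=9) changes nothing: the handler never reads it.
$_POST = ['cost' => '0', 'spyid' => '9'];
$first  = confirmSpy($db, $session, 1);    // charged the recomputed cost for player 2
$second = confirmSpy($db, $session, 1);    // null: the pending quote was consumed
```

The conditional UPDATE is the piece most people skip: checking the balance with a SELECT and then subtracting in a second statement leaves a window where two confirms both pass the check. Binding the balance condition into the debit closes it regardless of what the client sends.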

Tribal
Re: <form> Help
« Reply #6 on: November 20, 2008, 07:23:49 AM »
In my opinion, using sessions would be a waste of resources.

cdoyle
Re: <form> Help
« Reply #7 on: November 20, 2008, 07:26:59 AM »
Quote from: Zeggy
Why do you include those values as a hidden form field?

It seems you can calculate those values using PHP, so you don't need to rely on hidden input fields.

The page I have is for spying on other players, and how I have it setup is when the page first opens it gives you the cost to spy on the player. On this page it has the button, that confirms you want to spy on the player.

I was using this button to pass the enemys->id and cost to the 'confirmed' case.

Here is what I have. What would be the best way to accomplish what I need to do? Sessions have been recommended a few times, but I'm not sure how to do it.

Tribal
Re: <form> Help
« Reply #8 on: November 20, 2008, 07:44:14 AM »
cdoyle, what you need to do is re-calculate the cost after the user has confirmed. Like this:

Code: [Select]
$cost  = $getspy1['level'] * 2000;
$spyid = $getspy1['id'];
echo "<strong>SPY:</strong> So you want some information on\n" . $getspy1['username'] . "<br>";
echo "<strong>SPY:</strong> Well that's going to cost you some cash!<br>";
echo "<strong>YOU:</strong> How much is this gonna cost<br>";
echo "<strong>SPY</strong>  For this player it will cost $" . $cost . "<br>";

echo "<strong>SPY</strong>  So you want me to spy on this guy?";

// Only the target id is posted; the cost is recomputed on the confirm side.
echo "<form method=\"post\" action=\"spylog.php?act=confirm\">";
echo "<input type=\"hidden\" name=\"spyid\" value=\"$spyid\">";
echo "<input type=\"submit\" name=\"yes\" value=\"Yes, I am sure!\">";
echo "</form>";

Notice how I have removed the hidden input for the cost? Next, you need to get the id of the player to spy on, then multiply that by 2000 to get the correct price that will need to be paid:

Code: [Select]
// In the confirm case: look the target up again and derive the price from the row, never from $_POST
$spycost = $getspy1['level'] * 2000;

Any problems let us know

Zeggy (Global Moderator)
Re: <form> Help
« Reply #9 on: November 20, 2008, 08:32:49 AM »
Instead of $spycost=stripslashes($_POST['cost']);, use $spycost = $getspy1['level'] * 2000;

The cost isn't something that the user needs to select/change/submit, so you can just calculate that yourself after the form is submitted.

cdoyle
Re: <form> Help
« Reply #10 on: November 20, 2008, 09:43:16 AM »
OK,
I think I fixed it with this.

Code: [Select]
$spyid = (int) stripslashes($_POST['spyid']);   // the only value taken from the client; cast so it can only be an id

$getspyconfirm  = $db->execute("SELECT `id`, `username`, `level` FROM `players` WHERE `id`=?", array($spyid));
$getspyconfirm1 = $getspyconfirm->fetchrow();
$spycost = $getspyconfirm1['level'] * 2000;     // recomputed server-side; the posted cost is ignored

$spyinfo  = $db->execute("SELECT `id`, `username`, `level`, `vitality`, `strength`, `agility`, `gold` FROM `players` WHERE `id`=?", array($spyid));
$spyinfo1 = $spyinfo->fetchrow();
$getweapons = $db->execute("SELECT i.item_id, i.player_id, i.status, b.id, b.name, b.type FROM items i
                            INNER JOIN blueprint_items b ON b.id = i.item_id
                            WHERE i.player_id=? AND i.status=? AND b.type IN (?, ?)",
                           array($spyid, 'equipped', 1, 2));   // `1 or 2` in PHP is just boolean true, so bind both types

I removed the hidden field for cost and just re-query it in the confirm case. So if someone does take the form and tries to alter it, all they can do is change who to spy on, but the cost still gets deducted.

Does this seem OK?

Tribal
Re: <form> Help
« Reply #11 on: November 20, 2008, 02:35:49 PM »
Yes, it does seem fine to me. If you really wanted to make it so that they couldn't change who to spy on, you could add a unique form key that incorporates the spied-on person's username, id and a random string. Depends if you want to go that far. To be honest, why would they need to change it when they selected the person originally? Especially now, as you are calculating the cost instead of receiving it from a remote resource.
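The "unique form key" Tribal describes, as an added example that is not code from the thread: an HMAC over the viewer's id, the spyid and an expiry, emitted as a second hidden field and checked on confirm with a constant-time compare. Changing spyid, or submitting a key minted for a different viewer, makes the MAC fail; the cost is still recomputed server-side exactly as the thread settled on, the key only pins the target. The secret value, the five-minute lifetime and the function names are assumptions.

```php
<?php
// Added example, not code from the thread: a stateless "form key" for the
// confirm form. Assumptions: FORM_KEY_SECRET comes from server-side config,
// and the viewer's own player id is known from their login when rendering and confirming.
declare(strict_types=1);

const FORM_KEY_SECRET = 'replace-with-a-long-random-secret';   // assumption: loaded from config, not committed
const FORM_KEY_TTL    = 300;                                    // assumption: a form is valid for five minutes

/** Build the hidden-field value "<expires>.<hmac>", bound to viewer, target and expiry. */
function makeFormKey(int $viewerId, int $spyId, ?int $now = null): string
{
    $expires = ($now ?? time()) + FORM_KEY_TTL;
    $mac = hash_hmac('sha256', "spy|$viewerId|$spyId|$expires", FORM_KEY_SECRET);
    return $expires . '.' . $mac;
}

/** Verify on confirm: recompute the MAC from the server-side viewer id and the posted spyid. */
function verifyFormKey(string $key, int $viewerId, int $spyId, ?int $now = null): bool
{
    $parts = explode('.', $key, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                                           // malformed key
    }
    [$expires, $mac] = $parts;
    if ((int)$expires < ($now ?? time())) {
        return false;                                           // stale form
    }
    $expected = hash_hmac('sha256', "spy|$viewerId|$spyId|$expires", FORM_KEY_SECRET);
    return hash_equals($expected, $mac);                        // constant-time compare
}

/** Rendering side: the form carries spyid plus its key; the cost is deliberately absent. */
function renderConfirmForm(int $viewerId, int $spyId): string
{
    $key = htmlspecialchars(makeFormKey($viewerId, $spyId), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"spylog.php?act=confirm\">"
         . "<input type=\"hidden\" name=\"spyid\" value=\"$spyId\">"
         . "<input type=\"hidden\" name=\"key\" value=\"$key\">"
         . "<input type=\"submit\" name=\"yes\" value=\"Yes, I am sure!\">"
         . "</form>";
}

/** Confirm side: returns the validated target id, or null if the POST was tampered with. */
function confirmedTarget(array $post, int $viewerId): ?int
{
    $spyId = filter_var($post['spyid'] ?? null, FILTER_VALIDATE_INT);
    $key   = $post['key'] ?? '';
    if ($spyId === false || !is_string($key) || !verifyFormKey($key, $viewerId, $spyId)) {
        return null;
    }
    return $spyId;   // safe to look up level * 2000 and deduct for this target
}

// Constructed demo: viewer 1 was quoted a spy on player 2.
$form     = renderConfirmForm(1, 2);
$key      = makeFormKey(1, 2);
$legit    = confirmedTarget(['spyid' => '2', 'key' => $key], 1);   // accepted
$tampered = confirmedTarget(['spyid' => '9', 'key' => $key], 1);   // null: spyid changed, MAC no longer matches
$borrowed = confirmedTarget(['spyid' => '2', 'key' => $key], 7);   // null: key was minted for viewer 1
```

Because the key is bound to the viewer's own id, it also works as a CSRF token for this form. Keep the secret out of the web root and rotate it if it leaks: anyone holding it can mint a valid key for any target.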

cdoyle
Re: <form> Help
« Reply #12 on: November 20, 2008, 06:01:12 PM »
Great!
Thank You.

I'm glad that I didn't have to start over on the whole thing :)

 

