Question

This is more of a conceptual question because the way that I am doing it would be secure enough for my purposes (educational). I created a simple admin panel that displays a stock picks database as inputs:

{% for pick in picks %}
    {# the loop variable is "pick", so the row id must come from pick.id, not i.id #}
    <tr data-post-id="{{ pick.id }}">
        <td class="symbol"><input type="text" value="{{ pick.symbol }}"></td>
        <td class="buy_date"><input type="text" value="{{ pick.buy_datetime }}"></td>
        <td class="buy_price"><input type="text" value="{{ pick.buy_price }}"></td>
        <td class="sell_price"><input type="text" value="{{ pick.sell_price }}"></td>
        <td class="quantity"><input type="text" value="{{ pick.buy_quantity }}"></td>
        <td class="current_price"><input type="text" value="{{ pick.current_price }}" disabled></td>
        <td class="save"><button>save</button></td>
    </tr>
{% endfor %}
In the panel, you can edit an individual row and save it to the database through an AJAX request based on the data-post-id. Then it dawned on me: if a malicious user were able to bypass the login system, could they edit any row in the table by changing the data-post-id in their browser? If so, what else can I do to limit what can be edited and make sure that only what is intended to be edited is edited?

Explanation / Answer

For casual protection, you can hash some identification fields (including the ID) and include the hash in the page. When the page is posted, you hash the fields again, and compare them with the hash stored in the page. Make sure it's a salted hash so that it's difficult for the attacker to recreate the hash algorithm and make their own fake hash.

For better protection, encrypt the ID before rendering it in the page, and decrypt it when the page is POSTed.

Further Reading
Prevent form tampering of hidden fields in Django
MVC Security Extensions
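One way to implement the answer's approach in the server-side handler for the AJAX save, as an added example that is not code from the question or the answer: the value rendered in place of the bare data-post-id is the id plus an HMAC (a keyed hash, so it cannot be recreated without the server secret) over the id and the logged-in username, and the handler independently checks that the row belongs to that user and that only the editable columns change. `SECRET_KEY`, the `PICKS` table, the usernames and the `owner` column are constructed for this demo.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo secret; a real app would use settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-not-for-real-use"

# Constructed stand-in for the picks table: id -> row (owner added for the demo).
PICKS = {
    7: {"owner": "alice", "symbol": "AAPL", "buy_price": 150.0, "current_price": 152.0},
    8: {"owner": "bob", "symbol": "MSFT", "buy_price": 300.0, "current_price": 305.0},
}

# Columns the panel is meant to edit; current_price is display-only.
EDITABLE_FIELDS = {"symbol", "buy_datetime", "buy_price", "sell_price", "buy_quantity"}


def _mac(pick_id: int, username: str) -> str:
    """Keyed hash over the id and the user it was rendered for."""
    msg = f"{pick_id}:{username}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_pick_id(pick_id: int, username: str) -> str:
    """Token to render as data-post-id instead of the raw integer id."""
    return f"{pick_id}.{_mac(pick_id, username)}"


def verify_pick_id(token: str, username: str) -> Optional[int]:
    """Return the id if the token's MAC is valid for this user, else None."""
    try:
        id_str, mac = token.split(".", 1)
        pick_id = int(id_str)
    except ValueError:
        return None  # malformed token (no dot, or non-integer id)
    if not hmac.compare_digest(mac, _mac(pick_id, username)):
        return None  # id or MAC was altered in the browser
    return pick_id


def save_pick(token: str, username: str, changes: dict) -> bool:
    """Handler for the AJAX save: token check, ownership check, field whitelist."""
    pick_id = verify_pick_id(token, username)
    if pick_id is None:
        return False
    row = PICKS.get(pick_id)
    if row is None or row["owner"] != username:
        return False  # authorization does not rely on the token alone
    if not set(changes) <= EDITABLE_FIELDS:
        return False  # e.g. current_price or owner must never be writable
    row.update(changes)
    return True
```

The ownership check is the one that matters even if the token scheme is later changed; the MAC only makes casual id-swapping fail before a database lookup happens.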
