How To Prevent Form Tampering

For Yii delete and update operations, how do we validate that the contents of the form request came from the current site and not from somewhere else?

Maybe from the referer, or by inserting a check code to verify the source.

The referer will not be that secure, because an attacker can use the server request itself by modifying the grid data using Firebug.

How about using CSRF validation, and only using POST for update and delete operations?

Hi Ganesh Bora,

Yii has a built-in CSRF prevention mechanism.

http://www.yiiframework.com/doc/guide/1.1/en/topics.security#cross-site-request-forgery-prevention


Beat me to it. Was just reading about this in Larry Ullman’s Yii Book.

Spot on, and whilst it should be a given about POST for update and delete operations, I had an interview recently where they asked me about POST/GET and I failed to mention this. Face palm. I did get the job, but couldn’t believe I didn’t know what they were getting at when they asked about it.

If best practice dictates that only POST should be used for delete, then why is the Yii CRUD using GET for deleting a record?

In this particular and specific case, you could use two extra fields, f1 and f2, where f2 = function(f1), and then server side you check that f2 is exactly function(f1), knowing the algorithm of the function.

Gii is using POST for delete action. Check the “actionDelete” method of a CRUD controller. :)

It’s true that the delete button of CGridView is a link to the delete action, but it will fail if you have disabled JavaScript, because yii.gridview.js is handling the click of a delete link to fire an Ajax request using the POST method.

If you create a new model using gii, Yii creates the following delete function which only allows deletes using POST:


/**
 * Deletes a particular model.
 * If deletion is successful, the browser will be redirected to the 'admin' page.
 * @param integer $id the ID of the model to be deleted
 */
public function actionDelete($id)
{
    if(Yii::app()->request->isPostRequest)
    {
        // we only allow deletion via POST request
        $this->loadModel($id)->delete();

        // if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser
        if(!isset($_GET['ajax']))
            $this->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin'));
    }
    else
        throw new CHttpException(400,'Invalid request. Please do not repeat this request again.');
}


Yep I stand corrected. Thanks!
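
To make the CSRF suggestion and the POST-only actionDelete above concrete, here is an added example (not from the thread and not Yii's own code) that rebuilds the Yii 1.1-style cookie/hidden-field token check without the framework; the request arrays stand in for $_POST and $_COOKIE and are constructed, and the field name is chosen to match Yii 1.1's default csrfTokenName.

```php
<?php
// Added example, not code from the thread or from Yii itself: the double-submit
// CSRF check and the POST-only guard, written framework-free so the logic shows.
// The field name matches Yii 1.1's default csrfTokenName.
const CSRF_FIELD = 'YII_CSRF_TOKEN';

// Issue a random token once and store it in the cookie jar.
function issueCsrfToken(array &$cookies): string
{
    $token = bin2hex(random_bytes(32));
    $cookies[CSRF_FIELD] = $token;
    return $token;
}

// The hidden input every form must carry back (what CHtml::form() emits).
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Guard for a state-changing action such as actionDelete: reject anything
// that is not a POST, then require the posted token to equal the cookie token.
function isValidStateChange(string $method, array $post, array $cookies): bool
{
    if ($method !== 'POST') {
        return false;                           // a plain GET link cannot delete
    }
    if (!isset($post[CSRF_FIELD], $cookies[CSRF_FIELD])) {
        return false;                           // cookie or hidden field missing
    }
    // Constant-time comparison; a page on another origin cannot read our cookie,
    // so it cannot supply a matching value.
    return hash_equals($cookies[CSRF_FIELD], (string) $post[CSRF_FIELD]);
}

// Constructed requests, not captured traffic.
$cookies = [];
$token   = issueCsrfToken($cookies);
$ownForm = ['id' => 17, CSRF_FIELD => $token];   // submitted from our own page
$foreign = ['id' => 17, CSRF_FIELD => 'stale'];  // submitted from elsewhere

if (!isValidStateChange('POST', $ownForm, $cookies)
    || isValidStateChange('GET', $ownForm, $cookies)     // e.g. the grid link with JS off
    || isValidStateChange('POST', $foreign, $cookies)) {
    throw new RuntimeException('CSRF guard misbehaved');
}
echo csrfHiddenField($token), "\nguard OK\n";
```

In Yii 1.1 the same check is switched on with enableCsrfValidation on the request component, and the framework then emits the hidden field through CHtml::form() and rejects a mismatch before the action runs.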