What Class Prevents Form Tampering

Hi guys,

I have just been testing out the form security with Yii and it's doing a great job in my opinion.

One of the things I'm unable to do is form tampering. Which is obviously a good thing, but I want to find out what class prevents form tampering from happening, and also if I change any settings in the application, will it then allow users to tamper with my forms? Basically I want to be able to do something, so that I can understand potential weaknesses in the future.

I have the following HTML form

<form id="user-form" action="/account/update" method="post">
	<div style="display:none"><input type="hidden" value="3535cf92623ecf0294329b5accc02841eec43d38" name="YII_CSRF_TOKEN" /></div>

	<p class="note">Fields with <span class="required">*</span> are required.</p>

	<div id="user-form_es_" class="errorSummary" style="display:none"><p>Please fix the following input errors:</p>
	<ul><li>dummy</li></ul></div>

	<div class="row">
		<label for="User_uname" class="required">Username <span class="required">*</span></label>
		<input size="60" maxlength="100" name="User[uname]" id="User_uname" type="text" value="wadmin" />
		<div class="errorMessage" id="User_uname_em_" style="display:none"></div>
	</div>

	<div class="row">
		<label for="User_email" class="required">Email <span class="required">*</span></label>
		<input size="60" maxlength="255" name="User[email]" id="User_email" type="text" value="test@test.com.au" />
		<div class="errorMessage" id="User_email_em_" style="display:none"></div>
	</div>

	<div class="row">
		<label for="User_fname" class="required">First Name <span class="required">*</span></label>
		<input size="60" maxlength="155" name="User[fname]" id="User_fname" type="text" value="Test First Name" />
		<div class="errorMessage" id="User_fname_em_" style="display:none"></div>
	</div>

	<div class="row">
		<label for="User_lname" class="required">Last Name <span class="required">*</span></label>
		<input size="60" maxlength="155" name="User[lname]" id="User_lname" type="text" value="Test Last Name" />
		<div class="errorMessage" id="User_lname_em_" style="display:none"></div>
	</div>

	<div class="row buttons">
		<input type="submit" name="yt0" value="Save" />
	</div>
</form>



I also have a database field called "test", which is naturally one of the attributes of the User model.

If I use Firebug to alter the name of the form field User[lname] to User[test], and in the function actionUpdate I have

$model->attributes=$_POST["User"];
$model->save();

This will still not overwrite the test value in the database for this user.

On the other hand, if I change the name of the form field User[lname] to User[fname] and User[fname] to User[lname], and submit the form as is, the values of fname and lname will swap in the database.

I can only assume there is some sort of validator which goes and checks what fields were submitted to the form and won't update any fields not submitted to the form?

Hello Mr Mojo Risin, welcome to Yii Forum.

After checking your user-form code, I assume that in your User model you have only defined rules for the fields uname, email, fname and lname. So, these are the fields that are going to be used in massive assignment. I don't know if you have already read how the model rules and massive assignment work, but if not I would suggest you read up on these subjects.

Well, when you try to change the field User[lname] to User[test] through the tampering technique, nothing happens, because, as I said before, you have no model rules for this field, so when your application does the massive assignment

...
$model->attributes=$_POST["User"];
...

if there is no rule for the field User[test], nothing will be assigned. That's why the model rules are so important.

The second situation works because you have rules defined for these fields, so the tampering is 'allowed' in this case.
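To make the reply concrete, here is an added example (not the poster's code and not Yii's own) of a Yii 1.1 User model and update action that reproduce the behaviour described above: massive assignment via $model->attributes only copies attributes that appear in a validation rule for the current scenario, so a renamed User[test] field is dropped while a renamed User[fname]/User[lname] pair is accepted. The table name, the account/view redirect route and the use of Yii::app()->user->id to locate the record are assumptions.

```php
<?php
// Added example, not code from the original post. Targets Yii 1.1 (CActiveRecord/CController).
// Assumes a `user` table with columns id, uname, email, fname, lname and test, and that the
// logged-in user edits their own record via Yii::app()->user->id.
class User extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'user'; // assumed table name
    }

    // Only attributes named in a rule for the current scenario are "safe" for
    // massive assignment. `test` appears in no rule, so $model->attributes = $_POST['User']
    // silently skips $_POST['User']['test'] even if a tampered form submits it.
    public function rules()
    {
        return array(
            array('uname, email, fname, lname', 'required'),
            array('uname', 'length', 'max' => 100),
            array('email', 'email'),
            array('email', 'length', 'max' => 255),
            array('fname, lname', 'length', 'max' => 155),
            // To let a form set `test` on purpose, give it a rule, e.g. array('test', 'safe'),
            // or limit that to one scenario with 'on' => 'admin' so the public form cannot use it.
        );
    }
}

class AccountController extends CController
{
    public function actionUpdate()
    {
        $model = User::model()->findByPk(Yii::app()->user->id);
        if ($model === null) {
            throw new CHttpException(404, 'User not found.');
        }

        if (isset($_POST['User'])) {
            // Equivalent to $model->setAttributes($_POST['User'], true): safe attributes only.
            // Renaming User[lname] to User[test] in the browser has no effect here; renaming
            // User[lname] to User[fname] does, because both names are covered by rules.
            $model->attributes = $_POST['User'];

            // Unsafe alternative (do NOT use with raw request data):
            //   $model->setAttributes($_POST['User'], false);
            // With $safeOnly = false every attribute present in the POST is copied, including
            // `test`, which is exactly the tampering the rules otherwise prevent.

            if ($model->save()) {
                $this->redirect(array('account/view')); // assumed route
            }
        }

        // Self-check while developing: list the names this scenario will accept from a form.
        Yii::log('Safe attributes: ' . implode(', ', $model->getSafeAttributeNames()), 'trace');

        $this->render('update', array('model' => $model));
    }
}
```

The practical check is $model->getSafeAttributeNames(): anything a request can set by name must appear in that list for the scenario in use, and anything it must not set (a role or flag column, for instance) must not, either by having no rule or by a rule restricted with 'on' to a scenario the public form never runs in.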