How to prevent Firebug/Inspect Element hacking?

Lord_Yggdrasill

Well I have a script that determines if two species of adoptables can breed or not by checking if they belong to the same category/class. It works out perfectly well until someone brought up an issue with firebug/inspect element hacking. The user can set any values on the script on his/her own will! Because of this, they are able to hack the script to overcome the breeding barrier. I am afraid this problem exists for other scripts/features too on my site. Is there a way to design a PHP script that automatically detects firebug/inspect element usage and redirect the users to a 'Hacking Attempt' if it is used? Please help...

traq

no. (and it's not really "hacking.")

Your visitor can do anything they want with the html/images/etc. that you serve them. It's not a new issue; it has always been possible. It's just the nature of the internet.

if you want to be sure, then you need to validate your user's input before Iacting on it. (This is a good idea anyway.)

Lord_Yggdrasill

umm can you please explain a possible way of validating users input?

awbrowni30

LY,

As an example, review javascript form validation on w3schools.com.

traq

two things:

First, that's javascript - client side validation. It's open to tampering by the user as much as with firebug, etc.
Javascript is great for usability: it makes things more convenient. JS validation warns if they're trying to do something that won't work. But if they're trying to do something "bad," JS is useless to prevent it. That's why I mentioned server-side validation.

Second, w3schools.

You'll need to define the acceptable values and combinations (the exact approach will depend on what values are acceptable and how complex the combinations get), and then check that the user's selections work.

From your OP, it seems you simply have all of the animals categorized. So, your validation might look something like this (oversimplified, of course):

// define categories with acceptable values
$dog_categories = array(
   'small_dogs' => array(
      'terriers'
     ,'chihuahuas'
     ,'toy poodles'
   )
  ,'big_dogs' => array(
      'golden retriever'
     ,'great dane'
     ,'mastiff'
   )
);

// get user input from form
$dog1 = $_POST['dog1'];
$dog2 = $_POST['dog2'];

// #1 SECURITY RULE:
// always assume the user input is wrong!
$same_category = FALSE;

// loop through the categories
foreach($dog_categories as $category){
   // check if _both_ user values are present in the same category
   if(in_array($dog1,$category) && in_array($dog2,$category)){
      // if they are, then the user input is good
      $same_category = TRUE; break;
   }
}
// if the user input was good, continue
if($same_category === TRUE){ print "Good choice."; }
// if not, refuse the user input
else{ print 'quit messing with my form'; }

awbrowni30

traq, my apologies for not thoroughly reading... point taken... i missed that LY mentioned PHP in his initial posting therefore didn't know where LY was actually starting which was the reason for including a short and sweet client-side example. Had I read it properly, I would have known to include a PHP example.

samuelcook

It has been my past experience you that you should always validate client AND server side; Client makes it pretty while Server makes it official

Lord_Yggdrasill

I see, thanks for your reply. Actually the script is much more complicated than that, here is the form submission part:

		if ($num!=0) {
			$article_content .= "<p>Female: <select name='female'>";
			while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
				$article_content .= "<option value='{$row['aid']}'>{$row['name']} ({$row['type']})</option>";
			}
			$article_content .= "</select></p>";
		}
		else {
			$article_content .= "<p>None of your female adoptables can breed at the time.</p>";
		}

	// show all available male adoptables
    $result = runquery("SELECT * FROM {$prefix}owned_adoptables WHERE owner = '{$loggedinname}' AND gender = 'm' AND currentlevel >= {$breedinglevel} AND lastbred <= '{$lastweek}'") ;
    $num = mysql_num_rows($result);
	if ($num!=0) {
		$article_content .= "<p>Male: <select name='male'>";
		while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
			$article_content .= "<option value='{$row['aid']}'>{$row['name']} ({$row['type']})</option>";
		}
		$article_content .= "</select></p>";
	}
	else {
		$article_content .= "<p>None of your male adoptables can breed at the time.</p>";
	}
    $article_content .= "<input type='hidden' name='breed' value='yes'><input type='submit' value='Breed It'></form>";
}

The user input is stored in option tag, and what hackers can do is to use firebug/inspect element to modify the option values stored in it and therefore mess up with the code. Do anyone of you have ideas on how to prevent this from happening?

Lord_Yggdrasill

Oh btw, runquery() is no different from mysql_query with the only difference that it can be used in debug mode. $article_content is the variable used in a template function which displays on the main content block of the page.

dalecosp

You can increase the security of your server-side PHP application significantly using some fairly simple built-in mechanisms. Expecting numeric data? Try [man]is_numeric/man. Text only with no HTML? [man]strip_tags/man is your friend. Going to the RDBMS? For some of them, there are custom escape functions; for example [man]mysql_real_escape_string/man.

It's not trivial to do this, as traq alludes to above; but the tools are there, once you understand what you're protecting yourself from.