Prevent URL hacking by adding a Secret field


Make your form update-able in the front end

You need to update the form's Settings to make your form update-able by "logged-in users" in the front end.

Add a Secret Field to your form

Create a field in the form called Secret and in the Dynamic Values section check "Calculate the default value for this field" and paste in this code. It will generate a random 10 digit number.

Math.floor(Math.random() * (1e10 - 1e9)) + 1e9; // Math.floor keeps the result a whole number

See https://stackoverflow.com/questions/1527803/generating-random-whole-numbers-in-javascript-in-a-specific-range.

Create the update-entry page

This page will be secured using a view. We will call it /update-entry/. Leave the page contents blank for now.

Create a view or email targeting the update-entry page

You now need to create a view or email which has a link of the form

/update-entry/?action=edit&entry=[id]&secret=[x]

where id is the entry_id of the record (entry) you want to edit and the secret is the secret you added to the record when it was created.

Create a view to check the URL parameters

Choose an "all entries" type of view. In the Content area put the shortcode for the form to be edited. In the filter area filter

Entry Id "equal to" [get param=entry default=0] and
secret "equal to" [get param=secret default=0]

It is a feature/bug of Formidable that any value is equal to NULL. Therefore we need to set the default of the param Secret to zero if it has been removed by the user.

Add this view to the update page

You now add this view to the page /update-entry.

How it works

When a user clicks your secure link they are taken to the update-entry page. This then loads the view. The view tries to select all the entries in the form but only the one that matches the entry_id and secret is returned. When this match happens the view renders the form because you put its shortcode in the content area. The form is editable because of the edit action in the URL.
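As an added illustration (not code from James's post or from Formidable itself), here is a small JavaScript model of the update-entry view filter described above. It assumes constructed sample entries, a hypothetical getParam helper standing in for [get param=... default=...], and reproduces the "any value is equal to NULL" behaviour so the effect of default=0 can be checked in isolation.

```javascript
// Constructed sample entries standing in for Formidable records (not real data).
const ENTRIES = [
  { id: 396, secret: 4821930571, title: "Alice's record" },
  { id: 413, secret: 7093155842, title: "Bob's record" },
];

// Secret generator from the post, with Math.floor so the value is a whole
// 10-digit number in [1e9, 1e10). Math.random is not a cryptographic RNG;
// the post's formula is kept here as written.
function makeSecret() {
  return Math.floor(Math.random() * (1e10 - 1e9)) + 1e9;
}

// Hypothetical stand-in for [get param=NAME default=DFLT]:
// a missing or empty query parameter becomes the default value.
function getParam(query, name, dflt) {
  const v = new URLSearchParams(query).get(name);
  return v === null || v === "" ? dflt : v;
}

// Models the behaviour the post describes: a filter whose value is NULL
// matches every entry instead of none.
function filterEquals(entries, field, value) {
  if (value === null || value === undefined) return entries; // "any value is equal to NULL"
  return entries.filter((e) => String(e[field]) === String(value));
}

// The view: Entry Id equals [get param=entry default=0]
//       AND secret   equals [get param=secret default=0].
// useDefaults=false shows what happens when the default is left out.
function selectEntry(query, { useDefaults = true } = {}) {
  const dflt = useDefaults ? 0 : null;
  let rows = filterEquals(ENTRIES, "id", getParam(query, "entry", dflt));
  rows = filterEquals(rows, "secret", getParam(query, "secret", dflt));
  return rows.length === 1 ? rows[0] : null;
}
```

With the defaults in place a link that drops the secret parameter selects nothing, so the form is never rendered; without them the missing secret acts as a wildcard.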

Awesome. Thank you for sharing. I think the last step is missing a filter for the secret (matching the secret field with the secret value in the URL).

Yes. Thanks for reporting this issue.  The forum is broken (for me at least) and it has trashed my post and won't let me edit it. I have raised a ticket for it.

Yes, in my case it is the formatting issues. I never got the formatting correct. Also sometimes if I made a change, it never updates the post.

Hi --

The default param is documented, though it sounds like it would be helpful for us to add it more places, since James didn't see it where he expected to see it.

https://formidableforms.com/knowledgebase/using-dynamic-default-values-in-fields/#kb-get-a-parameter-from-the-url

Step 6 here:

https://formidableforms.com/knowledgebase/create-a-view/#kb-show-entry-after-form-submission

https://formidableforms.com/knowledgebase/shortcodes/#kb-default-values

https://formidableforms.com/knowledgebase/filtering-entries/#kb-by-parameter

This is an edit.

A test link: https://formidableforms.com/knowledgebase/frm_filtered_lookup_options/

  • 1
  • 2
  • 3

9/19/2018 first edit of the night

second edit of the night

Hi Everyone, I have a question about this. I'm trying to set up my site so that users can't try to get to some other user's edit page simply by changing the entry ID in the URL. I've got a random string populating in the form, and I've followed the instructions here, but I'm still finding if I enter the 'out of box' Formidable URL like below, it will still take me to edit the entry. I'd like to enforce the secret as part of the URL, and not allow it to go anywhere without it.

https://mysite.com/myform/?frm_action=edit&entry=396

I will switch to using Entry key instead, but still would like to know where I'm going wrong if you can help.

I might be making an error on the filters in the view that links to the page to edit the entries. I've attached a screenshot of the view's filters. For the Secret filter, 1448 is the field ID of the field that contains the secret string.

Thanks!

B.


Hi bizarrb,
The issue is in your filter. The filter should compare the secret value in the entry with the value in the URL.

If your URL is something like this,
https://mysite.com/myform/?frm_action=edit&entry=396&secret=xxxxxxxxxxxx

Then modify the filter for the "Secret" field to [get param=secret default=0], similar to how you did the Entry ID.

Hi Sujeevan, thanks for replying, I really appreciate it...I'm still having trouble. :( I might be looking for something outside the scope of this post, but not sure. I've got the view and all set up. My view was set up to produce results from a search. When I add those filters, no results come up in the search anymore, which makes sense, but not what I want.

What I'm looking to achieve is to prevent a URL that is like this from working to show an entry: https://mysite.com/myform/?frm_action=edit&entry=396

and force that entries can only be viewed by using a link like this, whether they got to it from a view, or enter it directly into their browser: https://mysite.com/myform/?frm_action=edit&entry=396&secret=xxxxxxxxxxxx

I think I'm confused on how the view filters can enforce it. I hope this makes sense.

Or, maybe I'm going about it all wrong. In the end, I want:

1) Users with role Editor to only be able to view/edit the entries they created.
2) Allow Administrators to view/edit all entries from the front end.
3) If a user tries to modify the URL to one that would lead to an entry created by someone else, stop them in their tracks.

B.

Dear bizarrb,

I have updated my instructions above. They are now much more complete and should help you achieve your goal.

James

Hi jamesbayley, Thank you!! I will give this a shot today. Thanks so much for taking the time on this. :)

Hi jamesbayley - It works! :) I can't thank you enough for this tip. :)

Hi James, Just one more thing. I noticed that the 'out of box' link (like below) still works if I use it. When going to an entry from the views I set up under the guidance here, it works great, but if I use a URL that goes to the page where the form is published and users go to initially fill it out, it will still let me view any entry.

Like this:

https://mysite.com/myform/?frm_action=edit&entry=413

Is there any way around this?

Well spotted. I had missed that myself. That is why URL security should be baked into the forms framework not created ad-hoc by developers. Laura to her credit points out (private case) that Formidable does not claim to offer entry-level permissions.

However we can secure the original form by replacing the Form Shortcode with a View containing the Form Shortcode. This new View LockDownMyFormAgainstEditing_View will have an if statement (pseudocode).

if (url.frm_action != "edit") {
    print(form shortcode)
}
else {
    print("Do not hack my URLs")
}
