Form tampering in symfony2

by kmak » Wed Jun 27, 2012 11:01 am

I have searched and have found nothing of the like.

Validation is good.
But I would like something extra.
I would like to be able, when I create a form, to make some of my hidden fields 'untamperable'.

I imagine something like the CSRF token technique, but meant for the hidden fields I want, e.g. something like a digest of the field values and a secret key known only server-side.

So if a malicious user tampers with the form and submits it,
I will immediately know that the hidden fields have been tampered with, e.g. he tried to set a different owner_id in the form of a car object.

I hate to try and save such temporary values in the session (to prevent tampering), or try and validate this value with more SQL queries to the database.

I have noticed that in symfony2 all my forms have the same CSRF token, so they probably don't also do tampering checking with it.

I'll be looking forward to an answer.

Again, forgive me if something like this exists already, but I haven't found it.

Thank you in advance.
kmak

Re: Form tampering in symfony2

by kmak » Fri Jul 06, 2012 9:10 am

After some more thinking on the matter, this 'form tampering' feature should be available for all form fields that shouldn't be changeable.
So it should be available for hidden fields and also fields that are readonly. E.g. I could put on my form a text field just for informing the user of a value, but I don't want him to change it.

To further support this feature request, let me say why I consider it helpful.
Let's say you have a wizard-like procedure of many steps. I have a form in every step.
In the first step the user selects some values, fills in some inputs. He submits the form, it gets validated, and then, according to his choices, he is redirected to another page with the step 2 form (which may be different according to his choices). There, in the second form, I want to have the hidden values of the first form. I don't want to have to revalidate these hidden values in the second form's submit (just to make sure someone didn't mess with them). So on and so forth in the 3rd step etc.

To sum it up, if such a feature comes to be, it should allow the user to make some of his hidden or readonly fields untamperable.

Thank you.
kmak
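The digest-plus-server-secret idea described in the posts above, as an added example in plain PHP (not part of the original thread and not Symfony's own code). The secret, the `_sig` field name, the context string and the `owner_id`/`car_id` fields are assumptions made for illustration.

```php
<?php
// Added example: HMAC-SHA256 over the protected field values, keyed with a server-side secret.
const SECRET = 'constructed-demo-secret-load-the-real-one-from-config'; // assumption

// Build one unambiguous string from the context and the protected fields.
function canonicalize(string $context, array $protected): string
{
    ksort($protected);                               // field order must not matter
    $protected = array_map('strval', $protected);    // 42 and "42" must sign identically
    return json_encode([$context, $protected], JSON_THROW_ON_ERROR);
}

// Called when rendering the form; emit the result as a hidden "_sig" field.
function signFields(string $context, array $protected, string $secret): string
{
    return hash_hmac('sha256', canonicalize($context, $protected), $secret);
}

// Called on submit. $protectedNames comes from server code, never from the request.
function verifyFields(string $context, array $submitted, array $protectedNames, string $secret): bool
{
    $tag = $submitted['_sig'] ?? '';
    if (!is_string($tag)) {
        return false;
    }
    $protected = [];
    foreach ($protectedNames as $name) {
        // A missing or array-valued field counts as tampering.
        if (!isset($submitted[$name]) || !is_string($submitted[$name])) {
            return false;
        }
        $protected[$name] = $submitted[$name];
    }
    // hash_equals compares in constant time, so the tag cannot be guessed byte by byte.
    return hash_equals(signFields($context, $protected, $secret), $tag);
}

// Constructed sample: a car form for user 17, step 2 of a wizard.
$context = 'car_edit:step2:user17';                  // binds the tag to one form and one user
$names   = ['owner_id', 'car_id'];
$sig     = signFields($context, ['owner_id' => 42, 'car_id' => 1001], SECRET);

$honest   = ['owner_id' => '42', 'car_id' => '1001', 'color' => 'red', '_sig' => $sig];
$tampered = ['owner_id' => '7',  'car_id' => '1001', 'color' => 'red', '_sig' => $sig];

var_dump(verifyFields($context, $honest, $names, SECRET));
var_dump(verifyFields($context, $tampered, $names, SECRET));
var_dump(verifyFields('car_edit:step2:user99', $honest, $names, SECRET));
```

The tag proves only that the server issued these exact values for this context; a user can still resubmit an older set of values and tag they legitimately received for the same context, so put an expiry time or a step nonce among the signed values if stale values matter.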