Could a Malicious Hacker Alter a Hidden Post Variable?

Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all.

Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all. Web security rule #1: Never trust any user input.

Also stated as "All users are malicious hackers" or some variant thereof. Answer to comment: The solution is to know all of the correct values on the server side, without having to pass them through the client side (Javascript). So regardless of what the form says, you already know the price.

Just use the same value you used to populate the form in the first place.

– Roger Lindsjö Nov 29 at 15:38 9 Ideally, you wouldn't be taking amount as any kind of input. You would take a list of items, and you would calculate the amount in your php script.At the store, you would very rarely see clients fill their shopping carts, and then tell the cashier how much they have to pay. – Frank Nov 29 at 15:42 5 +1 for that web security rule.

Never (completely) trust any input that came from the client, ever. This potentially includes encrypted cookies. All input must be completely checked and validated, every time it is recieved.

Never store anything other than some sort of id/session token client side (which must still be validated). Note that some 'malicious' users may not be doing it deliberately, if their computer is part of a botnet. – X-Zero Nov 29 at 17:05.

Yes, it is very simple to do with browser inspector tools and JavaScript...

Yes, it is possible to change that value using javascript. If you haven't practice in using javascript, you can also do the test using Google Chrome's Developer Tools. Infact this is one of the main reason to don't rely on user input.

Forget javascript and browser tools. Please realize that I can send ANY cookie, POST and GET argument (key and value pairs) I want, regardless of whether this is a form for them. (See cURL) Frank said "At the store, you would very rarely see clients fill their shopping carts, and then tell the cashier how much they have to pay."

Try to think of it like that. The browser (not user) is the client and the server is the cashier. Any information that flows from the browser to the server can be anything I want.

1 Err, the OP is sending over the items price.. not an item number. I think storing the cart on the client side is fine. – user606723 Dec 2 at 21:57.

Yes. It gets worse because they don't even have to alter your page to do it. A user could use any text editor to construct an html page with a form full of text boxes, load it from local disk, fill them with whatever they want and hit submit.

OTOH, that will show up in some header values. Or if they are really determined, that can connect to port 80 on your server via telnet and forge the entire HTTP request including headers. There is not a single byte of the incoming request that you can trust.

That said, there are known solutions to these problems that are generally implemented in terms of hashes, signatures and cryptography, but I don't know enough to suggest where to look for them.

In this case let them change the value if they want to, and let them pay you the $0.01. But then, when you get the Paypal IPN (Instant Payment Notification) it will include the price they paid; check that against your item database to make sure that it's the correct price. If it's not the correct price, do not send/give the item.

You earned $0.01!

Haha. Would that be legal? Taking the law into your own hands?

– Ian Warburton Nov 29 at 20:55 @Ian: What do you mean would that be legal? If I say that I sell pens for $10, and you mail me $1, do you really think I'm legally obliged to mail you a pen even if you paid less? – Andreas Bonini Nov 29 at 21:30 2 Dude; that would be theft.

But if the OP is selling a download he should just send the % of the bytes for which the user has paid for :) – iHaveacomputer Nov 29 at 23:35 5 Best case: You earn $0.01 and pay out a few $k in lawyers fees. – BCS 1 Nov1 at 2:15 2 This post seems to have some merit en.wikipedia. Org/wiki/Instant_payment_notification.

There is a verification step in there, if the numbers don't add up then you would need to reject the transaction or something ... not keep the money. – row1 Nov 30 at 10:35.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.