Data security holes when using the HTML text input element

Written by: hoangnguyen     Created: 11/04/2016     794 views

Sometimes a website holds information that the web admin does not allow users to enter directly; instead, such fields should be filled in only by the web master.

For example, an employee's personal information has a field "no_of_dependants" that only the web master may fill in.

In this situation, the developer disables text entry in the HTML text input by adding the "disabled" attribute.

But whether you are a hacker or even a web developer, a few simple operations are enough to change the data in the "no_of_dependants" field: with "Inspect Element" in the web browser you can re-enable the HTML text input or change the input's "value" attribute.

As you can see in the picture above, we only need to delete the "disabled" attribute of the HTML input or set its "value" attribute to any value, and the changed data will be sent when the form is submitted to the server.

Solutions:

To completely disable text entry in a text element, we can use some JavaScript code to block keyboard input, such as the snippet below:

$(document).ready(function() {
  // Block keyboard entry in every input marked with the class "integer".
  // Note: this only cancels keydown events; pasting, dropping text, or editing
  // the "value" attribute through the browser's developer tools is unaffected.
  $(".integer").keydown(function(event){
    event.preventDefault();
  });
});

In this way, you can prevent hackers/developers from typing data into the field even if they delete the "disabled" attribute of the HTML text input element.

But hackers/developers can still change the data by changing the "value" attribute. So the complete way to prevent this problem is to use an HTML <label> or <span> element instead; these only display the data and cannot be typed into or have their data changed.

The best way to overcome this problem is to validate the data on the client before you submit it and, in addition, to validate and handle the data on the server side.
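The following is an added example (not code from the original post) of the server-side half of that advice: the server keeps an allow-list of fields each role may edit and ignores everything else in the submitted payload, so re-enabling the input or editing its "value" attribute in the browser changes nothing in the stored record. The field "no_of_dependants" comes from the post; the other field names, the role names and the sample record are constructed for illustration. It also validates the value itself, since a field that is editable by the web master can still be sent with garbage.

```javascript
// Added example (not from the original post): server-side handling of a form
// submission in which some fields are display-only for ordinary users.
// Field names other than "no_of_dependants", the role names and the sample
// data are assumptions made for this illustration.

// Which fields each role may change. Anything not listed here is ignored
// regardless of what the browser sends.
const EDITABLE_FIELDS = {
  employee: ["phone", "address"],
  webmaster: ["phone", "address", "no_of_dependants"],
};

// Validate one field value. Returns an error string, or null when valid.
function validateField(name, value) {
  if (name === "no_of_dependants") {
    // Must be an integer 0-99; rejects "3abc", "-1", "2.5", "" and objects.
    if (typeof value !== "string" && typeof value !== "number") {
      return "no_of_dependants has the wrong type";
    }
    const s = String(value).trim();
    if (!/^\d{1,2}$/.test(s)) {
      return "no_of_dependants must be an integer between 0 and 99";
    }
    return null;
  }
  if (typeof value !== "string" || value.length > 200) {
    return `${name} must be a string of at most 200 characters`;
  }
  return null;
}

// Apply a submitted payload to the stored record on behalf of a given role.
// Fields the role may not edit are recorded in `ignored` and never copied;
// invalid values are recorded in `errors` and never copied either.
// Returns { record, ignored, errors } without mutating `stored`.
function applyUpdate(stored, submitted, role) {
  const allowed = EDITABLE_FIELDS[role];
  if (!allowed) throw new Error(`unknown role: ${role}`);
  const record = { ...stored };
  const ignored = [];
  const errors = [];
  for (const [name, value] of Object.entries(submitted)) {
    if (!allowed.includes(name)) {
      ignored.push(name);
      continue;
    }
    const err = validateField(name, value);
    if (err) {
      errors.push(err);
      continue;
    }
    record[name] = name === "no_of_dependants" ? Number(value) : value;
  }
  return { record, ignored, errors };
}

// Constructed sample: the stored record, and a payload in which the client
// changed the display-only field (e.g. by editing the input's value attribute).
const STORED = { id: 42, phone: "0123", address: "Hanoi", no_of_dependants: 1 };
const TAMPERED_PAYLOAD = { phone: "0999", no_of_dependants: "7" };

// Run the same tampered payload as an ordinary employee and as the web master.
function demo() {
  return {
    asEmployee: applyUpdate(STORED, TAMPERED_PAYLOAD, "employee"),
    asWebmaster: applyUpdate(STORED, TAMPERED_PAYLOAD, "webmaster"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

For the employee role the phone change is accepted but "no_of_dependants" stays at its stored value of 1 and is listed under `ignored`; for the web master the same payload sets it to 7. Logging the `ignored` list is also useful on the detection side, because a normal browser never sends a disabled field at all, so its presence in a payload is a sign the form was modified.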

Nguyễn Ngọc Hoàng - Software Engineer
If we cannot do something, it is because we have not yet become acquainted with it.

Keep going and we will also reach the destination.
