Pass important values server-side when processing form

To be honest I think this question is off topic, because its topic is so a general concept that can apply to any language capable to handle web development. So is even broader than a general PHP question.

By the way, what I want to suggest is too much for a comment.

When you need to check data coming from trusted users (assuming you already have a way to check if an user is trusted) is to put in place a system for data integrity check.

A simple example. Assuming you have a form like:

<?php $data = get_my_form_data(); ?>
<form method="post">
    <input type="hidden" name="postid" value="<?= $data['postid'] ?>">
    <input type="text" name="vote" value="<?= $data['vote'] ?>">
    <input type="text" name="username" value="<?= $data['username'] ?>">
<form>

The function that retrieves data is just as a placeholder to make clear data comes from server and then is used to fill form values.

Now let’s see how data integrity can be put in place. It is usually done with an a two-way (reversible) encryption.

<?php
function obfuscate_postid($id) {
  return wp_create_nonce('pre-md5').md5($id.AUTH_SALT).wp_create_nonce('post-md5');
}

$data = get_my_form_data();    
$check = obfuscate_postid($data['postid']);
?>
<form method="post">
    <input type="hidden" name="postid" value="<?= $data['postid'] ?>">
    <input type="text" name="vote" value="<?= $data['vote'] ?>">
    <input type="text" name="username" value="<?= $data['username'] ?>">
    <input type="hidden" name="__ch" value="<?= $check ?>">
<form>

This way in the server-side processing you can check that

$valid = obfuscate_postid($_POST['postid']) === $_POST['__ch'];

If an user change the post id in the form without changing the check string, $valid above is false and you can stop processing the data.

I’ve used a pretty simple 2 way obfuscation, and thanks to fact that nonces are not fixed in time, this is a pretty strong way to secure your data.

I also used nonces to make the answer a bit more WordPress related 😉

It would be a very strong system if nonces would be usable only once, but it is a post voting system, not an online-banking application. And if you want you can also change nonces TTL.

Finally, note how I used a salt to make md5 more secure, because even if md5 is not reversible, result of md5 for sole integers can be easily found (e.g. try this using the string b706835de79a2b4e80506f582af3676a).

Related Posts:

  1. How to stop form resubmission on page refresh
  2. How to correctly submit a search form and display the result in an independent page
  3. add_filter the_content str_replace after shortcode
  4. Metabox repeating fields – radio buttons not saving correctly
  5. How to exclude pages from the search results
  6. How to handle a custom form in wordpress to submit to another page?
  7. Creating a WordPress form with a PHP script and default header
  8. Submitting form via admin-post.php and handling errors
  9. Custom WordPress+PHP+MYSQL+AJAX form, submit event not captured by Javascript, but does POST data to the DB
  10. Passing POST data from one WP post to another
  11. Getting the dropdown menu to redirect to different pages?
  12. Processing a subscription form with POST method?
  13. How to group 2 radio buttons in a widget?
  14. How to create and work with custom data / tables (i.e., for arbitrary data)?
  15. Using Multiple Submit buttons to trigger customised php functions
  16. Get Admin Email Address From External PHP page
  17. Adding Custom Forms
  18. How do I let users upload files to a chosen location?
  19. How to create a form and display its content as table in admin panel?
  20. How can I reuse the code to capture a param in a URL and place in a value in a hidden form?
  21. How to limit the number of forgot password reset attempts in WordPress?
  22. Modify HTML structure of fields in woocommerce checkout form
  23. Ajax call return 404
  24. How to pre populate a form field with a link of a current user’s author profile?
  25. How to get the value of input hidden html from text editor to custom page template?
  26. Show success or error messages in Ajax response to WordPress custom registration form
  27. Styling my own password protected page, how to deal with wrong password?
  28. wp_mail file attachment not being placed in upload folder?
  29. Login to wordpress by clicking a link and specifying usernaname and password in url
  30. Form Security: nonce vs. jQuery
  31. Trying do build a contact form
  32. How to execute html code inside php?
  33. Can a page contain php code?
  34. What is the alternative code to if (isset ($_POST) && !empty ($_POST) to avoid warnings?
  35. How to display success message correctly and delete it when the page is refreshed
  36. Using admin-post.php for admin form but it directs me to admin-post.php white screen
  37. How to add post meta in while loop?
  38. How to set cookies
  39. PHP Contact form
  40. Get wp_current_user_id using PHP and MySQL
  41. Adding Additional Variables on Menus Page
  42. form built dynamically with php, not submitting
  43. PHP- Why is my contact form keep showing it is invalid? [closed]
  44. Simple php in wordpress widget [closed]
  45. Search only working on front page (index) , not working on other pages
  46. form $_post action value gets truncated after it passes through two forms
  47. Adding data to custom wordpress database table
  48. Make a page (url) not cacheable [closed]
  49. Display multi-select box choices in a bullet list [closed]
  50. What should I write in the post action of this front end post form?
  51. Custom forms with HTML
  52. Contact form – problem with displaying message about sent mail
  53. Using Ajax to submit a form, and run a SQL Select query based on user input from the form
  54. WordPress Custom Form – Getting Query Vars, Weird Glitch?
  55. $_POST returning empty values
  56. Trying to update Woocommerce meta values
  57. How to send custom form submissions to WordPress Database?
  58. Custom PHP form needs refresh to load page correctly
  59. Form from within a page
  60. I want to retrieve the email or username data entered for password reset, but failed. how can I do it?
  61. How to change this ajax function to submit to the default wordpress content area instead of the custom field ‘seller notes’?
  62. Confuse between forms and tables
  63. wordpress contact form messages not sending although it saying they were sent successfully with this php code
  64. Using a PHP form, get the page title or any other element in the sent e-mail
  65. form submission reverts to index.php template
  66. custom search query database in child theme
  67. Creating a WordPress addon for ContactForm7 submission (.XML file export)
  68. Using transients to store form notifications
  69. Insert data from form to database
  70. not able to access $_POST on backend profile update
  71. Custom Plugin Develoment, Form Action
  72. wordpress form action page not found
  73. Adding action item to admin users table and sending email
  74. Trouble with checked() for array of multiple checkboxes
  75. Custom HTML form using PHP – help with ajax/username validation
  76. Form direction to .php on localhost
  77. Form not working as it should in WordPress, but in a normal HTML site it does
  78. Ajax call URL 404’ing when pushed to staging server
  79. Update only some custom user fields
  80. Passed variable gets undefined variable error on insert on next page
  81. How to set up an auto delete post?
  82. Dynamic form variables for post meta
  83. Trying to display user meta by “name” – not by “ID”
  84. Headers for Contact Form are wrong
  85. Display default WordPress login/registration form into a modal window
  86. Trouble using wordpress functions in a pop-up modal form
  87. custom contact form no longer working (because of 3.2?)
  88. Correct Syntax for uploading files to custom directory in WordPress
  89. ajax form function error
  90. HOW TO Insert Existing PHP Code to WOrdPress
  91. Send foreach $_post method to contact form 7 [closed]
  92. php inside HTML via shortcode? [closed]
  93. Where to put include php file?
  94. Use HTML Form Data in PHP Function – WordPress Admin Page
  95. Contact form with dynamic dropdown and filter
  96. Redirect loop upon installation of my plugin
  97. Field validation strlen works in php7.4 fails 8.1 [closed]
  98. Embed PHP script into WP – what is the best way
  99. Preventing script injections in HTML form
  100. Can’t insert into a database wordpress