Split your complicated PHP task into multiple steps in a secure way

Author: Ben  |  Category: Web Design

As the demand for web applications increases, many web applications are getting more complicated. So it is time to split a long task into multiple steps, which greatly improves usability.

However, with security in mind, how can we stop people from using JavaScript or URL manipulation to skip steps?

Today, I am going to share my experience with you.

The simplest way to keep track of which step the user is on is to use a hidden field in the form, such as:

<input type='hidden' name='current_step' value='1'/> <!-- the user is on step one -->

However, the above method has a big security issue. The user can use JavaScript (or simply edit the page) to change the hidden field to another number and skip the current step.

Let's move the tracking variable to the server, and don't use any local hidden field.

So, we can use a session variable to keep track of the steps:

$_SESSION['step'] = 1;

With the above method, the user cannot change the session variable. However, there is still a problem. If the user clicks the back button to go back to a previous step, changes the already validated information, and then continues with the current step, the server-side counter no longer matches the page the user is actually on, and the changed data is never re-validated.

So, what is the best way to achieve the goal securely?

Let's try combining the local hidden field and the server-side variable to keep track of the steps.

So let's create a session variable on the server side, such as $_SESSION['step'], and a hidden field in the form such as <input type='hidden' name='cur_step' value='1'/>

Sample code:

<?php
session_start();

$cur_step = 1;

// Step number claimed by the hidden field; default to 1 if it is missing.
$post_cur_step = empty($_POST['cur_step']) ? 1 : (int) $_POST['cur_step'];

/* step logic */
if (!isset($_SESSION['step']) || $post_cur_step < 1) {
    $cur_step = $_SESSION['step'] = 1;              // no session yet (or nonsense value): start at step one
} elseif ($post_cur_step >= $_SESSION['step']) {
    $cur_step = $_SESSION['step'];                   // claimed step is ahead: trust only the session
} else {
    $cur_step = $_SESSION['step'] = $post_cur_step;  // claimed step is earlier (back button): rewind the session
}

Let's explain the code above.

First we read the step number from the form's hidden field via the POST variable.

Then, if it does not exist yet, we create the session variable 'step' and set it to 1, the first step. After that, the hidden field is only ever allowed to move the session backwards, never forwards:

1. If the user modifies the hidden field to skip ahead, the logic ignores the posted value and keeps the user on the step recorded in the session.

2. If the user clicks the back button to return to a previous step, the logic detects it and sets $_SESSION['step'] to that previous step, so the earlier step is validated again.

Now we have fixed the step-skipping problems. But how can we control the steps from the server side, for example when an error is detected later in the session and the user has to be sent back to a previous step?

It is actually easy: we can set $_SESSION['step'] to any previous step number, and the same logic will force the user back to that step.
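As an added example (this is not the original post's code), here is a complete three-step form that puts the step logic above and the server-side rollback together in one handler. The field names (email, zip, agree), the per-step validators, the hidden-field name cur_step and the $_SESSION['form'] key used to hold submitted data are assumptions chosen for illustration.

```php
<?php
// Added example, not the post's own code. Assumed: hypothetical validators per step,
// submitted data kept under $_SESSION['form'], hidden field named cur_step.
declare(strict_types=1);
session_start();

const LAST_STEP = 3;

// Decide which step the user is really on, using the same rules as the post:
// the hidden field may only move the server's counter backwards, never forwards.
function resolve_step(array $post, array &$session): int
{
    $claimed = empty($post['cur_step']) ? 1 : (int) $post['cur_step'];
    if (!isset($session['step']) || $claimed < 1) {
        return $session['step'] = 1;
    }
    if ($claimed >= $session['step']) {
        return $session['step'];            // claimed step ahead: trust only the session
    }
    return $session['step'] = $claimed;     // back button: rewind the session counter
}

// Hypothetical per-step validators; each returns an error message or null if valid.
function validate_step(int $step, array $post): ?string
{
    switch ($step) {
        case 1:
            return filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) !== false
                ? null : 'Invalid email address.';
        case 2:
            $zip = (string) ($post['zip'] ?? '');
            return (ctype_digit($zip) && strlen($zip) === 5) ? null : 'ZIP must be 5 digits.';
        case 3:
            return isset($post['agree']) ? null : 'You must accept the terms.';
    }
    return 'Unknown step.';
}

// Render the form for one step; the hidden field carries the step number back to us.
function render_step(int $step, ?string $error): string
{
    $fields = [
        1 => '<input type="email" name="email">',
        2 => '<input type="text" name="zip" maxlength="5">',
        3 => '<label><input type="checkbox" name="agree"> I agree to the terms</label>',
    ];
    $html = $error !== null ? '<p class="error">' . htmlspecialchars($error) . '</p>' : '';
    return $html . '<form method="post">'
        . '<input type="hidden" name="cur_step" value="' . $step . '">'
        . $fields[$step] . ' <button type="submit">Next</button></form>';
}

$cur_step = resolve_step($_POST, $_SESSION);
$error = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The POST is always validated against the server's idea of the step, so a
    // submission that tried to skip ahead simply fails validation for this step.
    $error = validate_step($cur_step, $_POST);
    if ($error === null) {
        // Overwrite this step's data so edits made after pressing "back" replace the old values.
        $_SESSION['form'][$cur_step] = array_diff_key($_POST, ['cur_step' => true]);
        if ($cur_step < LAST_STEP) {
            $cur_step = ++$_SESSION['step'];   // advancing the session is the only way forward
        } elseif (!isset($_SESSION['form'][2]['zip'])) {
            // Server-side rollback: a cross-step check failed, so point the session at
            // step 2 and the step logic forces the user back there on the next request.
            $cur_step = $_SESSION['step'] = 2;
            $error = 'Please re-enter your ZIP code.';
        } else {
            // All steps complete: commit $_SESSION['form'] here, then reset the wizard.
            unset($_SESSION['form']);
            $_SESSION['step'] = 1;
            echo 'Done.';
            exit;
        }
    }
}

echo render_step($cur_step, $error);
```

Saved as a single PHP file and served with a session-enabled PHP setup, the script walks through the three steps; posting a cur_step larger than the session's counter re-renders the current step instead of skipping it, and the ZIP check at the end shows how assigning a lower value to $_SESSION['step'] sends the user back.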

This is just one of the many methods, if you find any problems or have a better solution, please post it here, and share with others.

The Last Step of Installing Joomla

Author: LeBokov  |  Category: Tech Support, Web Design

Joomla is one of the most popular content management systems (CMS) today. It is fully featured with a lot of plugins and enhancements, and its setup takes just a few clicks. Because of its popularity, it is getting quite a bit of attention from hackers. If your Joomla site keeps getting hacked, fixed, and hacked again the next day, then you may have forgotten the last step of installing Joomla.

Htaccess.txt

When you upload the Joomla files to your web server, there should be a htaccess.txt file included in the root directory. If you open this file in a text editor, you will see that it contains rewrite rules that block some common exploits. However, leaving the file named htaccess.txt does not put it into effect. To put it into effect, rename the file to ".htaccess" (without the quotes). Note the period at the beginning of the filename: it marks the file as hidden. You should also make sure that the file is read-only.

After you have completed this last step of the Joomla installation, your website should be more secure and less likely to be a target for hackers.