John Davidson

javascript - What can be changed by user on web? (eg. $_SESSION, JS code)

Message:


I would like to know what can and what cannot be changed by the user in web development.
Mainly whether users can change variables in $_SESSION.
But it would be nice to know if some techniques that seem secure are actually not.
Another example would be a user changing code in JS classes, etc.


I am sorry if this question seems too trivial to someone. Studied Web Development for 2 years and would like to learn something new.


Here is an example of code where I am not sure if the user can change his $_SESSION['group']:


    public function login() {
        if (isset($_POST['login_submit'])) {
            if (isset($_POST['username']) and isset($_POST['password'])) {
                // Fetching user data
                $stmt = $this->conn->prepare('SELECT Password FROM TB_Users WHERE Username = ?');
                $stmt->execute([$_POST['username']]);
                $user = $stmt->fetch();
                //-----------------------
                // Password Verification (fetch() returns false when no such user exists)
                if ($user && password_verify($_POST['password'], $user['Password'])) {
                    //-----------------------
                    // Fetching Group of user so it can be used later to fetch Permissions
                    $stmt = $this->conn->prepare('SELECT TB_userGroups_ID FROM TB_Users WHERE Username = ?');
                    $stmt->execute([$_POST['username']]);
                    $UserGroup = $stmt->fetch();
                    $_SESSION['group'] = $UserGroup['TB_userGroups_ID'];
                    //-----------------------
                    // Sending user back from Login page to Main/Index page
                    header("Location: ../index.php");
                    exit();
                    //-----------------------
                }
            }
        }
    }

Many thanks for any help or redirection to sources.



My Answer:
In web development, there are certain things that can be changed by the user and certain things that cannot be changed. Here are some examples:

1. $_SESSION variables: $_SESSION variables are stored on the server-side and are typically used to store user-specific information. Users cannot directly change these variables as they are stored on the server.

2. JavaScript code: Users can view and modify JavaScript code that is executed on the client-side. This includes changing variables, manipulating the DOM, and altering the behavior of the website.

3. HTML and CSS: Users can view and modify the HTML and CSS of a webpage using browser developer tools. This allows them to change the layout, styling, and content of the webpage.

4. Cookies: Users can view and modify cookies that are stored on their browser. Cookies are often used to store session information and user preferences.

5. Client-side validation: Users can bypass client-side validation checks that are performed using JavaScript. It is important to always perform server-side validation to ensure data integrity.

In the example code you provided, the $_SESSION['group'] variable is stored on the server-side and cannot be directly changed by the user. However, it is important to validate user input and perform server-side validation to prevent security vulnerabilities such as SQL injection and cross-site scripting (XSS) attacks.
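
Added example (not part of the original question or answer): a small model of the trust boundary described above, where the group comes only from server-side session data and user-editable cookies or form fields are ignored. The `$sessionStore` array, the session ids, the group ids and the helper names `resolveGroup` and `canAccessAdmin` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed model of server-side session storage: session id => session data.
// In real PHP this data lives on the server; the browser holds only the id cookie.
$sessionStore = [
    'a3f1c0de' => ['group' => 2], // ordinary user, as login() would store it
];

// Hypothetical helper: derive the caller's group from server-side state only.
function resolveGroup(array $cookies, array $post, array $store): ?int
{
    $sid = $cookies['PHPSESSID'] ?? '';
    if (!is_string($sid) || !isset($store[$sid]['group'])) {
        return null; // missing or unknown session id: treat as not logged in
    }
    // $cookies['group'] and $post['group'] are user-editable and are never read.
    return (int) $store[$sid]['group'];
}

// Assumption for this example: group id 1 is the administrator group.
function canAccessAdmin(?int $group): bool
{
    return $group === 1;
}

// Constructed requests: [cookies sent by the browser, POST fields].
$requests = [
    'honest request'          => [['PHPSESSID' => 'a3f1c0de'], []],
    'edited cookie and field' => [['PHPSESSID' => 'a3f1c0de', 'group' => '1'], ['group' => '1']],
    'unknown session id'      => [['PHPSESSID' => 'deadbeef', 'group' => '1'], []],
];

foreach ($requests as $label => [$cookies, $post]) {
    $group = resolveGroup($cookies, $post, $sessionStore);
    printf(
        "%-26s group=%-5s admin=%s\n",
        $label,
        var_export($group, true),
        canAccessAdmin($group) ? 'yes' : 'no'
    );
}
```

None of the three requests is granted admin access, because the decision never depends on a value the browser can edit. The session id cookie is the one client-held value that matters, so it is worth calling `session_regenerate_id(true)` right after a successful `password_verify()`.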
