Prevent URL hacking by adding a Secret field

Est. Reading: 2 minutes
By: jamesbayley
Created: 09/14/2018
Difficulty: Advanced

Prevent URL hacking by adding a Secret field

×Warning: This tutorial was created 2280 days ago. Some of the information may be out of date with more recent versions of Formidable. Please proceed with caution and always perform a backup before adding custom code.
Make your form update-able in the front end

You need to update the form's Settings to make your form update-able by "logged-in users" in the front end.

Add a Secret Field to your form

Create a field in the form called Secret and in the Dynamic Values section check "Calculate the default value for this field" and paste in this code. It will generate a random 10 digit number.

Math.random() * (1e10-1- 1e9) + 1e9;

https://stackoverflow.com/questions/1527803/generating-random-whole-numbers-in-javascript-in-a-specific-range.

Create the update-entry page

This page will be secured using a view. We will call it /update-entry/. Leave the page contents blank for now.

Create a view or email targeting the update-entry page

You now now need to create a view or email which has a link of the form.

/update-entry/?action=edit&entry=[id]&secret=[x]

where id is the entry_id of the record (entry) you want to edit and the secret is the secret you added to the record when it was created.

Create a view to check the URL parameters

Choose an "all entries" type of view. In the Content area put the shortcode for the form to be edited. In the filter area filter

Entry Id "equal to" [get param=entry default=0] and
secret "equal to" [get param=secret default=0]

It is a feature/bug of Formidable that any value is equal to NULL. Therefore we need to set the default of the param Secret to zero if it has been removed by the user.

Add this view to the update page

You now add this view to the page /update-entry.

How it works

When a user clicks your secure link they are taken to the update-entry page. This then loads the view. The tries to select all the entries in the form but only the one that matches the entry_id and secret is returned. When this match happens the view renders the form because you put its shortcode in the content area. The form is editable because of the edit action in the URL.

Leave a Reply

Making the Best WordPress Plugin even better - Together

Take on bigger projects with confidence knowing you have access to an entire community of Formidable Experts and Professionals who have your back when the going gets tough. You got this!
Join the community
crosschevron-leftchevron-rightarrow-right