What is a secure way or best practice to disable an html link or button based on php conditions?-CodePudding

Originally, the link <a> in a PHP HTML file is clickable. Now I need to add PHP "if-else" to make <a> is not clickable based on some condition. How can I achieve this in a secure way?

<? if (condition) : ?> 
   <a> is clickable (
       by using this.container.on('click', '.class-point-to-a-link', function (e) {
                        e.preventDefault();
                        e.stopPropagation();
    )
<? else: ?>
   probably using <span> or disable the link using css?
<? endif; ?>

I have several thoughts but not sure what is the best practice or how you guys would do it.

in the else branch, I will not use the <a> tag, instead, I will use a <span> or some other tag, so the javascript on("click"...) will not find the span and will not trigger the action at all. But I have a security concern that someone may inspect and change the span to <a>, then the link will work.
add some CSS to the <a> to make it not clickable? I have the same security concern.
inside the on("click"...) part, I will add the condition one more time based on the data from the backend. This is the best method that I can think of, but is there a better way to not apply the "if-else condition" twice?

This is a question with several small questions.

CodePudding user response：

You can add a class to the tag to make it unclickable

Something like:

# php
<a class="<?php if (!$isEnabled) { echo "disabled" } ?>">Link</a>

# css
a.disabled {
  pointer-events: none;
  cursor: default;
}

CodePudding user response：

It is most secure to not output links at all in your PHP code unless you want them to be active; if the link is in the code, but disabled or hidden, it is trivially easy to find it by just viewing the source of the page. Any attacker will typically do this as one of the first tools in their arsenal.

The most concise way to include/remove links inline in PHP is the ternary operator. For instance:

echo ($enabled ? '<a href="https://example.com/url">' : '') . 'The text that would be inside the link.' . ($enabled ? '</a>' : '');

Or if you don't like the ternary operator, you can do it in longer form with if statements:

if ($enabled) echo '<a href="https://example.com/url">';
echo 'The text that would be inside the link.';
if ($enabled) echo '</a>';

The ternary operator often improves conciseness but it can sometimes hinder readability, although this is a matter of opinion. I use it sparingly for this reason.

Either way you do it, the user not only never sees the link, but the link is nowhere in the source code to the page, unless you want it to be.

If there are any security risks at all associated with people being able to visit that link when you do not want them to, this is the only way I would implement it. It is best to assume that any user with malicious intent will find any relevant URL in the code and type it in manually. Of course, I wouldn't stop at that, for security, because if it possible for the user to see how your site works, i.e. if the link sometimes appears for them and they are able to deduce the logic and structure of your URL scheme, they will also be able to figure out how to form new URL's dynamically, so if there is any URL you don't want certain people to access, I would assume that someone will try to access it and build in safeguards in the script for that URL itself. You might even want to go full-on paranoid (I recommend it! Hackers are smart!) and assume that an attacker will be able to somehow figure out hidden URL's by trial and error or inferring, and always build the security checks into each script.