  1. #1  Rima_dhk (SitePoint Enthusiast, Bangladesh; joined Oct 2010)

    Question: Help about form security

    Hello,

    I have a form with some input fields, which I mention below. I have validated the form fields using jQuery validation and also PHP validation. There are some add-ons for the Firefox and Chrome browsers (web development tools) with which we can execute some tasks on any website's form fields. For example, if I make a field readonly, then using the "Make form fields writable" option of the Firefox web development tools I can remove the readonly property and type anything in that field. That's why I use the preg_match() function to validate my required fields.

    Also I have added a captcha to prevent machine entries. But although I ensure PHP validation, now I am wondering to see that I still get vulnerable entries. How is it possible? Is there any other way to prevent the type of entry I mentioned below? Please give me any idea if anyone has one....

    Form field:

    ID, Start Date, End Date, Last Name, First Name, Phone, Remarks

    I declare in the preg_match() function:

    ID must be numeric
    Start date and end date with slash separator
    Last Name and First Name must be characters
    Phone must be numeric
    Remarks must be characters, but it does not support any special characters

    But this is strange: I can see that still anyone can post this type of data

    Code:
    Start Date: ???? ?
    Start Time:
    End Date: ???? ?
    End Time:
    Last Name: ???? ?
    First Name: ???? ?
    Phone: ???? ?
    Email: test@gmail.com
    Remarks: <a href=\"http://test.jp/\">MBT ???? ???</a> ?????? <a href=\"http://testjp/\" >???? ?</a> ???? ?

    How is this possible? I need a solution to prevent this type of entry.

    Thanks,
    Rima.
    Last edited by ralph.m; Nov 25, 2013 at 22:56. Reason: fixed dodgy formatting and obfuscated URLs

  2. #2  ralph.m (Melbourne, AU; joined Mar 2009)
    Quote Originally Posted by Rima_dhk:
    But this is strange i can see still anyone can post such type of data.
    We'd have to see what was in your preg_match expressions to be able to comment on what's wrong with them.

  3. #3  Rima_dhk (SitePoint Enthusiast, Bangladesh)
    Sure...

    Please see this part of the code snippet. Please check only whether my preg_match() function declaration is correct or not.

    PHP Code:
        if(preg_match("/^[0-9 -]+$/", $_POST['Phone']) === 0)
        {
            $msg = '<p class="errText">Please type phone number properly</p>';
            header("location:T.php?msg=$msg");
        }
        elseif(preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $_POST['Email']) === 0)
        {
            $msg = '<p class="errText">Please type email in correct format</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[A-Za-z -]+$/", $_POST['First_Name']) === 0)
        {
            $msg = '<p class="errText">Please type your first name properly</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[A-Za-z -]+$/", $_POST['Last_Name']) === 0)
        {
            $msg = '<p class="errText">Please type your last name properly</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$/", $_POST['Start_Date']) === 0)
        {
            $msg = '<p class="errText">Start Date must comply with this mask: MM/DD/YYYY</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$/", $_POST['Start_Date']) === 0)
        {
            $msg = '<p class="errText">End date must comply with this mask: MM/DD/YYYY</p>';
            header("location:Test.php?msg=$msg");
        }
        // Required Field
        // ........ Some code here
        // ........

    PHP Code:
        // Remarks is not required field
        if(preg_match("/^[a-zA-Z0-9 -,]+$/", $_POST['Remarks']) === 0)
        {
            $remarks = '';
        }
        else
        {
            $remarks = $_POST['Remarks'];
        }
    Last edited by cpradio; Nov 26, 2013 at 13:57.

  4. #4  dklynn (Certified Ethical Hacker; Auckland; joined Feb 2002)
    Rima,

    Please use the [code]...[/code] wrapper rather than the PHP one!

    Quote Originally Posted by Rima_dhk:
    Sure...

    Please see this part of the code snippet. Please check only whether my preg_match() function declaration is correct or not.

    PHP Code:
        if(preg_match("/^[0-9 -]+$/", $_POST['Phone']) === 0)

    I believe that the space must be escaped, i.e., '[0-9\ -]+'.

        {
            $msg = '<p class="errText">Please type phone number properly</p>';
            header("location:T.php?msg=$msg");
        }
        elseif(preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $_POST['Email']) === 0)

    This requires a dot character in the username and a two or three part TLD (e.g., domain.co.nz) but eliminates second level TLDs like govt (which is used in NZ).

        {
            $msg = '<p class="errText">Please type email in correct format</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[A-Za-z -]+$/", $_POST['First_Name']) === 0)

    Ditto the escaped space.

        {
            $msg = '<p class="errText">Please type your first name properly</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[A-Za-z -]+$/", $_POST['Last_Name']) === 0)

    Again.

        {
            $msg = '<p class="errText">Please type your last name properly</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$/", $_POST['Start_Date']) === 0)

    If you specify MM/DD/YYYY then change {1,2} to {2} in both places.

        {
            $msg = '<p class="errText">Start Date must comply with this mask: MM/DD/YYYY</p>';
            header("location:Test.php?msg=$msg");
        }
        elseif(preg_match("/^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$/", $_POST['Start_Date']) === 0)

    Another Start_date???

        {
            $msg = '<p class="errText">End date must comply with this mask: MM/DD/YYYY</p>';
            header("location:Test.php?msg=$msg");
        }
        // Required Field
        // ........ Some code here
        // ........

    PHP Code:
        // Remarks is not required field
        if(preg_match("/^[a-zA-Z0-9 -,]+$/", $_POST['Remarks']) === 0)
        {
            $remarks = '';
        }
        else
        {
            $remarks = $_POST['Remarks'];
        }
    The thing I'm most concerned with in your code, though, is its placement BECAUSE any output to the server (<html ... etc.) will prevent the header() function from working.

    Additionally, I go about this a bit differently as I use the same page for my action and
    1. Output the masthead, nav, etc., first (prepare the page)
    3. Test whether the form has been submitted (isset($_POST['submit']))
    3. Test each $_POST array entry with isset then assign to a local variable (which will be used for my tests then entry into the form if required).
    4. Initialize the $error string variable
    5. Validate each required entry as you have done except that an error adds info to the $error string (as you have done with a single output but accumulating the error lines)
    6. Test if the $error string has been changed from the initial value (errors detected)
    7. If no errors, enter data into the database, send mail as required and output a successful submission message ELSE output the $error string AND output the form with the submitted values (for ease of correction for resubmission)
    8. Output the footer and close the page


    This is simply a difference in technique (outputting all detected errors if any were found rather than rewriting the page for each error) but it eliminates all those elseif statements and provides a variable which I use to determine the path through the form processing (with successful input) or tell the visitor about each and every error and rewrite the values input.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
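An added example, not code from the thread or from any of the posters. It rewrites the checks from post #3 in the accumulate-errors style dklynn outlines (steps 4 to 7) and demonstrates, on constructed input, three things the posted code does that let bad data through: the unescaped slashes inside the "/.../" date pattern make preg_match() return false rather than 0 (so "=== 0" never rejects anything), the " -," sequence in the Remarks character class is a range rather than three literals, and header("location:...") without exit does not stop the script. The $_POST keys are the ones from post #3; the sample submissions and the helper names (validate_form, render_errors, redirect_and_stop) are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. It rewrites the checks from post #3
// in the accumulate-errors style dklynn outlines (steps 4-7) and shows three
// ways the posted code lets bad data through. Field names are the $_POST keys
// from post #3; the two sample submissions at the bottom are constructed.
declare(strict_types=1);

/** Validate a submission; returns a list of error strings (empty = clean). */
function validate_form(array $post): array
{
    $errors = [];
    // Read each field with a default so a missing key is an error, not a notice.
    $f = fn(string $key): string => trim((string)($post[$key] ?? ''));

    // Phone: digits, spaces, hyphens. A literal space inside [...] needs no escaping.
    if (!preg_match('/^[0-9 -]+$/', $f('Phone'))) {
        $errors[] = 'Please type phone number properly';
    }
    // Email: use PHP's validator instead of a hand-written pattern that fixes
    // the TLD length at 2-3 letters.
    if (filter_var($f('Email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please type email in correct format';
    }
    foreach (['First_Name' => 'first name', 'Last_Name' => 'last name'] as $key => $label) {
        if (!preg_match('/^[A-Za-z -]+$/', $f($key))) {
            $errors[] = "Please type your $label properly";
        }
    }
    // Dates, MM/DD/YYYY. "#" delimiters avoid escaping the slashes, and
    // checkdate() rejects values such as 13/45/2013 that the mask alone accepts.
    foreach (['Start_Date' => 'Start date', 'End_Date' => 'End date'] as $key => $label) {
        if (!preg_match('#^(\d{2})/(\d{2})/(\d{4})$#', $f($key), $m)
            || !checkdate((int)$m[1], (int)$m[2], (int)$m[3])) {
            $errors[] = "$label must comply with this mask: MM/DD/YYYY";
        }
    }
    // Remarks (optional). The hyphen is escaped here: in the posted class
    // "[a-zA-Z0-9 -,]" the sequence " -," is a RANGE from 0x20 to 0x2C, so it
    // also admits ! " # $ % & ' ( ) * +.
    $remarks = $f('Remarks');
    if ($remarks !== '' && !preg_match('/^[A-Za-z0-9 \-,.]+$/', $remarks)) {
        $errors[] = 'Remarks may contain only letters, digits, spaces, hyphens, commas and periods';
    }
    return $errors;
}

/** Render errors for the page. Encode on output instead of shipping markup via ?msg=. */
function render_errors(array $errors): string
{
    $items = array_map(
        fn(string $e): string => '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>',
        $errors
    );
    return '<ul class="errText">' . implode('', $items) . '</ul>';
}

/** A redirect must be followed by exit, or the rest of the script (the INSERT) still runs. */
function redirect_and_stop(string $url): void
{
    header('Location: ' . $url);
    exit;
}

// --- Why the posted checks pass bad input -----------------------------------
// 1. The posted date pattern has unescaped "/" inside "/.../" delimiters, so
//    preg_match() emits "Unknown modifier" and returns false. The test
//    "=== 0" is then false for EVERY input, and the error branch never runs.
$posted_date_pattern = "/^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$/";
var_dump(@preg_match($posted_date_pattern, '11/25/2013'));         // bool(false)
var_dump(@preg_match($posted_date_pattern, '<b>junk</b>') === 0);  // bool(false): not rejected
// 2. The posted Remarks class accepts punctuation the poster meant to exclude.
var_dump(preg_match('/^[a-zA-Z0-9 -,]+$/', 'buy now!!! $$$ ***'));  // int(1): accepted

// --- Constructed sample submissions (not real data) -------------------------
$clean = [
    'Phone' => '01711-123456', 'Email' => 'rima@example.com',
    'First_Name' => 'Rima', 'Last_Name' => 'Dhk',
    'Start_Date' => '11/25/2013', 'End_Date' => '11/30/2013',
    'Remarks' => 'Please call after 10am, thanks.',
];
$spam = $clean;
$spam['Start_Date'] = '13/45/2013';
$spam['Remarks']    = '<a href="http://test.jp/">MBT</a> cheap shoes';

foreach (['clean' => $clean, 'spam' => $spam] as $name => $post) {
    $errors = validate_form($post);
    echo $name, ': ', $errors === [] ? 'accepted' : "rejected\n" . render_errors($errors), "\n";
}
```

Run it from the command line with `php validate.php`: the clean submission is accepted and the spam one is rejected with two errors (the impossible date and the markup in Remarks). Because validate_form() returns a list instead of redirecting on the first failure, the caller can follow dklynn's flow: insert into the database only when the list is empty, otherwise redisplay the form with every error and the submitted values. Whatever the page does with the result, the error text is encoded with htmlspecialchars() at the point of output, and any redirect is followed by exit so that no code after it runs.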

