  1. #1
    SitePoint Wizard (member since May 2002, 1,370 posts)

    form security - relying on validations alone

    Realizing there are holes in security techniques, and with the fact that I have only one or two simple comment forms to make, was wondering if I could get some feedback on the idea of doing form validations only.

    There's only (3) fields:

    name: letter chars only
    email: underscore, hyphens, numbers and letters, @, a period
    comments: since it is a finance site, the only special characters to be echoed back -- $ and % -- will undergo str_replace. No link posting allowed, so relevant chars here will be disallowed.

    Preventing the '$' associated with injection techniques and eliminating the input of hyperlinks (and html formatting) -- won't this take care of most security & spam concerns?

    (ip address and date collected by hidden input)

    Even with sessions: users having cookies turned off would be out of the loop [unless something more could be done with sessions?]. And the Captcha technique can be sought into and even discourage users from inputting data in the first place.

  2. #2
    SitePoint Enthusiast (USA; member since Jul 2007, 53 posts)
    Quote, originally posted by datadriven:
    "I have only one or two simple comment forms to make, was wondering if I could get some feedback on the idea of doing form validations only."
    Add to your validation routines the number of characters allowed. For example you should limit the length of the email field. Is 255 chars enough? If you do not set any restrictions then you could be vulnerable to buffer overflow attacks.

    Another idea is to outsource your form to a third party that will handle all of the input validation and preventing certain hacking techniques. I don't know what platform you are running for your website (i.e., Wordpress) but you might be able to limit comment spam with certain plugins and web application firewalls like Apache mod_security.

    Even with all of this in place you won't be able to stop all spam. Your best bet is to moderate and approve the comments. Otherwise you will get plenty of entries that meet your specs and rules, but when you read through it, you'll find the comments are spelling out website addresses, or just filling up your page with nonsense text. It seems to happen a lot, so that's why I recommend moderators in addition to everything else you put into place. Good luck and let us know what happens.
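    The whitelist rules from the first post, with the length limits suggested in this reply, written out as an added PHP example (this is not code from either poster). The maximum lengths, the regular expressions, the characters treated as "link" markers, and the strings that replace $ and % are all assumptions made for the example.

```php
<?php
// Added example, not from the thread: whitelist validation for the three
// comment-form fields, plus length limits. Limits and replacement strings
// are assumptions.
declare(strict_types=1);

const MAX_NAME    = 60;    // assumed
const MAX_EMAIL   = 255;   // the figure floated in reply #2
const MAX_COMMENT = 2000;  // assumed

/**
 * Returns a list of error messages (empty when the submission is acceptable)
 * and fills $clean with the values that may be stored.
 */
function validateCommentForm(array $post, array &$clean): array
{
    $errors = [];
    $clean  = [];

    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $comment = trim((string) ($post['comments'] ?? ''));

    // name: letters only, as the first post specifies, and bounded in length
    if ($name === '' || strlen($name) > MAX_NAME || !preg_match('/^[A-Za-z]+$/', $name)) {
        $errors[] = 'name must be 1-' . MAX_NAME . ' letters';
    }

    // email: only letters, digits, underscore, hyphen, period and one @,
    // with text on both sides of the @ and a dotted domain
    $emailPattern = '/^[A-Za-z0-9_\-]+(\.[A-Za-z0-9_\-]+)*@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$/';
    if (strlen($email) > MAX_EMAIL || !preg_match($emailPattern, $email)) {
        $errors[] = 'email is not in an acceptable form';
    }

    // comments: bounded length, and reject anything that looks like markup or a link
    if ($comment === '' || strlen($comment) > MAX_COMMENT) {
        $errors[] = 'comment must be 1-' . MAX_COMMENT . ' characters';
    } elseif (preg_match('#<|>|https?://|www\.#i', $comment)) {
        $errors[] = 'links and HTML are not allowed';
    }

    if ($errors === []) {
        $clean['name']  = $name;
        $clean['email'] = $email;
        // $ and % are the only special characters echoed back; swap them for
        // HTML entities (assumed replacement) so they render literally
        $clean['comments'] = str_replace(['$', '%'], ['&#36;', '&#37;'], $comment);
    }
    return $errors;
}

// Constructed sample submission for a quick run
$sample = [
    'name'     => 'Alice',
    'email'    => 'alice_smith@example.com',
    'comments' => 'Fees rose 3% to $120 this quarter.',
];
$clean  = [];
$errors = validateCommentForm($sample, $clean);
var_dump($errors, $clean);
```

    When the stored comment is echoed back it should still pass through htmlspecialchars(), and the database write should use a prepared statement: stripping "$" from input does nothing for SQL injection, since the query parameters, not the character set of the input, are what keep data and query separate.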

  3. #3
    Mittineague, Programming Team (West Springfield, Massachusetts; member since Jul 2005, 17,270 posts)
    I moderate all my blog's comments. It's amazing how often I get a legit-looking comment with no links, but the visitor's name is something like "Cheap Viagra" or "SEO Services" with "their" website being linked to the name, of course. The SPAM filters are great for screening out the vast majority of the SPAM, but some of the SEO-kiddies are a wee bit more clever than the others.

  4. #4
    SitePoint Enthusiast (location: in the eyes of a madman; member since Oct 2009, 27 posts)
    If the form is being validated in a separate file, you could set a session hidden input on the form and validate that:
    1. session token is set and the post token is set
    2. the session token === post token
    3. the strlen === 40 or whatever the generated token length is

    Also add hidden inputs that a valid user could not see, and check that they are not filled in.
    @Mittineague
    I love getting comments like "You have researched this topic well, I will recommend this site."
    It looks like we have to start writing scripts to check for vagueness.
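    The three-step session-token check and the unseen-field check from this reply, as an added PHP example (not the poster's own code). The token length of 40 is the figure given in the reply; the field names form_token and website, the use of random_bytes() for generation, and the one-time-use handling are assumptions.

```php
<?php
// Added example, not from the thread: per-form session token plus a
// hidden-field check. Field names and generation method are assumptions.
declare(strict_types=1);
session_start();

const TOKEN_LENGTH = 40; // the length mentioned in reply #4 (40 hex chars)

/** Creates a fresh token, stores it in the session and returns it for the form. */
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(20)); // 20 random bytes -> 40 hex characters
    $_SESSION['form_token'] = $token;
    return $token;
}

/** Emits the two hidden inputs; the second is hidden from people, not from bots. */
function renderHiddenInputs(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $safe . '">'
         . '<div style="display:none"><input type="text" name="website" value=""></div>';
}

/** Steps 1-3 from the reply: both set, equal, and of the expected length. */
function formTokenIsValid(array $session, array $post): bool
{
    // 1. session token and post token are both set
    if (!isset($session['form_token'], $post['form_token'])) {
        return false;
    }
    $sessionToken = $session['form_token'];
    $postToken    = $post['form_token'];
    if (!is_string($sessionToken) || !is_string($postToken)) {
        return false;
    }
    // 3. both have the generated length
    if (strlen($sessionToken) !== TOKEN_LENGTH || strlen($postToken) !== TOKEN_LENGTH) {
        return false;
    }
    // 2. session token === post token, compared in constant time
    return hash_equals($sessionToken, $postToken);
}

/** The invisible field must come back empty; a form-filling bot tends to fill it. */
function hiddenFieldIsEmpty(array $post): bool
{
    return ($post['website'] ?? '') === '';
}

// Handler side (assumed layout): reject before touching the comment at all.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!formTokenIsValid($_SESSION, $_POST) || !hiddenFieldIsEmpty($_POST)) {
        http_response_code(400);
        exit('Form rejected.');
    }
    unset($_SESSION['form_token']); // one-time use: a replayed token fails step 1
    // ... validate and store the comment fields here ...
}
```

    The token only works when the browser returns the session cookie, which is the trade-off the first post raises: visitors with cookies disabled will fail step 1 every time, so the form page should say so rather than fail silently.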
