Form security - relying on validations alone

Realizing there are holes in security techniques, and given that I have only one or two simple comment forms to make, I was wondering if I could get some feedback on the idea of doing form validations only.

There are only three fields:

name: letter chars only
email: underscore, hyphens, numbers and letters, @, a period
comments: since it is a finance site, the only special characters to be echoed back, $ and %, will undergo str_replace. No link posting allowed, so the relevant chars here will be disallowed.

Preventing the ‘$’ associated with injection techniques and eliminating the input of hyperlinks (and HTML formatting): won’t this take care of most security and spam concerns?

(IP address and date collected by hidden input)

Even with sessions, users having cookies turned off would be out of the loop [unless something more could be done with sessions?]. And the CAPTCHA technique can be sought into and even discourage users from inputting data in the first place.
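The whitelist-only approach described in the post above, written out as an added example (this is not the poster's code). It validates the three fields with a character whitelist and a maximum length each, and escapes the comment for display; the regexes, the length limits, the field names and the choice to turn $ and % into HTML entities are all assumptions made for the example, since the post does not specify them.

```php
<?php
// Added example, not the original poster's code. Whitelist validation for the
// three fields described in the post, with a maximum length per field.
// The regexes and limits below are assumptions chosen to match the post.
declare(strict_types=1);

const FIELD_RULES = [
    // field => [whitelist regex, max length in bytes]
    'name'     => ['/\A[A-Za-z]+\z/', 60],
    // letters, digits, underscore and hyphen before the @; dotted labels after it
    'email'    => ['/\A[A-Za-z0-9_-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/', 254],
    // letters, digits, whitespace, basic punctuation, $ and %.
    // No '<', '>', ':' or '/', so tags and URLs with a scheme cannot be entered.
    'comments' => ['/\A[A-Za-z0-9 .,!?\'"$%()\r\n-]+\z/', 2000],
];

// Returns ['ok' => bool, 'errors' => [field => reason], 'clean' => [field => value]].
function validateForm(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (FIELD_RULES as $field => [$pattern, $maxLen]) {
        $raw   = $post[$field] ?? '';
        $value = is_string($raw) ? trim($raw) : '';   // arrays or missing fields count as empty
        if ($value === '') {
            $errors[$field] = 'required';
        } elseif (strlen($value) > $maxLen) {
            // length is checked before the regex so oversized input never reaches preg_match
            $errors[$field] = "longer than $maxLen characters";
        } elseif (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'contains disallowed characters';
        } else {
            $clean[$field] = $value;
        }
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Escape for output. htmlspecialchars leaves $ and % alone, so the str_replace the
// post mentions is applied afterwards, turning them into entities (an assumption).
function renderComment(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace(['$', '%'], ['&#36;', '&#37;'], $escaped);
}

// Constructed sample submissions: one legitimate, one with a tag in the name and a URL in the comment.
$samples = [
    ['name' => 'Alice', 'email' => 'alice_1@example-corp.com', 'comments' => 'Fees rose 5% to $120.'],
    ['name' => 'Bob<script>', 'email' => 'bob@example.com', 'comments' => 'Visit http://spam.example/'],
];
foreach ($samples as $submission) {
    $result = validateForm($submission);
    echo $result['ok']
        ? 'accepted: ' . renderComment($result['clean']['comments'])
        : 'rejected: ' . json_encode($result['errors']);
    echo PHP_EOL;
}
```

The second sample is rejected twice over: the name fails on `<` and `>`, and the comment fails on `:` and `/`. A bare `www.example.com` still passes the comment whitelist, which is the kind of entry the later replies in this thread say only moderation catches.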

If the form is being validated in a separate file, you could set a session token in a hidden input on the form and validate that:

  1. session token is set and the post token is set
  2. the session token === post token
  3. the strlen === 40 or whatever the generated token length is

Also add hidden inputs that a valid user could not see, and check that they are not filled in.
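The three token checks and the honeypot check from the reply above, as an added example rather than the poster's code. The functions take the session and POST arrays as parameters so the whole thing runs from the command line; the field names `form_token`, `website` and `fax`, the CSS class used to hide the honeypots, and the 20-random-byte token are assumptions for the example.

```php
<?php
// Added example, not the poster's code: session token + honeypot checks for a form
// that is rendered on one page and validated in a separate file.
declare(strict_types=1);

const TOKEN_LEN       = 40;                 // 20 random bytes, hex-encoded
const TOKEN_FIELD     = 'form_token';       // hidden input and session key (assumed name)
const HONEYPOT_FIELDS = ['website', 'fax']; // fields a real user never sees (assumed names)

// Call while rendering the form. Stores a fresh token in the session and returns
// the hidden inputs to embed in the form markup.
function issueToken(array &$session): string
{
    $session[TOKEN_FIELD] = bin2hex(random_bytes(intdiv(TOKEN_LEN, 2)));
    $inputs = sprintf('<input type="hidden" name="%s" value="%s">', TOKEN_FIELD, $session[TOKEN_FIELD]);
    foreach (HONEYPOT_FIELDS as $hp) {
        // Assumed: a stylesheet rule for class "hp" hides these from humans; bots tend to fill them.
        $inputs .= sprintf('<input type="text" name="%s" class="hp" autocomplete="off" tabindex="-1">', $hp);
    }
    return $inputs;
}

// Call in the validation file. Returns null when the submission passes, otherwise the reason.
function checkSubmission(array &$session, array $post): ?string
{
    // 1. both the session token and the posted token must be present
    if (!isset($session[TOKEN_FIELD]) || !is_string($post[TOKEN_FIELD] ?? null)) {
        return 'missing token';
    }
    $expected = $session[TOKEN_FIELD];
    $given    = $post[TOKEN_FIELD];
    // 3. length must match the generated length (done before the comparison: it is cheap
    //    and rejects truncated or padded values outright)
    if (strlen($given) !== TOKEN_LEN) {
        return 'bad token length';
    }
    // 2. session token === post token; hash_equals compares in constant time
    if (!hash_equals($expected, $given)) {
        return 'token mismatch';
    }
    // honeypot inputs must come back empty
    foreach (HONEYPOT_FIELDS as $hp) {
        if (($post[$hp] ?? '') !== '') {
            return "honeypot '$hp' filled";
        }
    }
    unset($session[TOKEN_FIELD]); // one submission per token, so a replay fails check 1
    return null;
}

// Constructed walk-through: a human submission, a replay of it, and a bot that filled a honeypot.
$session = [];
issueToken($session);
$human = [TOKEN_FIELD => $session[TOKEN_FIELD], 'website' => '', 'fax' => ''];
echo 'human:  ', checkSubmission($session, $human) ?? 'accepted', PHP_EOL;
echo 'replay: ', checkSubmission($session, $human) ?? 'accepted', PHP_EOL;
issueToken($session);
$bot = [TOKEN_FIELD => $session[TOKEN_FIELD], 'website' => 'http://spam.example'];
echo 'bot:    ', checkSubmission($session, $bot) ?? 'accepted', PHP_EOL;
```

Because the token lives in the session, this inherits the limitation the original poster raised: a visitor with cookies disabled has no session and will fail check 1. The honeypot check has no such dependency and works on its own.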
@Mittineague
I love getting comments like

You have researched this topic well, I will recommend this site

It looks like we have to start writing scripts to check for vagueness.

Add to your validation routines the number of characters allowed. For example you should limit the length of the email field. Is 255 chars enough? If you do not set any restrictions then you could be vulnerable to buffer overflow attacks.

Another idea is to outsource your form to a third party that will handle all of the input validation and prevent certain hacking techniques. I don’t know what platform you are running for your website (e.g., WordPress), but you might be able to limit comment spam with certain plugins and web application firewalls like Apache mod_security.

Even with all of this in place you won’t be able to stop all spam. Your best bet is to moderate and approve the comments. Otherwise you will get plenty of entries that meet your specs and rules, but when you read through them, you’ll find the comments are spelling out website addresses or just filling up your page with nonsense text. It seems to happen a lot, so that’s why I recommend moderators in addition to everything else you put into place. Good luck and let us know what happens.

:lol: I moderate all my blog’s comments. It’s amazing how often I get a legit-looking comment with no links, but the visitor’s name is something like “Cheap Viagra” or “SEO Services”, with “their” website being linked to the name, of course. The spam filters are great for screening out the vast majority of the spam, but some of the SEO-kiddies are a wee bit more clever than the others.