Help about form security

Hello,

I have a form with some input fields, which I mention below. I have validated the form fields using jQuery validation and also PHP validation. There are some add-ons for the Firefox and Chrome browsers (web development tools) with which we can perform tasks on any website's form fields. For example: if I make a field read-only, then using the "Make form fields writable" option of Firefox's web developer tools I can remove the readonly property and type anything in that field. That's why I use the preg_match() function to validate my required fields.

Also, I have added a captcha to prevent machine entries. But although I ensure PHP validation, I am now surprised to see that I still get vulnerable entries. How is it possible? Is there any other way to prevent the type of entry I mention below? Please give me any idea if anyone has one…

Form field:

ID, Start Date, End Date, Last Name, First Name, Phone, Remarks

I declare in the preg_match() function:

ID must be numeric
Start date and end date with slash separator
Last Name and First Name must be characters
Phone must be numeric
Remarks must be characters, but it does not allow any special character

But this is strange: I can see that anyone can still post this type of data

Start Date: ???? ?
Start Time:
End Date: ???? ?
End Time:
Last Name: ???? ?
First Name: ???? ?
Phone: ???? ?
Email: test@gmail.com
Remarks: <a href=\\"http://test.jp/\\">MBT ???? ???</a> ?????? <a href=\\"http://testjp/\\" >???? ?</a> ???? ?

How is this possible? I need a solution to prevent this type of entry.

Thanks,
Rima.

We’d have to see what was in your preg_match expressions to be able to comment on what’s wrong with them.

Sure…

Please see this part of the code snippet. Please check only whether my preg_match() function declaration is correct or not.

// !== 1 instead of === 0: preg_match() returns false (not 0) when the pattern itself is broken,
// and false === 0 is not true, so a broken pattern silently accepted every value.
// "D" modifier: "$" may otherwise match before a trailing newline ("12/31/2012\n" would pass).
if(preg_match("/^[0-9 -]+$/D", $_POST['Phone'] ?? '') !== 1)
{
	$msg = '<p class="errText">Please type phone number properly</p>';
	header("location:T.php?msg=" . urlencode($msg));   // urlencode: spaces and "<" are not valid in a URL
	exit;   // header() does not stop the script; without exit the rest of the page (and any INSERT) still runs
}
elseif(preg_match("/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$/D", $_POST['Email'] ?? '') !== 1)
{
	$msg = '<p class="errText">Please type email in correct format</p>';
	header("location:Test.php?msg=" . urlencode($msg));
	exit;
}
elseif(preg_match("/^[A-Za-z -]+$/D", $_POST['First_Name'] ?? '') !== 1)
{
	$msg = '<p class="errText">Please type your first name properly</p>';
	header("location:Test.php?msg=" . urlencode($msg));
	exit;
}
elseif(preg_match("/^[A-Za-z -]+$/D", $_POST['Last_Name'] ?? '') !== 1)
{
	$msg = '<p class="errText">Please type your last name properly</p>';
	header("location:Test.php?msg=" . urlencode($msg));
	exit;
}
elseif(preg_match("#^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$#D", $_POST['Start_Date'] ?? '') !== 1)   // "#" delimiter: the pattern contains "/", so "/.../" ended the regex early and preg_match() returned false
{
	$msg = '<p class="errText">Start Date must comply with this mask: MM/DD/YYYY</p>';
	header("location:Test.php?msg=" . urlencode($msg));
	exit;
}
elseif(preg_match("#^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$#D", $_POST['End_Date'] ?? '') !== 1)   // was testing Start_Date a second time, so End_Date was never checked
{
	$msg = '<p class="errText">End date must comply with this mask: MM/DD/YYYY</p>';
	header("location:Test.php?msg=" . urlencode($msg));
	exit;
} // Required Field

… Some code here

// Remarks is not required field

// "-" goes last in the class: in "[ -,]" it was a RANGE from space (0x20) to comma (0x2C),
// which also let through ! " # $ % & ' ( ) * +
if(!isset($_POST['Remarks']) || preg_match("/^[a-zA-Z0-9 ,-]+$/D", $_POST['Remarks']) !== 1)
	{
	$remarks='';
	}
	else
	{
	$remarks=$_POST['Remarks'];
	}
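The following is an added example, not part of Rima's post or her site's code, that reproduces with constructed input why the checks she posted accept bad data: a pattern delimiter collision that makes preg_match() return false, the `=== 0` comparison that then passes anything, the `$` anchor without the D modifier, the accidental character range in the remarks pattern, and a redirect without exit. The input strings, the helper names (fieldOk, rejectAndRedirect) and the page name Test.php are assumptions for illustration.

```php
<?php
// Added example (not Rima's code). Constructed inputs below stand in for form submissions.

// (a) The date pattern uses "/" both as the PCRE delimiter and as a literal inside the
//     pattern. PCRE stops at the second "/", reads the rest as modifiers, and preg_match()
//     returns false (with a warning) instead of 0 or 1. Since false === 0 is not true,
//     the "reject" branch is never taken and the field is accepted unchanged.
$brokenDate = "/^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$/";
$junk = "<a href=\"http://example.invalid/\">spam</a>";          // constructed attacker input
var_dump(@preg_match($brokenDate, $junk));                        // bool(false): pattern error
var_dump(@preg_match($brokenDate, $junk) === 0);                  // bool(false): so the check "passes"

// Fix: a delimiter that does not occur in the pattern, and "D" so that "$" matches only at
// the very end of the string (without D, "12/31/2012\n" also matches).
$fixedDate = '#^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$#D';

// (b) Treat anything but an explicit 1 as failure: 0 = no match, false = broken pattern.
function fieldOk(string $pattern, ?string $value): bool
{
    return $value !== null && preg_match($pattern, $value) === 1;
}
var_dump(fieldOk($fixedDate, $junk));              // bool(false)
var_dump(fieldOk($fixedDate, "12/31/2012"));       // bool(true)
var_dump(fieldOk($fixedDate, "12/31/2012\n"));     // bool(false) only because of the D modifier

// (c) Inside a character class " -," is a RANGE from space (0x20) to comma (0x2C), so the
//     remarks pattern also admits ! " # $ % & ' ( ) * + . Put "-" last to make it literal.
var_dump(fieldOk('/^[a-zA-Z0-9 -,]+$/D', 'a "quoted" remark'));  // bool(true): unintended
var_dump(fieldOk('/^[a-zA-Z0-9 ,-]+$/D', 'a "quoted" remark'));  // bool(false)

// (d) The End_Date branch in the post tests $_POST['Start_Date'] a second time, so End_Date
//     is never validated at all; every field needs its own check.

// (e) header("Location: ...") only queues a response header. PHP keeps executing, so an
//     INSERT placed after the validation block still runs for the rejected request.
//     Stop the script, and URL-encode the message so the Location value is a valid URL.
function rejectAndRedirect(string $message): void
{
    header('Location: Test.php?msg=' . urlencode($message));
    exit;                                   // nothing below this line may run
}
// Test.php must then print $_GET['msg'] through htmlspecialchars(); echoing it raw turns the
// message parameter into a reflected-XSS vector.
```

Run it from the command line to see the var_dump() output; rejectAndRedirect() is defined but not called, since exit would end the demonstration.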

Rima,

Please use the [code] ... [/code] wrapper rather than the PHP one!

The thing I’m most concerned with in your code, though, is its placement BECAUSE any output to the server (<html … etc.) will prevent the header() function from working.

Additionally, I go about this a bit differently as I use the same page for my action and

  1. Output the masthead, nav, etc., first (prepare the page)
  2. Test whether the form has been submitted (isset($_POST['submit']))
  3. Test each $_POST array entry with isset then assign to a local variable (which will be used for my tests then entry into the form if required).
  4. Initialize the $error string variable
  5. Validate each required entry as you have done, except that an error adds info to the $error string (as you have done with a single output, but accumulating the error lines)
  6. Test if the $error string has been changed from the initial value (errors detected)
  7. If no errors, enter data into the database, send mail as required and output a successful submission message ELSE output the $error string AND output the form with the submitted values (for ease of correction for resubmission)
  8. Output the footer and close the page

This is simply a difference in technique (outputting all detected errors if any were found rather than rewriting the page for each error) but it eliminates all those elseif statements and provides a variable which I use to determine the path through the form processing (with successful input) or tell the visitor about each and every error and rewrite the values input.

Regards,

DK
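The single-page flow DK lists above (steps 1 to 8), written out as an added example. This is not DK's own code: the field names, the table name "bookings", the column names and an already-open PDO connection in $pdo are assumptions, and the file is meant to be its own form action. All errors are collected in one array, output starts before any validation so no header() redirect is needed, and every value is escaped with htmlspecialchars() when the form is redisplayed.

```php
<?php
// Added example of DK's one-page approach; not DK's code. Field names, the "bookings"
// table and the $pdo connection are assumptions.
declare(strict_types=1);

// "#" as delimiter because the date pattern contains "/"; "D" so "$" cannot match
// before a trailing newline. Only an explicit return value of 1 counts as a match.
$rules = [
    'ID'         => '#^[0-9]+$#D',
    'First_Name' => "#^[A-Za-z' -]+$#D",
    'Last_Name'  => "#^[A-Za-z' -]+$#D",
    'Phone'      => '#^[0-9 -]+$#D',
    'Start_Date' => '#^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$#D',
    'End_Date'   => '#^[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}$#D',
];

// Steps 3-5: copy each posted value into a local array and accumulate every error.
function validate(array $post, array $rules): array
{
    $values = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $values[$field] = isset($post[$field]) ? trim((string) $post[$field]) : '';
        $label = str_replace('_', ' ', $field);
        if (preg_match($pattern, $values[$field]) !== 1) {
            $errors[] = "$label is missing or in the wrong format";
        } elseif (substr($field, -5) === '_Date' && !dateIsReal($values[$field])) {
            $errors[] = "$label is not a real calendar date";
        }
    }
    // Remarks is optional: keep it only when it matches; "-" last so it is a literal hyphen.
    $remarks = isset($post['Remarks']) ? (string) $post['Remarks'] : '';
    $values['Remarks'] = preg_match('#^[a-zA-Z0-9 ,.-]+$#D', $remarks) === 1 ? $remarks : '';
    return [$values, $errors];
}

// A string can match MM/DD/YYYY and still be 99/99/2012; checkdate() rejects those.
function dateIsReal(string $mdy): bool
{
    [$m, $d, $y] = array_map('intval', explode('/', $mdy));
    return checkdate($m, $d, $y);
}

$h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

echo "<html><body><h1>Booking form</h1>\n";               // step 1: masthead, nav, etc.
$values = array_fill_keys(array_keys($rules), '') + ['Remarks' => ''];
$errors = [];
if (isset($_POST['submit'])) {                           // step 2
    [$values, $errors] = validate($_POST, $rules);       // steps 3-5
    if ($errors === []) {                                // steps 6-7: success path
        $stmt = $pdo->prepare(
            'INSERT INTO bookings (id, first_name, last_name, phone, start_date, end_date, remarks)
             VALUES (?, ?, ?, ?, ?, ?, ?)'
        );
        $stmt->execute(array_values($values));           // bound parameters, never string-built SQL
        echo "<p>Thank you, your entry has been recorded.</p>\n";
    } else {                                             // step 7: error path
        foreach ($errors as $e) {
            echo '<p class="errText">' . $h($e) . "</p>\n";
        }
    }
}
if (!isset($_POST['submit']) || $errors !== []) {        // show the form (again) with the values
    echo '<form method="post">' . "\n";
    foreach ($values as $field => $value) {
        // Escaping on output is what stops a submitted "<a href=...>" from rendering as HTML.
        echo '<label>' . $h($field) . ' <input name="' . $h($field) . '" value="' . $h($value) . '"></label><br>' . "\n";
    }
    echo '<input type="submit" name="submit" value="Send"></form>' . "\n";
}
echo "</body></html>\n";                                  // step 8
```

The validation never touches $_POST after validate() returns, so the INSERT can only see values that matched a pattern, and the remarks field is written out through htmlspecialchars() rather than relied on to be "clean" in the database.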