Moving from ajax webservice call to php

I have the code below sending form values to a web-service to register a new user, and I get a value back from the service to say whether it's a success or not.

But we are having problems with the code being accessed when it shouldn’t be and adding empty user details on the database, basically it’s being hacked I suppose, and that’s why I need to move it to php.

I have tried in the past and I kept getting problems, I think it was with jsonp, so I left it; now it's come back to bite me in the butt.

Can the code below be re-hashed into php which will sit inside a captcha validation script in php, which I have ready and working?

$.ajax(
{
crossDomain: true,
contentType: "application/json; charset=utf-8",
url: "https://www.mysite.com/WebService.asmx/TC_Register",
data: {id: "123abc", email_Address: email, password: password, name: allname, company_Name: company, telephone_Number: tel, address: address, country: country},
dataType: "jsonp",
success: onDataReceived
});

Any publicly accessible endpoint that accepts input should validate said input before doing anything with it (especially inserting into a DB). Never trust user input.


Well, this is the problem that has prompted me to get this sorted. I had jquery validate and other validation and they still get through it. If you fancy taking a look, I have the full script below:

<form name="form1" id="signupForm" method="post">
<button id="buttonSubmit" type="submit">SUBMIT</button>
</form>

<script src="lib/jquery.validate.js"></script>
<script>
$("#signupForm").validate({
rules: {
fname: {
required: true
},
sname: {
required: true
},
company: {
required: true
},
tel: {
required: true,
minlength: 5
},
address: {
required: true
},
country: {
required: true
},
email: {
required: true,
email: true
},
cemail: {
required: true,
email: true,
equalTo: "#form1_email"
},
password: {
required: true,
minlength: 7,
},
cpassword: {
required: true,
minlength: 7,
equalTo: "#form1_password"
},
},
messages: {
fname: "Please enter your first name",
sname: "Please enter your last name",
company: "Please enter your company name",
tel: "Please enter your telephone number",
address: "Please enter your address",
country: "Please enter your country",
email: "Please enter a valid email address",
cemail: {
required: "Please enter a valid email address",
equalTo: "Please enter the same email"
},
password: {
required: "Please provide a password",
minlength: "Your password must be at least 5 characters long"
},
cpassword: {
required: "Please provide a password",
minlength: "Your password must be at least 5 characters long",
equalTo: "Please enter the same password"
},	
},
submitHandler: function(form) {
serviceCall();
}
});
</script>
<script>
function serviceCall() {
document.getElementById('buttonSubmit').style.display = 'none';

// Each check compares with ===; a single = would assign "" to the variable and blank the value.
var fnameb = $("input[name=\"fname\"]").val();
if (fnameb === "") {
    window.location.href = "https://www.site.com"
} else {
    var fname = fnameb;
}

var snameb = $("input[name=\"sname\"]").val();
if (snameb === "") {
    window.location.href = "https://www.site.com"
} else {
    var sname = snameb;
}

var companyb = $("input[name=\"company\"]").val();
if (companyb === "") {
    window.location.href = "https://www.site.com"
} else {
    var company = companyb;
}

var telb = $("input[name=\"tel\"]").val();
if (telb === "") {
    window.location.href = "https://www.site.com"
} else {
    var tel = telb;
}

var addressb = $("input[name=\"address\"]").val();
if (addressb === "") {
    window.location.href = "https://www.site.com"
} else {
    var address = addressb;
}

var countryb = $("input[name=\"country\"]").val();
if (countryb === "") {
    window.location.href = "https://www.site.com"
} else {
    var country = countryb;
}

var emailb = $("input[name=\"email\"]").val();
if (emailb === "") {
    window.location.href = "https://www.site.com"
} else {
    var email = emailb;
}

var cemailb = $("input[name=\"cemail\"]").val();
if (cemailb === "") {
    window.location.href = "https://www.site.com"
} else {
    var cemail = cemailb;
}

var passwordb = $("input[name=\"password\"]").val();
if (passwordb === "") {
    window.location.href = "https://www.site.com"
} else {
    var password = passwordb;
}

var cpasswordb = $("input[name=\"cpassword\"]").val();
if (cpasswordb === "") {
    window.location.href = "https://www.site.com"
} else {
    var cpassword = cpasswordb;
}

var allname = fname+' '+sname;

$.ajax(
{
crossDomain: true,
contentType: "application/json; charset=utf-8",
url: "https://www.mysite.com/WebService.asmx/TC_Register",
data: {id: "123abc", email_Address: email, password: password, name: allname, company_Name: company, telephone_Number: tel, address: address, country: country},
dataType: "jsonp",
success: onDataReceived
});

function emailFunction(){
$.ajax({
url: 'register-mail.php',
type: 'POST',
data: {
Email:email, Company:company, Name:allname, Address:address, Country:country
},
});	
};

function onDataReceived(data)
{
if (data == 1){		
swal({
  		title: 'You Are Registered!',
  		text: "Do you wish to continue to Log In?",
  		type: 'success',
		success: emailFunction(),
  		showCancelButton: true,
  		confirmButtonColor: '#3085d6',
		cancelButtonColor: '#d33',
  		confirmButtonText: 'Continue'
		}).then(function() {
		window.location.href = "logIn.php";
		})
}
	if (data == 2){
		document.getElementById('buttonSubmit').style.display = 'block';
		swal({
  		title: 'Error!',
  		text: 'This email address is already in use',
  		type: 'error',
  		confirmButtonText: 'Return'
		})
	}
};
};
</script>

I thought I had it covered, but obviously not. So what I plan to do now is validate through the required setting in the form, then use captcha and php validation, and then submit the data to the webservice using php rather than ajax.

Was quite proud of all that, but it's not what's needed to make it secure.

Client side validation is a good idea for letting honest users know of a problem and saving an HTTP request.
I would not scrap your JavaScript code just yet.
But for security, you really need to do server side validation - before the input gets anywhere near the database.


Hi Mittineague,

That's actually great news for me, as the ajax really works well.

The manager is insisting on using captcha with it too, so I have just developed it into another form on a different website and it's like this, and works really well, so can this site use the code below and also integrate it with the ajax to make it more secure than it is?

<?php
// define variables and set to empty values
$nameErr = $emailErr = "";
$name = $email = $comment = "";

if (isset($_POST['submit']) && !empty($_POST['submit'])) {
    if (isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response'])) {
        // your site secret key
        $secret = 'abc123';
        // get verify response data; both values are URL-encoded so the token cannot alter the query string
        $verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secret) . '&response=' . urlencode($_POST['g-recaptcha-response']));
        $responseData = json_decode($verifyResponse);
        if ($responseData->success) {

            // name: required, letters and spaces only
            if (empty($_POST["name"])) {
                $nameErr = "Name is required";
            } else {
                $name = test_input($_POST["name"]);
                if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
                    $nameErr = "Only letters and white space allowed";
                }
            }

            // email: required, must be a well-formed address
            if (empty($_POST["email"])) {
                $emailErr = "Email is required";
            } else {
                $email = test_input($_POST["email"]);
                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    $emailErr = "Invalid email format";
                }
            }

            // comment: optional
            if (empty($_POST["comment"])) {
                $comment = "";
            } else {
                $comment = test_input($_POST["comment"]);
            }

            // send the mail only when both checks passed
            if (($nameErr == "") && ($emailErr == "")) {

                $from = 'From: ' . $name . ' <' . $email . '>';
                $to = "ljones@.com";

                $subject = " UK Enquiry Form";
                $content = "Hi, \n\n" . $name . " has sent a message: \n\n" . $comment . "\n\nSent from the  Standards website.";

                mail($to, $subject, $content, $from);
                $successM = "Thank you! Your message has been sent!";
                $nameErr = $emailErr = "";
                $name = $email = $comment = "";
            }
        }

    } else {
        // no captcha response was posted: keep the values and show an error
        $name = $_POST["name"];
        $email = $_POST["email"];
        $comment = $_POST["comment"];
        $errMsg = 'Robot verification failed, please try again.';
    }
}

// trim, unescape and HTML-encode a submitted value
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
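
Editor's added example, not code from any poster in this thread: the server-side validation advised above, mirroring the jQuery Validate rules of the signup form, followed by the TC_Register call made from PHP instead of the browser. Field and parameter names are taken from the posted scripts; the function names are hypothetical, and it is an assumption that the service answers a plain server-side GET with the status value in the response body.

```php
<?php
// Added example; the service's reply to a plain server-side GET is an assumption.
// Re-check on the server every rule the jQuery Validate config enforces in the browser.
function validate_registration(array $in): array
{
    $fields = ['fname', 'sname', 'company', 'tel', 'address', 'country',
               'email', 'cemail', 'password', 'cpassword'];
    $clean = $errors = [];
    foreach ($fields as $f) {
        $v = is_string($in[$f] ?? null) ? $in[$f] : '';   // arrays and missing keys become ''
        $clean[$f] = in_array($f, ['password', 'cpassword'], true) ? $v : trim($v);
        if ($clean[$f] === '') {
            $errors[$f] = 'required';
        }
    }
    if (!isset($errors['tel']) && strlen($clean['tel']) < 5) {
        $errors['tel'] = 'minlength 5';
    }
    if (!isset($errors['email']) && !filter_var($clean['email'], FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'invalid email';
    }
    if (!isset($errors['password']) && strlen($clean['password']) < 7) {
        $errors['password'] = 'minlength 7';
    }
    if ($clean['cemail'] !== $clean['email']) { $errors['cemail'] = 'does not match email'; }
    if ($clean['cpassword'] !== $clean['password']) { $errors['cpassword'] = 'does not match password'; }
    return [$clean, $errors];
}

// Call TC_Register from PHP with the parameters the $.ajax call sends (JSONP is a GET).
function register_user(array $c): string
{
    $query = http_build_query([
        'id' => '123abc', 'email_Address' => $c['email'], 'password' => $c['password'],
        'name' => $c['fname'] . ' ' . $c['sname'], 'company_Name' => $c['company'],
        'telephone_Number' => $c['tel'], 'address' => $c['address'], 'country' => $c['country'],
    ]);
    $body = file_get_contents('https://www.mysite.com/WebService.asmx/TC_Register?' . $query);
    return $body === false ? '' : trim($body);
}

// Place this after the reCAPTCHA verification shown in the post above.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_registration($_POST);
    header('Content-Type: application/json');
    echo json_encode($errors ? ['ok' => false, 'errors' => $errors]
                             : ['ok' => true, 'result' => register_user($clean)]);
}
```

These checks protect the database only if TC_Register itself rejects requests that do not come from this script; while the endpoint stays publicly callable, a request sent straight to it skips the captcha and the validation.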
