Dear All

I have recently made some forms using javascript (up until then I usually did so in php).

I have some simple user validation - required fields, correct format for email etc. When submit is pressed a simple php script operates to send the details in an email.

I have recently got concerned about the security of these forms. This morning I received a form reply in which all the fields were blank. (I managed to reproduce this myself using javascript:document.spamform.onsubmit="return true";)

So now I am worried that someone can use my form to hack the site, which is a joomla cms. We have taken quite a few security precautions for the site, but not in the form

I have spent some time searching around google, and its overwhelming!!!

Could somebody please direct me as to where to start. Should I just dump the javascript form and rework it in php, adding stripslashes and so on? Or are there some things I can do to avoid this form being used?

I'd really appreciate any pointers!

Thanks in advance

Edward


All 7 Replies

Maybe you should look into 2 things - SQL injection and Cross Site Scripting (XSS). These 2 are common in attacking website database/content. Then you should have more understanding about prevention.

By the way, do not use ONLY JavaScript to validate user input. JavaScript is for convenience but not for security, because users can easily manipulate the script (and you have no protection against it). You must always do the validation on your server side.

Hi maxelcat! From my own experience JavaScript can be cheated easily, so you definitely need to use something else. Using two or more different strategies for verification can give a really hard time to not-so-professional hackers (who are some 80%).

Good luck!

:)

HI and thanks for the replies. Since the post I have done the following - all in php

  • created a check that all the right fields are arriving
  • added htmlspecialchars(stripslashes(trim($_POST[....
  • added regular expressions
  • added a final check that none of the data contains html|htmls|ftp|www

If any of the above checks fail, then the php script does exit() and a cute little message about possibly dangerous script having been entered appears.

Would that be enough do you think? I know you can never be 100% secure...

Thanks again

E
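The four server-side checks listed in the post above, combined into one PHP handler as an added example (this is not the poster's code; the field names and the form it guards are assumptions):

```php
<?php
// Added example: server-side validation for a mail form, mirroring the checks
// listed above. Field names ('name', 'email', 'message') are assumptions.
function validate_contact(array $post): array
{
    $required = ['name', 'email', 'message'];
    $errors = [];
    $clean = [];

    // 1. Every expected field must arrive and be non-empty.
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "Missing field: $field";
            continue;
        }
        // 2. Trim and neutralise HTML before the value is reused anywhere.
        //    stripslashes() is only needed when magic_quotes_gpc is on
        //    (removed in PHP 5.4), so it is omitted here.
        $clean[$field] = htmlspecialchars(trim($post[$field]), ENT_QUOTES, 'UTF-8');
    }
    if ($errors) {
        return [false, $errors, []];
    }

    // 3. Format checks: built-in email filter plus a regex for the name.
    if (!filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Invalid email address';
    }
    if (!preg_match('/^[\p{L} .\'-]{1,80}$/u', $post['name'])) {
        $errors[] = 'Name contains unexpected characters';
    }

    // 4. Reject markup and links (the html|ftp|www check from the post), and
    //    reject line breaks in values that end up in mail headers.
    if (preg_match('/(<[a-z!\/]|https?:|ftp:|www\.)/i', $post['message'])) {
        $errors[] = 'Message contains HTML or links';
    }
    if (preg_match('/[\r\n]/', $post['name'] . $post['email'])) {
        $errors[] = 'Line breaks are not allowed in name or email';
    }

    return [count($errors) === 0, $errors, $clean];
}

// Usage: abort with a message on any failure, as the post describes.
[$ok, $errors, $clean] = validate_contact($_POST);
if (!$ok) {
    http_response_code(400);
    exit('Possibly dangerous input was rejected: ' . implode('; ', $errors));
}
// $clean can now be placed in the email body or echoed back to the page.
```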

I found this article an interesting read. Got some good ideas from it.

I'm sure that should be enough (if you're not selling FBI secrets over your website).


:)

Nothing client-side is secure.

Well, yes, but... Now maxelcat has cut off the amateurs, and the professionals are too busy with more serious projects like Nigeria's banks or so...

There is no absolute safety in this world.

:cool:
