dannyb785 Posted July 20, 2008 Share Posted July 20, 2008 Hello all, this is a client of mine's page. The only parts that even allow user input are on the contacts page(typing info to be emailed), the polls that you vote on, and the search field. So there shouldn't be any main security vulnerability, however there is a behind-the-scenes area to log into and edit things so I suppose just make a sure someone couldn't accidently stumble into it(it requires the user to be logged in even if they did know the address of the page). http://www.xausf.com Link to comment Share on other sites More sharing options...
unsider Posted July 20, 2008 Share Posted July 20, 2008 There is very little validation in the 'contact' form, <> tags, etc... I'd suggest sanatizing the input for those fields a little more. I can't find any other noticeable security flaws, but I tested it without software. Link to comment Share on other sites More sharing options...
dannyb785 Posted July 20, 2008 Author Share Posted July 20, 2008 There is very little validation in the 'contact' form, <> tags, etc... I'd suggest sanatizing the input for those fields a little more. I can't find any other noticeable security flaws, but I tested it without software. do you mean js validation? Or server-side filtering? And how can you tell because once something is submitted, it's never repeated back to the user nor made public Link to comment Share on other sites More sharing options...
drath Posted July 20, 2008 Share Posted July 20, 2008 I think he is talking about the fact that you can submit absolutely anything in any of the text fields, you don't even need a proper email. You can submit text in the phone number, you can use just numbers in your name, etc. Link to comment Share on other sites More sharing options...
unsider Posted July 21, 2008 Share Posted July 21, 2008 I think he is talking about the fact that you can submit absolutely anything in any of the text fields, you don't even need a proper email. You can submit text in the phone number, you can use just numbers in your name, etc. Ya pretty much. And I'm talking about client-side. Use regex to validate.. ie. very basic example. <?php $email = $_POST['email']; if(!eregi("^([0-9a-z])+$", $email)){ echo "email field not alphanumeric"; } ?> Something along those lines, look it up Link to comment Share on other sites More sharing options...
waynewex Posted July 22, 2008 Share Posted July 22, 2008 I've lost all faith in JS validation. I only ever include it for the common users sake. Wouldn't rest my security on it though. Link to comment Share on other sites More sharing options...
dannyb785 Posted July 22, 2008 Author Share Posted July 22, 2008 I understand your suggestion about validation, but at the moment, I have it setup so my client can create the form themself(my system does most of the work for them) so they basically just create the field title and if it's required or not. But it's all just submitted to a database for my client to read and look over so validation isn't required, but more just suggested. So I use simple js to validate a blank field bc the typical user who is filling out the form isn't going to try and hack around it to keep the field blank. Link to comment Share on other sites More sharing options...
Recommended Posts