
use javascript to secure my php script


Reaper0167


I have a registration form which uses some javascript to make sure the form is filled out correctly. I don't see why I couldn't use some javascript to help keep out certain characters to prevent hackers from messing with my site or database? Any knowledge of this subject would be appreciated. Thanks.


Something like this? Everything works great (username required, username needs to match). Just the special characters are not allowed. I found the special characters part of this online, but can't get it to work properly.

<?php
<script type="text/javascript" language="javascript">
function validate(form2)
{
    var valid = true;
    var iChars = "!@#$%^&*()+=-[]\\\';,./{}|\":<>?";
    var username = form2.username.value;

    // Check every character of the username against the blacklist.
    // (The original tested only charAt(i) with i never defined.)
    var hasSpecial = false;
    for (var i = 0; i < username.length; i++)
    {
        if (iChars.indexOf(username.charAt(i)) != -1)
        {
            hasSpecial = true;
            break;
        }
    }

    if (!username || !form2.username_conf.value || hasSpecial)
    {
        document.getElementById('username_error').innerHTML = 'You must enter a username and confirm it. No special characters.';
        valid = false;
    }
    else if (username != form2.username_conf.value)
    {
        document.getElementById('username_error').innerHTML = 'Usernames do not match.';
        valid = false;
    }
    else
    {
        document.getElementById('username_error').innerHTML = '';
    }

    // Return the result so the form can use onsubmit="return validate(this)"
    return valid;
}
</script>


How about the onKeyPress attribute? Only allowing letters and numbers to be accepted into a text field. Could that distract a possible hacker? And what do you mean by form processing code? My php script itself? I'm reading everything I can online and this still bothers me about having a somewhat secure site.


Pretend your form doesn't exist, that's how the hackers see it.

 

Javascript is mainly for assisting the user, but certainly not fit for securing a form. Wherever your code is that accepts the values $_POST['username'] etc. is where you want to be secure in your processing. Validate using regex, strlen, etc. to ensure you get expected inputs.

 

Also, I notice in your codebox it says "<?php  then <script"  is this a typo?


To hopefully give a little more insight, I'll give a couple of examples.

 

1) A user accesses your form, which has javascript to prevent certain characters in the username and will prevent form submission with a friendly error message. Good, right? Ok, then the user accesses the browser options and turns off JavaScript. The user is now able to enter anything they wish and submit the form. Uh oh!

 

2) You have the above code, but implement some additional JS so that the form can't even be submitted without JS enabled. Of course this may block a small number of potential users, but that's OK since you will be protected from hackers, right? Nope. A malicious user can simply view/copy the source code for your page and recreate the form himself without any javascript and ensure it can be submitted with whatever values they want.

 

As stated above, you must always validate user input on the server-side. JavaScript provides a nice way to give the user immediate feedback without having to submit a form. But even if you have javascript validation, all bets are off once the form submission is received.

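To make the advice in the last two replies concrete, here is an added example of what the server-side half of this registration form can look like. It is not code from the thread or from Reaper0167's script; it is an editor's illustration. The rules it enforces (3 to 20 characters, letters, digits and underscore only), the `users` table and column name, and the use of an in-memory SQLite database so the script runs offline are all assumptions chosen for illustration. The point is that everything the browser's JavaScript checked is checked again here, on the server, where the attacker cannot switch it off.

```php
<?php
// Added example (not code from the original thread): the server-side half of
// the registration form. It validates $_POST['username'] and
// $_POST['username_conf'] on the server regardless of what the browser did.
// The rules (3-20 chars, letters/digits/underscore), the table and column
// names, and the SQLite database are assumptions chosen for illustration.

/**
 * Returns an array of error messages; an empty array means the input passed.
 */
function validate_username($username, $username_conf)
{
    // A crafted request can send arrays (username[]=x); reject non-strings
    // up front so strlen()/preg_match() never see them.
    if (!is_string($username) || !is_string($username_conf)) {
        return array('Username and confirmation must be plain text.');
    }

    $errors = array();

    $len = strlen($username);
    if ($len < 3 || $len > 20) {
        $errors[] = 'Username must be between 3 and 20 characters.';
    }

    // Whitelist what is allowed instead of blacklisting "special" characters.
    // \z rather than $ so a trailing newline cannot slip past the check.
    if (!preg_match('/^[A-Za-z0-9_]+\z/', $username)) {
        $errors[] = 'Username may contain only letters, digits and underscore.';
    }

    if ($username !== $username_conf) {
        $errors[] = 'Usernames do not match.';
    }

    return $errors;
}

/**
 * Store the user through a prepared statement: the value is bound as data,
 * so the database never interprets it as SQL even if validation is later
 * relaxed to allow more characters.
 */
function insert_user(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    return $stmt->execute();
}

// Missing fields default to '' rather than raising an undefined-index notice.
$username      = isset($_POST['username']) ? $_POST['username'] : '';
$username_conf = isset($_POST['username_conf']) ? $_POST['username_conf'] : '';

$errors = validate_username($username, $username_conf);
if (count($errors) > 0) {
    http_response_code(400);
    foreach ($errors as $e) {
        // Escape on output so the echoed message cannot carry HTML into the page.
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// In-memory SQLite stands in for the real database so the script runs
// offline; a production handler would connect with its own DSN/credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');

insert_user($pdo, $username);
echo 'Registered ', htmlspecialchars($username, ENT_QUOTES, 'UTF-8'), "\n";
```

To see why this matters, serve the script with PHP's built-in server (`php -S localhost:8000`) and post to it directly with curl, for example `curl -d 'username=bob;--&username_conf=bob;--' http://localhost:8000/register.php`. No HTML form and no JavaScript are involved in that request, which is exactly the "pretend your form doesn't exist" situation described above, yet the request is still rejected with a 400 because the check lives in the handler. The whitelist regex is the part that decides what reaches the database; the prepared statement is the safety net that keeps an injected quote harmless even if that regex is loosened later.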
