Reaper0167 Posted June 22, 2009

I have a registration form which uses some javascript to make sure the form is filled out correctly. I don't see why I couldn't use some javascript to help keep out certain characters to prevent hackers from messing with my site or database? Any knowledge of this subject would be appreciated. Thanks.
Reaper0167 (Author) Posted June 22, 2009

Something like this? Everything works great (username required, username needs to match). Just the special characters are not allowed. I found the special characters part of this online, but can't get it to work properly.

<script type="text/javascript">
function validate(form2) {
    var valid = true;
    var iChars = "!@#$%^&*()+=-[]\\\';,./{}|\":<>?";
    var username = form2.username.value;
    var hasSpecial = false;
    // check every character of the username against the disallowed list
    for (var i = 0; i < username.length; i++) {
        if (iChars.indexOf(username.charAt(i)) != -1) {
            hasSpecial = true;
            break;
        }
    }
    if (!username || !form2.username_conf.value || hasSpecial) {
        document.getElementById('username_error').innerHTML = 'You must enter a username and confirm it. No special characters.';
        valid = false;
    } else if (username != form2.username_conf.value) {
        document.getElementById('username_error').innerHTML = 'Usernames do not match.';
        valid = false;
    } else {
        document.getElementById('username_error').innerHTML = '';
    }
    // returning false from the form's onsubmit handler stops the submission
    return valid;
}
</script>
PFMaBiSmAd Posted June 22, 2009

Hackers don't really care what you do in your form because they submit data directly to your form processing code. So, no, that won't add any security to your site.
Reaper0167 (Author) Posted June 22, 2009

Thanks for the reply.
Reaper0167 (Author) Posted June 23, 2009

How about the onKeyPress attribute? Only allowing letters and numbers to be accepted into a text field. Could that distract a possible hacker? And what do you mean by form processing code? My PHP script itself? I'm reading everything I can online, and this still bothers me about having a somewhat secure site.
xtopolis Posted June 23, 2009

Pretend your form doesn't exist; that's how the hackers see it. Javascript is mainly for assisting the user, but certainly not fit for securing a form. Wherever your code is that accepts the values $_POST['username'] etc. is where you want to be secure in your processing. Validate using regex, strlen, etc. to ensure you get expected inputs.

Also, I notice in your codebox it says "<?php" then "<script"; is this a typo?
Reaper0167 (Author) Posted June 23, 2009

Yes, sorry.
Reaper0167 (Author) Posted June 23, 2009

But if they can't type special characters or spaces into the text boxes, then to inject anything, they would have to enter it in the URL, correct? Sorry for getting off subject.
Psycho Posted June 23, 2009

To hopefully give a little more insight, I'll give a couple of examples.

1) User accesses your form, which has javascript to prevent certain characters in the username and will prevent form submission with a friendly error message. Good, right? OK, then the user accesses the browser options and turns off JavaScript. User is now able to enter anything they wish and submit the form. Uh oh!

2) You have the above code, but implement some additional JS so that the form can't even be submitted without JS enabled. Of course this may block a small number of potential users, but that's OK since you will be protected from hackers, right? Nope. A malicious user can simply view/copy the source code for your page and recreate the form himself without any javascript and ensure it can be submitted with whatever values they want.

As stated above, you must always validate user input on the server side. JavaScript provides a nice way to give the user immediate feedback without having to submit a form. But even if you have javascript validation, all bets are off once the form submission is received.
Reaper0167 (Author) Posted June 24, 2009

Everywhere I read, it says that the best way to do this is with your POST data, and to use mysql_real_escape_string. Is this the best way? Are there any good sites that give detailed examples on exactly what to do?
xtopolis Posted June 24, 2009

http://www.phpfreaks.com/tutorial/php-security

This has a good primer for basic PHP security. Read that and then search on those topics if you need more info.
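As an added example that is not from any poster in this thread, here is what the server-side check xtopolis and Psycho describe looks like in the PHP that receives $_POST['username'] (regex plus strlen), followed by a PDO prepared statement in place of the mysql_real_escape_string approach asked about above. The field names "username" and "username_conf", the "users" table and the DSN/credentials are assumptions for illustration.

```php
<?php
// Added example, not from the thread. The browser-side JavaScript may or may
// not have run; this code must give the same answer either way.
declare(strict_types=1);

function validate_username(?string $username, ?string $confirm): array
{
    $errors = [];
    if ($username === null || $username === '') {
        $errors[] = 'You must enter a username.';
        return $errors;
    }
    $len = strlen($username);
    if ($len < 3 || $len > 20) {
        $errors[] = 'Username must be 3 to 20 characters.';
    }
    // Allowlist rather than blocklist: only ASCII letters, digits and underscore.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $username)) {
        $errors[] = 'Username may contain only letters, numbers and underscores.';
    }
    if ($username !== $confirm) {
        $errors[] = 'Usernames do not match.';
    }
    return $errors;
}

// This is the "form processing code": the place the values actually arrive,
// regardless of what the browser did before submitting.
$errors = validate_username($_POST['username'] ?? null, $_POST['username_conf'] ?? null);

if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        // Escape on output so the error text itself cannot inject HTML.
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// Even after validation, never build SQL by string concatenation. A prepared
// statement keeps the value out of the query text entirely, which is what
// mysql_real_escape_string only approximates. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
$stmt->execute([':username' => $_POST['username']]);
echo 'Registered.';
```

Note that validate_username() rejects the input whether it came from the real form, a copied form without JavaScript, or a hand-built POST request, which is the whole point Psycho makes above.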