use javasript to secure my php script

[Reaper0167]

I have a registration form which uses some javascript to make sure the form is filled out correctly. I don't see why I couldn't use some javascript to help keep out certain characters to prevent hackers from messing with my site or database.?.?. Any knowledge of this subject would be appreciated. Thanks.

[Reaper0167]

Something like this? Everything works great(username required, username needs to match) Just the special characters are not allowed. If found the special characters part of this online, but can't get it to work properly.

<?php
<script type="text/javascript" language="javascript">
function validate(form2)
    {
    var valid = true;
    var iChars = "!@#$%^&*()+=-[]\\\';,./{}|\":<>?";
    	
if (!form2.username.value || !form2.username_conf.value || iChars.indexOf(document.form2.username.value.charAt(i)) != -1 )
    {
        document.getElementById('username_error').innerHTML = 'You must enter a username and confirm it. No special characters.';
        valid = false;
    }
    else if (form2.username.value != form2.username_conf.value)
    {
        document.getElementById('username_error').innerHTML = 'Usernames do not match.';
        valid = false;
    }
    else
    {
        document.getElementById('username_error').innerHTML = '';
    }
</script>

[PFMaBiSmAd]

Hackers don't really care what you do in your form because they submit data directly to your form processing code. So, no that won't add any security to your site.

[Reaper0167]

thanks for the reply.

[Reaper0167]

how about the onKeyPress attribute ?  Only allowing letters and numbers to be accepted into a text field. Could that distract a possible hacker ?  And what do you mean by form processing code?  My php script itself ?  I'm reading everything I can online and this still bothers me about having a somewhat secure site.

[xtopolis]

Pretend your form doesn't exist, that's how the hackers see it.

 

Javascript is mainly for assisting the user, but certainly not fit for securing a form.  Where ever your code is that accepts the values $_POST['username'] etc is where you you want to be secure in your processing.  Validate using regex, strlen, etc to ensure you get expected inputs.

 

Also, I notice in your codebox it says "<?php  then <script"  is this a typo?

[Reaper0167]

yes , sorry

[Reaper0167]

but if they can't type special characters or spaces into the text boxes, then to inject anything, they would have to enter it in the url, correct? Sorry for getting off subject.

[Psycho]

To hopefully give a littel more insight, I'll give a couple examples.

 

1) User access your form which has javascript to prevent certain characters in the username and will prevent form submission with a friendly error message. Good right? Ok, then the user access the browser options and turns off JavaScript. User is now able to enter anything they wish and submit the form. Uh oh!

 

2) You have the above code, but implement some additional JS so that the form can't even be submitted without JS enabled. Of course this may block a small number of potential users, but that's OK since you will be protected from hackers, right? Nope. A malicious user can simply view/copy the source code for your page and recreate the form himself without any javascript and ensure it can be submitted with whatever values they want.

 

As stated above, you must always validate user input on the server-side. JavaScript provides a nice way to give the user immediate feedback without having to submit a form. But even if you have javascript validation, all bets are off once the form submission is received.

[Reaper0167]

I read everywhere are it says that the best way to do this is with your POST data, and to use mysql real escape string. Is this the best way? Are there any good sites that give detailed examples on exactly what to do?

[xtopolis]

http://www.phpfreaks.com/tutorial/php-security

 

This has a good primer for basic PHP security.  Read that and then search on those topics if you need more info.