gocondo Posted November 25, 2010: Does anyone have an example for PHP subscription code? I used JavaScript to validate the subscription form and PHP to update the mailing list in my Toronto condo website, but lately some hackers were able to subscribe and bypass the JavaScript validation function. How did they do it? I would like to use only PHP for the subscription to avoid this problem.
Pikachu2000 Posted November 25, 2010: Javascript is NOT validation. All I have to do is disable javascript in my browser, (hint: spambots don't use javascript) and I can send any values I want through your form. Validation must be done server-side.
gocondo (Author) Posted November 25, 2010: But if I do the validation on the server side, how can I issue an alert with the error message to the client?
Pikachu2000 Posted November 25, 2010: Using JS in a form should be viewed as nothing more than a convenience for the user, although if it's done improperly, it can become a huge inconvenience instead. You should always assume that any JS used to check form input is not going to work at all, and perform the validations server-side. If the validation routine detects errors server-side, you can then redisplay the form with the values already filled in, and any errors highlighted so the user can make needed corrections and resubmit it. Here's a (somewhat stripped down) example that you can paste into a file and mess with. Enter the wrong values in the fields and see how it handles the errors.

<?php
if( isset($_POST['submitted']) && $_POST['submitted'] == 'yes' ) { // check for hidden field value to indicate form has been submitted
    $errors = array(); // initialize an array to hold validation errors
    $_POST = array_map('trim', $_POST); // trim all $_POST array values (array_map returns a new array, so the result must be assigned back)
    if( !empty($_POST['name']) ) { // validate the name field
        if( !ctype_alpha($_POST['name']) ) {
            $errors[] = 'Name must be alphabetic characters only.'; // if name has non alpha chars, store error
        }
        if( strlen($_POST['name']) < 3 || strlen($_POST['name']) > 20 ) {
            $errors[] = 'Name must be from 3 to 20 characters.'; // if name has too many/few chars, store error
        }
    } else {
        $errors[] = 'Name is a required field.'; // if name is empty, store error
    }
    if( !empty($_POST['number']) ) { // same validations as in name, above.
        if( !ctype_digit($_POST['number']) ) {
            $errors[] = 'Number must be numeric.';
        }
        if( strlen($_POST['number']) < 5 || strlen($_POST['number']) > 20 ) {
            $errors[] = 'Number must be from 5 to 20 digits. It is currently ' . strlen($_POST['number']) . ' digits';
        }
    } else {
        $errors[] = 'Number is a required field.';
    }
    if( !empty($errors) ) { // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form
        echo "<font color=\"red\">The following errors were detected";
        foreach( $errors as $value ) {
            echo "<br>$value";
        }
        echo '</font>';
    } else {
        echo "<font color=\"green\">Congratulations, no errors detected!</font>";
    }
}
?>
<form method="post">
<!-- submitted values are escaped with htmlspecialchars() before being echoed back into the attribute, so user input cannot break out of it -->
Name (3-20 letters): <input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name'], ENT_QUOTES) : ''; ?>"><br>
Number (5-20 digits): <input type="text" name="number" value="<?php echo isset($_POST['number']) ? htmlspecialchars($_POST['number'], ENT_QUOTES) : ''; ?>"><br>
<input type="hidden" name="submitted" value="yes">
<input type="submit" name="submit" value="Submit">
</form>
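As an added example (not code from this thread or from either poster): the same server-side pattern applied to the subscription form the original poster describes, where the field that matters is an email address. The field names email, name and submitted are assumed, and add_to_mailing_list() is a hypothetical stand-in for the poster's existing PHP list update.

```php
<?php
// Added example, not from the thread. Field names and add_to_mailing_list() are assumed.

/**
 * Validate the submitted subscription fields on the server.
 * Returns an array of error messages; an empty array means the input is acceptable.
 */
function validate_subscription(array $post): array
{
    $errors = [];
    // Read each field from the request ourselves; never rely on the browser having checked it.
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    $name  = isset($post['name'])  ? trim((string) $post['name'])  : '';

    if ($email === '') {
        $errors[] = 'Email is a required field.';
    } elseif (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // FILTER_VALIDATE_EMAIL also rejects CR/LF, so a value that passes here
        // cannot smuggle extra headers if it is later handed to mail().
        $errors[] = 'Email address is not valid.';
    }

    if ($name !== '' && (strlen($name) < 2 || strlen($name) > 50)) {
        $errors[] = 'Name must be from 2 to 50 characters.';
    }

    return $errors;
}

/** Escape a value before echoing it back into HTML (attribute or text). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['submitted']) && $_POST['submitted'] === 'yes') {
    $errors = validate_subscription($_POST);
    if ($errors === []) {
        // add_to_mailing_list(trim($_POST['email'])); // hypothetical: the poster's existing list update
        echo '<p>Thanks, you are subscribed.</p>';
    } else {
        // Redisplay the errors above the form instead of a JavaScript alert()
        echo '<ul><li>' . implode('</li><li>', array_map('h', $errors)) . '</li></ul>';
    }
}
?>
<form method="post">
  Email: <input type="text" name="email" value="<?php echo h($_POST['email'] ?? ''); ?>"><br>
  Name: <input type="text" name="name" value="<?php echo h($_POST['name'] ?? ''); ?>"><br>
  <input type="hidden" name="submitted" value="yes">
  <input type="submit" value="Subscribe">
</form>
```

Because every check runs in PHP on the submitted request, a client that skips or disables the JavaScript gets the same error list as one that runs it.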