HI,

My supervisor wanted me to write a generic validation script or program or function that would validate all the forms on our website.

Now I know there is all this stuff you could check, for example, checking the input, manipulating the input data carefully, and providing appropriate people access to that data. But the difficult part is, without knowing what the form is about (since I didn't write all the forms), do you guys have any idea on how to write a generic script that would secure web forms, generally? Thanks a lot

Kelvin

    There is no way for you to do this generically. Since all of the data you get back is in string format, there really isn't a way for you to check that the information in that string is correct.

    Now if all of your forms were re-written to hold a bunch of hidden fields that described the entry fields that your users had access to, you could build something to use that hidden data to validate the user data. This would take some doing to build correctly, and you'd probably have to build a form generator also that would create the correct HTML code so that the description code would get created properly.

      The closest thing that you could do is use javascript to run through every field on your page - there are ways to cycle through them all - and place a type of validation on that - otherwise you're pretty much screwing the pooch.

      Cheers

        Originally posted by simply•skewed
        The closest thing that you could do is use javascript to run through every field on your page - there are ways to cycle through them all - and place a type of validation on that - otherwise you're pretty much screwing the pooch.

        Cheers

        That can also be done with PHP. There is an array created called $_POST when you post the form; you can then loop through the array and check the fields however you would like, with regex, PCRE (Perl compatible regex) or any other way you want: strip_tags, htmlentities, str_replace, is_numeric, etc....

          Right, but when using PHP you won't be able to validate the specific data fields, i.e. checking that a value was entered between 1-18. To do this you will need to have more information than what is supplied in the $_POST variable.

            I don't understand what you mean.

            All you do is loop through the $_POST array, and let's say you have a field called number from the form; then when you loop through the posted array, which will always be there, there will be a key/value pair like

            number/15

            so $_POST['number'] would equal 15

            If you do a print_r on the $_POST array you will see all posted fields with their key/value pairs.
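As an added example (not code from anyone in this thread), the generic loop over $_POST that stolzyboy describes, with the per-field rules kept in a server-side table keyed by a form name rather than guessed from the posted data. The form name `signup`, the field names and the rule syntax are assumptions made for the illustration; values in $_POST are always strings (or arrays), so the types and ranges are checked here before the value is used.

```php
<?php
// Added example, not from the thread: generic server-side validation that
// loops over the posted array and checks every field against a rule table
// held in server code. Form name, field names and rules are assumptions.
declare(strict_types=1);

// The rule table lives on the server, so a user cannot change it from the browser.
const FORM_RULES = [
    'signup' => [
        'username' => ['required' => true, 'maxlen' => 32, 'regex' => '/^[a-z0-9_]+$/i'],
        'age'      => ['required' => true, 'type' => 'int', 'min' => 1, 'max' => 18],
        'comment'  => ['required' => false, 'maxlen' => 500],
    ],
];

/**
 * Validate $input (normally $_POST) against the rules registered for $form.
 * Returns ['ok' => bool, 'errors' => [field => message], 'clean' => [field => value]].
 */
function validate_form(string $form, array $input): array
{
    $errors = [];
    $clean  = [];
    $rules  = FORM_RULES[$form] ?? null;
    if ($rules === null) {
        return ['ok' => false, 'errors' => ['_form' => 'unknown form'], 'clean' => []];
    }

    // Reject fields the form never declared: a generic loop over $_POST must not
    // quietly pass through extra parameters a user added to the request.
    foreach (array_keys($input) as $name) {
        if (!isset($rules[$name])) {
            $errors[$name] = 'unexpected field';
        }
    }

    foreach ($rules as $name => $rule) {
        $value = $input[$name] ?? null;
        // $_POST values may be arrays (name="x[]"); only plain strings are accepted.
        if (!is_string($value) || $value === '') {
            if (!empty($rule['required'])) {
                $errors[$name] = 'required';
            }
            continue;
        }
        if (isset($rule['maxlen']) && strlen($value) > $rule['maxlen']) {
            $errors[$name] = 'too long';
            continue;
        }
        if (isset($rule['regex']) && preg_match($rule['regex'], $value) !== 1) {
            $errors[$name] = 'bad format';
            continue;
        }
        if (($rule['type'] ?? 'string') === 'int') {
            // FILTER_VALIDATE_INT rejects "1.5" and "1e3", both of which is_numeric() accepts.
            $n = filter_var($value, FILTER_VALIDATE_INT);
            if ($n === false) {
                $errors[$name] = 'not an integer';
                continue;
            }
            if ((isset($rule['min']) && $n < $rule['min']) || (isset($rule['max']) && $n > $rule['max'])) {
                $errors[$name] = 'out of range';
                continue;
            }
            $value = $n;
        }
        $clean[$name] = $value;
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Constructed sample submission: "age" is outside 1-18 and "admin" was never part of the form.
$posted = ['username' => 'kelvin', 'age' => '25', 'admin' => '1'];
$result = validate_form('signup', $posted);
print_r($result['errors']);
```

In real use `$posted` would be `$_POST` and `'signup'` would come from the route or a server-chosen form identifier, never from a user-supplied field. The table is what makes the loop generic: each developer registers the rules for their form once, and the same function checks every form, rejecting any field it has no rule for.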

              Originally posted by simply•skewed
              The closest thing that you could do is use javascript to run through every field on your page - there are ways to cycle through them all - and place a type of validation on that - otherwise you're pretty much screwing the pooch.

              Cheers

              Thanks for your comment! But the thing with javascript though, it is only good for fast front end validation. I mean a hacker can easily get around it, if the validation was done JUST with javascript. Let's say for example you have a function in javascript called validate(thisform); you would run it on the form like this, right?:

              <form blah blah blah....... onSubmit="return validate(this)">

              Well, a hacker can just look at the source code and just take that away, so that when the form is submitted, it won't run that function.

              I tried that before and my supervisor told me they have a way around that, I didn't know before either.

              Thanks for your suggestion anyways!

                Originally posted by stolzyboy
                That can also be done with PHP. There is an array created called $_POST when you post the form; you can then loop through the array and check the fields however you would like, with regex, PCRE (Perl compatible regex) or any other way you want: strip_tags, htmlentities, str_replace, is_numeric, etc....

                Thanks stolzyboy! I actually thought of that, just do a foreach loop with the $_POST array and do the checking.

                The only thing is, well, without knowing the information or the purpose of the form, I won't know what to check. For example, say I want to restrict the length of the fields to be 500 chars. But then I don't know if this is an appropriate maximum length for the fields.

                I guess the only difficult part about this is that it has to be generic. I don't even know if it is possible. Someone suggested that maybe I can add some hidden fields that would carry information about that particular field. But for that, I need to make sure every programmer writes a hidden field for each of the fields in their form.

                One thing I was thinking of was, maybe I can check for things that have nothing to do with the content of the form. I really have no idea.

                But thanks a lot for all your help, any more suggestions are welcome 🙂

                  I love PHP and use it whenever possible but we have to be practical as well. Client side - and Server side right?

                  Just a note though you may want to consider - whereby the javascript is only client side - we all know this - and it works efficiently enough for a quick validation - if you're using PHP, you have to be sure you want to go back to the server every time to validate your fields - depending on the connection speeds of your clients and the server workload - [you should under normal circumstances be fine] but it may cause an annoying wait period. And you'll have to go through it again... and again.

                  The hacker thing - sure - I respect the fact that javascript is only client side and source can be attained - but what type of form are you securing? The worry usually comes when a hacker accesses source you've written on the server. A form validation doesn't usually pose too much of a threat... unless you put stoopid stuff in your script.

                  Again, not entirely sure of what you're securing or checking - but just a thought. Going back to the server for nothing - is like going to a store buying a can of soup when ya had the same thing at home.

                  Bon appétit

                    I guess the only difficult part about this is that it has to be generic. I don't even know if it is possible. Someone suggested that maybe I can add some hidden fields that would carry information about that particular field.

                    What exactly did your employer specify?

                    You might want to write a module or class that is generic enough to fulfill the company's data validation needs, i.e. it can be applied to "all the forms on (your) website".

                    it works efficiently enough for a quick validation

                    The rule of thumb concerning incoming data is not to trust it.
                    Forms can be altered and used for malicious purposes, HTTP_REFERER can be spoofed, "hidden" form elements aren't particularly hidden, etc.

                    Client-side validation is okay, but you must always include server-side validation.
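An added example (not code from anyone in the thread) that ties the first reply's hidden-field idea to laserlight's point that hidden fields aren't hidden. If a form carries its own rule descriptor in a hidden field, the user can edit that descriptor in the browser just like any other field. One way to still use the descriptor is for the server to sign it with an HMAC when it renders the form and to refuse, on submission, any descriptor whose signature does not verify. The secret, the `_rules`/`_sig` field names and the rule syntax are assumptions made for this illustration.

```php
<?php
// Added example, not from the thread: a rule descriptor carried in hidden
// fields, signed by the server so that a user who edits the "hidden" rules
// in the browser is detected. Field names, key and rule syntax are assumptions.
declare(strict_types=1);

// Server-side secret: load from configuration in real code, never from the form.
const RULE_HMAC_KEY = 'replace-with-a-long-random-secret';

/** Build the two hidden-field values a form generator would emit for $rules. */
function issue_rule_descriptor(array $rules): array
{
    $desc = json_encode($rules, JSON_THROW_ON_ERROR);
    return ['_rules' => $desc, '_sig' => hash_hmac('sha256', $desc, RULE_HMAC_KEY)];
}

/** Return the rules only if the submitted descriptor carries a valid signature. */
function verify_rule_descriptor(array $post): ?array
{
    if (!isset($post['_rules'], $post['_sig']) || !is_string($post['_rules']) || !is_string($post['_sig'])) {
        return null;
    }
    // Re-sign exactly the bytes the client sent back; any edit changes the MAC.
    $expected = hash_hmac('sha256', $post['_rules'], RULE_HMAC_KEY);
    // hash_equals compares in constant time, so timing does not leak the MAC.
    if (!hash_equals($expected, $post['_sig'])) {
        return null;
    }
    $rules = json_decode($post['_rules'], true);
    return is_array($rules) ? $rules : null;
}

/** Apply a minimal rule set (maxlen, integer min/max) to the posted fields. */
function check_with_descriptor(array $post): array
{
    $rules = verify_rule_descriptor($post);
    if ($rules === null) {
        return ['_rules' => 'descriptor missing or tampered'];
    }
    $errors = [];
    foreach ($rules as $name => $rule) {
        if (!is_array($rule)) {
            continue;
        }
        $value = $post[$name] ?? '';
        if (!is_string($value)) {
            $errors[$name] = 'bad type';
            continue;
        }
        if (isset($rule['maxlen']) && strlen($value) > $rule['maxlen']) {
            $errors[$name] = 'too long';
            continue;
        }
        if (isset($rule['min'], $rule['max'])) {
            $n = filter_var($value, FILTER_VALIDATE_INT, [
                'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
            ]);
            if ($n === false) {
                $errors[$name] = 'not an integer in range';
            }
        }
    }
    return $errors;
}

// 1. The server renders the form with a signed descriptor saying age must be 1-18.
$hidden = issue_rule_descriptor(['age' => ['min' => 1, 'max' => 18]]);

// 2. Constructed honest submission: hidden fields returned unchanged.
$honest = $hidden + ['age' => '15'];

// 3. Constructed tampered submission: the user rewrote the "hidden" rules to allow 999
//    but cannot produce a matching signature without the server's key.
$tampered = [
    '_rules' => json_encode(['age' => ['min' => 1, 'max' => 999]]),
    '_sig'   => $hidden['_sig'],
    'age'    => '99',
];

print_r(check_with_descriptor($honest));
print_r(check_with_descriptor($tampered));
```

The tampered submission fails at `verify_rule_descriptor` before any field rule is consulted, because the MAC was computed over the original descriptor. The signature only proves the server issued that descriptor at some point; to stop a user replaying a descriptor issued for a different, more permissive form, include the form's identifier inside the signed descriptor and check it against the form actually being processed.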

                      True - all incoming data should be considered malicious. As I mentioned before - I'm not sure what's being validated here - or what may be potentially validated... but laserlight did make a good point that forms may be altered for unknown intent.

                      Think it comes down to a combo of everything mentioned to date.

                      Validate incoming client side - validate server side - I think for you to properly attain your goal of a generic validation - your employer would have to provide you with more information - possibilities - what they foresee - until you're fully informed you may be busting your head for nothing. As you mentioned using the foreach - you don't know what to validate for. You answered it yourself. Ya need more information 😉

                      Cheers
