This question already has answers here:
JavaScript: client-side vs. server-side validation
(13 answers)
Closed 4 years ago.
Im currently working on a register form, and I decided to add some required fields, like email, password etc..
The only validation i want to do on the required fields is simply not null, so i used the required attribute inside of an input element.
Is this safe? Or do i need to use additional PHP validation?
A server side validation is better (if we can't even say needed), and it's really easy to make.
Here's an example if needed :
if(!empty($_POST['pseudo']) && !empty($_POST['password'])) {
//Prevent SQL injection (if you use DB here)
$pseudo = addslashes($_POST['pseudo']);
$password = addslashes($_POST['password']);
}
addslashes() isn't the best way but work on any DB engine, for example it's better to use mysql_real_escape_string() if you have a MySQL engine.
And the associated form :
<form method="post" action="#">
<label for="pseudo">Identifiant</label>
<input type="text" name="pseudo" required>
<label for="password">Mot de passe</label>
<input type="password" name="password">
<input type="submit" value="Connexion" required>
</form>
Using a webpage to send you a form is not the only way in form sending.
Someone can sends you forms with other devices or can skirt your required fields and send you empty data or undesirable data like PHP Injections.
You should make a server side validation.
It might be safe, as far as the most recent browser fully support the attribute. But I don't know what happen if someone use an old version of a browser, so if you're scared about that, a PHP validation won't be too much.
If you want a good example of a registration form, just ask me in private, I'll send it to you !
Related
I'm building a small website where I'll be the only user (let say my credentials are "myuser" with the password "mypassword"). In the login page I have this simple form:
<form method="post">
<p>Username: <input type="text" name="usr"></p>
<p>Password: <input type="text" name="passwd"></p>
<p><input type="submit" value="Login"></p>
</form>
Is it safe to just validate the form like this?
// After checking if the request is POST...
if($_POST["usr"]=="myuser"&&$_POST["passwd"]=="mypassword") {
// Set the cookie and go to admin page...
} else {
// Show login error...
}
Or do I need to apply some security measure to the two $_POST variables (e.g. by filtering them with htmlspecialchars or something like that)? As you can see, the credentials are not saved in a database, and also these variables are never called anywhere else in the code, so I don't see any danger even if a malicious user attempts to hack the form with SQL Injection or XSS.
So, did I miss something? Is there any potential danger in leaving the code like that?
I think it is fine, you can add a hashe function & something to prevent a brute force attack to secure a little more. :)
(Sorry can't comment yet)
With php we can use mysql_real_scape_string(), this function have a parameter that modify a string deleting the special chars. This function returns a secure string, now we can execute this string into a SQL query.
I have the following input in a form
<input name="email" type="text" id="email"size="50" english="Email address" />
I have a custom tag called english, My question is can I send this as post data and can I recover it on my new page ?
Any help would be much appreciated , Thanks
If you use JavaScript to submit your form, you can read you custom tags' values ad append them to the form data to send. Otherwise, clean HTML form just submits only input tags value.
The best method I can think of right now is to have hidden field with the label as value. Like
<input name="email_label" type="hidden" id="email_label" value="Email address" />
The short answer is: no. The post data received from the HTML in your question will be an array with email as the key, and whatever the user typed as the value.
The solution depends on the problem you're trying to solve. Consider using a hidden input tag instead. For example:
<input name="language" type="hidden" value="English" />
Alternatively, a neater solution would be to store the language in the session (assuming that does what you need). You should never rely on the front end of a website "telling" the back end stuff like this, at least to a certain degree. The back end should just "know".
I have a HTML form inside of a PHP file and I am trying to validate this form using Jquery. To my dismay,I am not able to have the form validated before the page is summited, ie refreshed. Furthermore, I have use seveal different plugins and I do not get any notifications of any kind. Here is the form as is:
<div id="contactRight">
<form method="post" action="form.php">
<input type="text" class="required" id="first" value="First*" ></input><br/>
<input type="Last Name" value="Last*" id="lastname"></input><br/>
<input type="text" value="Email*" id="email"></input><br/>
<textarea id="subject" id="subject">Subject*</textarea>
<input class="submit" type="submit" value="submit"></input>
</form>
Using the bassistance validation plugin it says that you can give your inputs a class with a value of "required" causing the validation plugin to kick in. I am overfly frustrated with my attempts of making this form work. More so, using HTML 5 is catastrophic, I do not receice any notifications of any input fields not being filled in. Is there a different approach I should be taking?
If you want to use HTML5's native form validation, do the following:
for input fields requiring a value, add required attribute in the input tag
for checking email, the input tag should have a type attribute as 'email'.
for other sorts of pattern matching, use pattern attribute with regex.
Reference:
https://blog.mozilla.org/webdev/2011/03/14/html5-form-validation-on-sumo/
http://www.developer.nokia.com/Blogs/Code/2012/11/21/creating-a-custom-html5-form-validation/
BTW, If you want to disable this native form validation, add novalidate attribute in form tag.
I have discovered the problem, I can add a placeholder tag which will allow me to keep the values empty. I had values, so the validator was working as expected. Silly Me. My next question though, is the placeholder tag applicable in all other browsers?
As of now I am validating my inputs using this type of approach
<form method="post">
<label>Email</label>
<input type="email" name="user_email">
<input type="submit" name="reg">
</form>
if(isset($_POST['reg']){
$result = checkEmail($_POST['email']);
//checkEmail() is my function to check email, if it returns true it has duplicate
if($result){
echo '<p>E-mail already exist!</p>'
else{
//something to do in this..
}
I have seen some website after I type the email it automatically updates and i want to learn how to that without using any frameworks since I am just a starter, i just want a simple code. Any suggestions or advice on how to do it? Thank you :)
You'd have to use Ajax for that. To use Ajax natively is a lot of work though, you'd have to care for different browsers and a lot of ground work which can be taken care of by using a lightweight javascript libraries like jQuery. Using jquery together with an excellent plugin like Validate you can achieve what you're looking for. They have a working example of what you're trying to do at this demo page
I'm sorry but I think you'll need to use some AJAX code, HERE
I found a very interesting code.
How can I ref-fill posted form data via PHP in the event of an error. I have a contact form and the user enters a bunch of information and if one field doesn't validate, he loses everything. How can I stop this from happening and make sure it is secure?
I've tried this, but believe I read somewhere it is not secure:
<input type="text" name="name" value="<?php echo $_POST['name']; ?>" />
One issue is that if $_POST['name'] contains a ", then the value can 'escape' out and rewrite the page content.
Another is that with strict error checking switched on, accessing a non-existent array index will throw a Notice error.
Here is one safe way of re-filling the form data:
<input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name']) : ''; ?>" />
I would personally recommend handling form display and validation through a framework, like Zend_Form within the Zend Framework. (You won't have to change everything else across just to use the form stuff) It makes writing safe and readable code much easier.