So I posted a question the other night and an interesting reply got me thinking. I've always done things a certain way and I try to be as safe as possible, but I'm wondering what else I could be doing. This isn't related to a specific piece of code so much as a concept.
The stack is jQuery/PHP, with standard HTML and CSS.
Scenario
I write a signup form. The form includes email, password, first name, last name, and zip code.
When the user submits, jQuery picks it up, prevents the default action, and submits the data for validation through AJAX. On the PHP side, I verify lengths, symbols, values, etc. to get the best possible read on the data. If everything checks out, I continue with the signup. If a flag is tripped, I return a JSON string with a message, an error status, and other relevant information. I validate on the server rather than in jQuery because the user can open the script and make changes.
On the PHP side, I can only work with the information that is received. I use POST and I only read the variables I'm looking for, so nothing extra can be slipped into the PHP this way... at least not easily. I'm also using PDO and prepared statements for inserting into the db as an extra measure of security.
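For reference, the flow I'm describing looks roughly like this (a minimal sketch; the field names, limits, and credentials are placeholders, not my real code):

    <?php
    // validate.php -- AJAX endpoint: read only the expected POST fields,
    // validate them, and answer with a JSON status.
    header('Content-Type: application/json');

    $email = trim($_POST['email'] ?? '');
    $pass  = $_POST['password'] ?? '';
    $zip   = trim($_POST['zip'] ?? '');

    $errors = [];
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    if (strlen($pass) < 8) {
        $errors['password'] = 'Password must be at least 8 characters.';
    }
    if (!preg_match('/^\d{5}$/', $zip)) {
        $errors['zip'] = 'Zip code must be 5 digits.';
    }

    if ($errors) {
        echo json_encode(['status' => 'error', 'errors' => $errors]);
        exit;
    }

    // Validation passed: insert with PDO and a prepared statement.
    $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret');
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash, zip) VALUES (?, ?, ?)');
    $stmt->execute([$email, password_hash($pass, PASSWORD_DEFAULT), $zip]);

    echo json_encode(['status' => 'ok']);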
My question is this: when you're validating data, what other steps do you take to prevent security breaches? I only know what I know, which is why I ask; I'm always looking to make my code better. Obviously there are a dozen functions I can use like strip_tags(), stripslashes(), etc., but I'm really curious what everyone else does in case there might be something I could be doing better.
I tried Google, but searching for validation and error checking mostly returns the obvious broken scripts and code snippets, and not much in the way of conceptualizing a better way of doing things. Just looking for some general feedback. Thanks!
Related
I have researched APIs and I generally understand how they work and how to use them (HTTP request to the API, get the data and parse it, etc.). However, for my project I need to use data that I collected myself, so I can't just use someone else's database, for example. I'm quite new to this, so I don't understand a few things. I'll try to explain my plan as clearly as possible. Please let me know if any additional explanation is required.
I have an HTML form which can be filled out and saved. This form is not supposed to live locally, but rather on a server.
I have read a lot about XML files and APIs, and I also saw many similar questions on here, but I'm not sure what applies to my case.
I wanted to store the information from the form in an XML file. Some people said this could be done with JavaScript; others said it would require a server-side script. Which applies in this case? I would guess that I need a server-side script, but as I said, I'm kind of at a loss here.
I thought I could simply use JavaScript to capture whatever is entered into the form and use Python or PHP to create an XML file in which I store this information. This XML file would then be used by the API. This is where I have trouble understanding.
The edited form is supposed to be saved (on the server, I guess, so several people can access it), so you can go back to it later and edit it again. How exactly would I implement an API here? Can I just "make" my own XML file which the API uses as a database? Is there a better way to do this?
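To make the question concrete, here is my rough idea of the server-side piece (a sketch only, assuming PHP; the file and field names are made up):

    <?php
    // save.php -- the form posts here; PHP appends one <entry> to an XML
    // file that other pages (or an API endpoint) could read back later.
    $file = __DIR__ . '/entries.xml';

    // Load the existing file, or start a new document.
    $xml = file_exists($file)
        ? simplexml_load_file($file)
        : new SimpleXMLElement('<entries/>');

    $entry = $xml->addChild('entry');
    $entry->addChild('name',    htmlspecialchars($_POST['name'] ?? ''));
    $entry->addChild('message', htmlspecialchars($_POST['message'] ?? ''));
    $entry->addChild('saved',   date('c'));

    $xml->asXML($file);

    header('Location: form.html?saved=1');

Is something along these lines what people mean by a server-side script?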
I know this probably seems like a stupid question but I really want to understand this so bear with me. I'm very much overwhelmed by this task so I appreciate any help.
While looking for a way to speed up form validation on a large number of fields, I built my own library of PHP validation functions to be re-used across multiple websites. I am now trying to avoid duplicating these rules in JavaScript without sacrificing user-friendliness.
I am thinking of storing attempted inputs in $_SESSION['attempted_inputs'].
Upon failed server-side validation, the user would be redirected back to the original form, where an error message would be printed and all fields would be prefilled with the attempted inputs, thus eliminating the need for JS validation.
Assuming attempted inputs are properly sanitized upon saving, and server resources are not a concern on my clients' small-scale applications, what could be the downsides of using this method instead of a classic client-side JS approach?
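For clarity, the flow I have in mind is roughly this (a sketch; validate() stands in for my existing validation library, so the name is hypothetical):

    <?php
    // process.php -- on failure, stash the attempted inputs and bounce
    // the user back to the form for redisplay.
    session_start();

    $errors = validate($_POST);
    if ($errors) {
        $_SESSION['attempted_inputs'] = $_POST;
        $_SESSION['form_errors']      = $errors;
        header('Location: form.php');
        exit;
    }
    // ...continue with the valid submission...

On form.php, each field would then read its old value back with something like htmlspecialchars($_SESSION['attempted_inputs']['email'] ?? ''), and the session keys would be cleared after rendering.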
Thanks
Downsides:
Unnecessary session start/save/delete. The garbage-collection process could end up doing a lot of unnecessary work. You could use a POST-back style instead of saving to the session. I know you said you don't care about performance, but this could come back to bite you someday.
Slower validation. Going back and forth with the form isn't nice UX. If you can say what's wrong before the form is posted, you should do it.
If I can think of more downsides, I'll edit my answer.
While this is not the right place to ask about concepts, I just wanted to give you a quick heads-up.
You should always validate your inputs on the server side. Manually changing requests is trivial these days with tools such as the developer console, and relying on client-side checks makes your application vulnerable to many kinds of attacks.
I have made a simple PHP contact form following this tutorial:
http://www.catswhocode.com/blog/how-to-create-a-built-in-contact-form-for-your-wordpress-theme
The big problem is that this form processing is not safe; I have heard people can use it to send spam and/or hack my server.
What are the basic steps needed to make this form more secure?
PS: I don't want to use reCAPTCHA if it can be avoided...
Edit: I need suggestions for which PHP functions are used to filter the input and make sure the form is submitted "the right way", not altered and/or used to hack my site or send email to other people (i.e., using the site to spam others). Do I just need to use stripslashes(), or is there a better way?
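From what I've read so far, the checks might look something like this (a sketch, not a complete solution; the addresses are placeholders). The big risk with mail forms is apparently header injection, where newlines in user input smuggle extra recipients into the mail headers:

    <?php
    $name    = trim($_POST['name'] ?? '');
    $email   = trim($_POST['email'] ?? '');
    $message = trim($_POST['message'] ?? '');

    // Reject anything that isn't a syntactically valid address
    // (a valid address cannot contain newlines).
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        die('Invalid email address.');
    }

    // Strip CR/LF from free-text fields that end up in headers,
    // so user input can never add extra mail headers.
    $name = str_replace(["\r", "\n"], '', $name);

    $headers = 'From: noreply@example.com' . "\r\n"
             . 'Reply-To: ' . $email;

    mail('me@example.com', 'Contact form: ' . $name, $message, $headers);

Is that the right direction?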
One way: if you're not a huge site, it's not likely anyone is going to figure this out or take the time to try.
You could use some tricky JS to handle tokens on click. Your server issues token IDs to clickable/focusable elements on the page during the backend render phase, and logs them in a database or data file. Then, when users click around and submit, you can compare the IDs sent via the onclick() handler. You could also apply some heuristics to determine whether the history of clicks is reasonably paced: even if a bot scripted the hijacking of the token IDs and auto-submitted, you could check whether the time between click events looks automated. Signed up for a Twitter account lately? They use passive human detection that, while not 100% foolproof, is slower and more difficult to break. Somebody would REALLY have to want to hack/spam your site.
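A stripped-down version of the token part might look like this (a sketch only; the click logging and timing heuristics are left out, and all names are made up):

    <?php
    session_start();

    // Render phase: issue a token and remember when the form went out.
    // Echo the token into the form as a hidden input named "token".
    $_SESSION['form_token']    = bin2hex(random_bytes(16));
    $_SESSION['form_rendered'] = time();

    // Submit phase: the token must match, and a human needs at least a
    // few seconds to actually fill the form in.
    $tokenOk = hash_equals($_SESSION['form_token'] ?? '', $_POST['token'] ?? '');
    $tooFast = (time() - ($_SESSION['form_rendered'] ?? 0)) < 3;

    if (!$tokenOk || $tooFast) {
        http_response_code(400);
        exit('Submission rejected.');
    }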
Important step 2: strip out or URL-encode strange characters if you think they will break your page. Common ones that break things are ", ', and :.
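For instance (a small PHP sketch; the field name is a placeholder):

    <?php
    $input = $_POST['comment'] ?? '';

    // Encoding beats stripping: the data survives intact, but quotes and
    // angle brackets can no longer break your markup or URLs.
    $safeHtml = htmlspecialchars($input, ENT_QUOTES, 'UTF-8'); // for HTML output
    $safeUrl  = rawurlencode($input);                          // for URL components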
Another Way: http://areyouahuman.com/
As long as you are using encrypted methods, verifying humanity without crappy CAPTCHAs is possible. I mean, don't ignore your headers either. These are complementary approaches.
The key is to have enough complexity to make for an NP-Complete problem. http://en.wikipedia.org/wiki/NP-complete
When the day comes that AI can solve multiple complex human problems on its own, we will have other things to worry about than request tampering.
http://louisville.academia.edu/RomanYampolskiy/Papers/1467394/AI-Complete_AI-Hard_or_AI-Easy_Classification_of_Problems_in_Artificial
Another company doing interesting research is http://www.vouchsafe.com/play-games: they use games that effectively train the reverse Turing test (RTT) itself to be solvable only by humans!
Here's a great article on NP-hard problems. I can see a huge possibility here: http://www.i-programmer.info/news/112-theory/3896-classic-nintendo-games-are-np-hard.html
What is the point of validating your HTML forms with JavaScript if you are always going to need to validate them with PHP anyway? I realize that you get a speed boost from it and it's more convenient for the user, but beyond that, is the time spent on it worth it? If anyone has any good evidence on this, I would love to hear it.
Thanks for any help!
Metropolis
UPDATE
After receiving numerous answers, I would like to change the question a little. We all know that JavaScript is much more convenient for the user and gives faster feedback. What I am wondering is: has anyone ever seen any "evidence" that it's worth it? Or do we just do it because it makes things a little better and everyone says we should? The speed difference is not that significant, and as the internet gets faster, I would think JavaScript validation will become even more obsolete.
I am starting to wonder if the time spent validating a page with JavaScript could be better spent elsewhere.
Ideally, you validate through javascript and (in your case) PHP.
Both validation methods work in tandem to give your end user the most robust and user-friendly functionality possible.
You use client-side validation to ensure that all fields are filled in, email addresses are valid, etc. This provides instant feedback and won't burden your servers or the user's internet connection.
You validate server-side for security. You can control everything on the server and nothing on the client machine, so this is where you ensure that all entered data is correct and non-malicious.
Keep this in mind: if you are only going to go with one type of validation, choose server-side validation because it is more secure. You should never rely on client-side code for any kind of security.
Using both types of validation gives you the best of both worlds (responsiveness and security) while having none of the downsides. Of course, this means you have to write more code, but in my opinion, it's worth it.
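To sketch what that second, server-side layer could look like in PHP (the field names and ranges here are hypothetical): even if JavaScript has already checked these fields, the server repeats every check, because the client-side code may have been bypassed entirely.

    <?php
    $email = $_POST['email'] ?? '';
    $age   = $_POST['age'] ?? '';

    // Repeat the client-side rules on the server, where they can't be skipped.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL)
          && filter_var($age, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0, 'max_range' => 120]]);

    if (!$valid) {
        http_response_code(422);
        exit('Invalid input.');
    }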
EDIT: In response to the comments
Yes, you have to write more code this way... As a rule of thumb, if it's harder for the programmer, it's easier on the user. It might not make sense in some budgets to do both types of validation, and that's a call you're going to have to make. Just make sure your server-side validation is rock solid regardless.
Yes, time is money, and time invested in improving the user's experience is time well spent. If you can't afford to do it now (deadlines/schedule/budget) then do it when you can.
It's all about usability. It is much more convenient for the user to see what errors they have made before the page reloads, rather than continuously submitting and reloading the page. With some AJAX and the like, it can also look nicer than a page reload with the very ugly red error messages, I think. So the advantage? Much more usable than having server-side validation alone.
To provide a better user experience.
The feedback on JS validation is faster, and therefore better than server-side validation on form submit.
The main point of JavaScript validation (when available) is that it improves the user experience. A round-trip to the server requires a page load and the associated annoying flicker as it redraws. Validating in JavaScript code allows you to display a message without all that.
That being said, server-side validation is still required since JavaScript isn't always available (NoScript is quite popular) and because a malicious user will bypass the JavaScript.
Particularly for database-backed websites, you tend to need server-side validation anyway, e.g. to make sure you're putting valid data into the database or another system. Depending on what the website is updating, this could be absolutely critical.
However, client-side validation can provide a better user experience. It can give instant feedback: e.g., when you move focus away from a text box, a validator can respond immediately, which is great when you're filling in a long, complicated form.
The bottom line is that you still need to put good data into your database. And the more correct the information stored there, the fewer problems you'll have with the system later. You need both.
E.g., what if someone updates the website code in the future and breaks the validation? Or someone writes a script to automate inputting data, bypassing your web front end and all its validation?
I'll say it again. You need both.
...I think you're also keeping your karma cleaner when hundreds or thousands of your users don't wish you'd burn in hell for making them fill in 5-7 fields (with a textarea) only to be informed on the next page that they mistyped their email, so they have to start all over again :D
It doesn't eat up much of my time to incorporate JavaScript; I'd say 1-2 minutes maximum for one form. And it saves lots of my users' nerve cells. Be a humanist! Love your neighbour!))
Client-side validation allows for an improved user experience. The feedback you give the user leads to less frustration, fewer errors, more conversions, more money.
You generally have a better response rate with this kind of validation, which is very valuable.
High-quality software needs this. Users feel happy, and they will spread their joy. A user who has a bad experience won't come back and won't tell his friends.
It's not only decoration when you get to business and sales. ;) The return on investment is worth it.
Easy.
JavaScript to help the user enter correctly formatted data.
PHP to make sure whatever enters your script gets cleansed before further processing.
Of course you'll have to do both. Users want it, your customers want it, and frankly, you think it's fugly getting PHP error messages after submit as well.
I don't think the argument that coding the extra .js would eat up your time/budget holds any truth. There are so many libs and scripts out there that any one of them will let you set up disco validation in no time at all. However, don't get carried away with dealing out eye candy; .js validation is just there to help, not to impress.
PHP runs server-side; JavaScript runs client-side. You don't want your server crunching form validation when you can get the client's computer to do it. Plus, it saves bandwidth.
Currently I'm wondering if there is a way to post to a website that uses a CAPTCHA as a human check. The following question is asked; of course, this is done with random numbers:
Type this number in digits; 'twohundredandfive': [ input ]
The form is sent using AJAX, so when the website reloads, the number to be typed changes.
One way to get past this would be reading and converting the number, then posting some data; but by the second request the number has already changed (which is good). But IS there a way to avoid this?
Don't think I'm using this with bad intentions; the described form is used in one of my applications. It is just a check to make sure bots can't get past.
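For context, the check works roughly like this (a minimal sketch, assuming PHP with the intl extension; all names are placeholders):

    <?php
    session_start();

    if (isset($_POST['captcha'])) {
        // AJAX submit: compare against the stored answer, then rotate it.
        $ok = (int) $_POST['captcha'] === ($_SESSION['captcha_answer'] ?? -1);
        unset($_SESSION['captcha_answer']); // one attempt per challenge
        header('Content-Type: application/json');
        echo json_encode(['human' => $ok]);
        exit;
    }

    // Render: pick a random number and present it spelled out.
    $number = random_int(100, 999);
    $words  = (new NumberFormatter('en', NumberFormatter::SPELLOUT))->format($number);
    $_SESSION['captcha_answer'] = $number;

    echo "Type this number in digits: '$words'";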
Thanks so far :-)
A CAPTCHA should test whether the entity solving it is human. To my eyes, the problem you are setting looks like it would be fairly trivial to solve algorithmically.
Given that a human can pass the test, then it's certainly possible to write an automated bot which will pass it too. As to whether there is a "back door" which allows access without solving the CAPTCHA, only you can decide that by analysing your source code.
I hate CAPTCHAs. More often than not, they are unreadable to humans as well :)
I heard one Microsoft researcher offer the following scheme: put up four pictures, three of puppies and one of a kitten, and ask the user to click the kitten. With a large enough sample base, you can serve a random picture/question every time the page refreshes. No one will bother developing an algorithm to analyze photos to that degree.
Read this post for another interesting idea.
Converting strings to numbers has already been discussed in another question, where many references to the Google calculator were given; it does a great job at such conversions. So your approach is not suitable for testing whether your user is human.
As for an alternate solution, I can only link to another great answer.