TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
General (http://www.talkphp.com/general/) > alternative to die() function and echo? (http://www.talkphp.com/general/2661-alternative-die-function-echo.html)

sarmenhb 04-20-2008 02:19 AM

alternative to die() function and echo?
 
hi, is there an alternative to writing die functions in something like this?

Code:

if(isset($_POST['submit'])) {
    if(!$_POST['txt_username'] || !$_POST['txt_password']) {
        die('the username or password was not entered');
    }
}


Would I need to learn JavaScript to test for empty text fields? What I'm wondering is how secure that can be,
because what if someone were to grab the form's action URL and make himself a local file on his desktop, calling the form from his local PC with SQL injection or XSS?

this is what i mean

Code:

localpage.html

<form method="post" action="domain.com/forms.php">
<input type="text" name="txt_username" value=">'><script>alert('xss');</script>">
<input type="text" name="txt_password" value=">'><script>alert('xss');</script>">
<input type="submit" name="submit" value="submit">
</form>

My example matching might not make sense, but pretend the code I gave above is something that relates to this last piece of code.

TlcAndres 04-20-2008 04:01 AM

I would use Jooney to send the form across with ease but if you wanted to do it without a framework it would be something like this

Quote:

function validate(){
    // compare the field values, not the input elements themselves
    var name = document.forms[0].txt_username.value;
    var pass = document.forms[0].txt_password.value;

    if(name == ''){
        alert('You need to fill out the username form');
        return false;
    }

    if(pass == ''){
        alert('Please fill in a password');
        return false;
    }
    return true; // let the form submit
}
then you take your form and do this

Quote:

<form method="post" action="domain.com/forms.php" onsubmit="return validate();">
<input type="text" name="txt_username" value=">'><script>alert('xss');</script>">
<input type="text" name="txt_password" value=">'><script>alert('xss');</script>">
<input type="submit" name="submit" value="submit">
</form>

delayedinsanity 04-20-2008 05:11 AM

You could alternatively use your own error handler in conjunction with trigger_error() instead of die() if all you're doing is looking for another way to show that something went wrong.

Never trust javascript to do anything that you need to make sure is done. Especially form validation - take care of everything server side, then if you want to add additional "usability", work your javascript or ajax into it afterwards.

Frameworks. Pssht. :-D

It sounds like you're asking how to validate a form field, more than how to return the error from it though, is this correct?
-m

sarmenhb 04-20-2008 06:34 AM

Quote:

Originally Posted by delayedinsanity (Post 13650)
You could alternatively use your own error handler in conjunction with trigger_error() instead of die() if all you're doing is looking for another way to show that something went wrong.

Never trust javascript to do anything that you need to make sure is done. Especially form validation - take care of everything server side, then if you want to add additional "usability", work your javascript or ajax into it afterwards.

Frameworks. Pssht. :-D

It sounds like you're asking how to validate a form field, more than how to return the error from it though, is this correct?
-m

Yea, I want to know the best way to validate the form, kind of like how people are doing it out there with JavaScript or AJAX. But what I'm wondering is, if I did use JavaScript and didn't use validation server side, the hacker would find a way to bypass the JavaScript. Let me explain what I mean with all this. Let me show you a sample piece of code and how a hacker would bypass the JavaScript. I'll use XSS for my example instead of SQL injection since I don't know much about it.


example of a form
Code:

<?php
require("config.php");

if(isset($_POST['submit'])) {

#---------------------------------
#check if username entered exists
#---------------------------------
# the form field is named txt_username, so read that key
$username = addslashes($_POST['txt_username']);
$query_user = mysql_query("select username from tbl_users where username = '$username'");
if(mysql_num_rows($query_user) == 0) { die("the user name you entered doesnt exist in the db"); }

#---------------------------------------------------
#check if username and password entered is correct
#----------------------------------------------------
$pass = addslashes($_POST['txt_password']);

# mysql_fetch_assoc() needs a result resource, so the query has to be executed first
$query = mysql_query("select username,password from tbl_users where username = '$username'");

while($row = mysql_fetch_assoc($query)) {
    if($row['password'] != md5($pass)) { die(''); }
}

#---------------------------------------------------
#if all is good add cookie and login
#----------------------------------------------------
$pass = md5($_POST["txt_password"]);
$hour = time() + 360; # was never set in the original; same lifetime as the login cookie
setcookie("login", $username, time() + 360);
setcookie("password", $pass, $hour);

}
?>
<html>
<head>
<script type="text/javascript">
function validatefield() {
    //code to validate form in javascript
    // i didn't put it because i dont know javascript that well
    return true;
}
</script>
</head>
<body>

<form method="post" action="" onsubmit="return validatefield();">
<table>
<tr>
<td>User name:</td>
<td><input type="text" name="txt_username"></td>
</tr>

<tr>
<td>password</td>
<td><input type="password" name="txt_password"></td>
</tr>
</table>
<input type="submit" name="submit" value="submit">
</form>

</body>
</html>

So, something like this that validates the form using JavaScript. What if I saw this page online and made this in Notepad?


Code:

<form method="post" action="http://www.domain.com/form.php">
<input type="text" name="txt_username" value=">'><script>alert('xss');</script>"> <br>
<input type="text" name="txt_password" value=">'><script>alert('xss');</script>">
<input type="submit" name="submit" value="submit">
</form>

Then when I load the page and press submit, the XSS or SQL injection goes through, and since there is no validation on the server side, wouldn't this just bypass all security testing and get in? I know the addslashes function exists and that would take care of symbols being entered, but I'm still wondering :)

sarmenhb 04-20-2008 06:37 AM

lol, I don't know how I went from asking one question to changing the question :p I need rest lol

freenity 04-20-2008 11:08 AM

Hi
An attacker can bypass your JavaScript validation by creating a program (script) that will send a POST request to the file you specify in <form action="file.php">.
Or the easiest method, I guess, is deactivating JavaScript support in his browser :)
JavaScript is never reliable for security, but you can implement JavaScript validation just to show users that the name, email or whatever they entered is wrong, so they don't have to wait for the whole reload for your PHP script to tell them this.
In the example above there is no XSS, because you don't show the input variables in the browser; however, the SQL injection might work.

delayedinsanity 04-20-2008 05:08 PM

There's a couple things you're going to want to do when you accept a form, and a lot of resources for reading a variety of different ideas on how to get it done. I could post you the methods I use to sanitize and then validate data when it comes in through a form, but honestly when it comes to security I think it's something you really should understand fully what you are accomplishing, otherwise the opportunity for something to slip through is rather huge.

Generally the process takes at least a couple of steps:

1. Sanitize all incoming data. This is where you catch most XSS and SQL injection type vulnerabilities by cleaning your form data of any corrupt or malicious entries. Check out such functions as trim(), htmlentities(), htmlspecialchars(), strip_tags(), and addslashes(). Also be sure to read up on magic_quotes_gpc when you get to that last one, as some servers mistakenly have this turned on, requiring you to do some extra coding in order to deal with it.

2. Validate incoming data to make sure you're getting the right kind. Again, there are various ways of doing this, such as using ctype functions, preg_match(), filter_input() and filter_var(), or completely writing your own from the ground up (though that usually requires some regular expressions and preg_match() anyway.)

Once again, never trust javascript. Never. Ever.
-m
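A server-side version of the thread's login handler, written as an added example (it is not code from any poster): it replaces die() with trigger_error() plus a custom handler, whitelists the username with preg_match(), binds the value in a prepared PDO statement instead of escaping it with addslashes(), checks the hash with password_verify() rather than md5(), and escapes anything echoed back with htmlspecialchars(). It assumes an already-open PDO connection in $pdo and a tbl_users table with username and password columns; those names are assumptions.

```php
<?php
// Added example (not from the thread). Assumes $pdo is an open PDO
// connection and tbl_users(username, password) exists (hypothetical names).
declare(strict_types=1);

// Collect problems through trigger_error() and a handler instead of die(),
// so the page can still render a message rather than stopping mid-output.
function form_error_handler(int $no, string $msg): bool {
    $_SESSION['form_errors'][] = $msg;
    return true; // handled: PHP neither prints it nor exits
}
set_error_handler('form_error_handler', E_USER_WARNING);

// Validate the submitted credentials; return a clean pair or null.
function validate_login(array $post): ?array {
    $user = trim((string)($post['txt_username'] ?? ''));
    $pass = (string)($post['txt_password'] ?? '');
    if ($user === '' || $pass === '') {
        trigger_error('the username or password was not entered', E_USER_WARNING);
        return null;
    }
    // Whitelist what a username may contain rather than stripping "bad" characters.
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $user)) {
        trigger_error('username must be 3-32 letters, digits, _ . or -', E_USER_WARNING);
        return null;
    }
    return ['username' => $user, 'password' => $pass];
}

// Look the user up with a bound parameter: the value never becomes part of the
// SQL text, so addslashes() and magic_quotes_gpc do not matter here.
function check_login(PDO $pdo, array $creds): bool {
    $stmt = $pdo->prepare('SELECT password FROM tbl_users WHERE username = :u');
    $stmt->execute([':u' => $creds['username']]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($creds['password'], (string)$hash);
}

session_start();
if (isset($_POST['submit'])) {
    $creds = validate_login($_POST);
    if ($creds !== null && check_login($pdo, $creds)) {
        $_SESSION['user'] = $creds['username']; // no password hash in a cookie
    }
}
// Anything echoed back is escaped for HTML, so the "><script> payload from
// the posts above renders as text instead of running.
foreach ($_SESSION['form_errors'] ?? [] as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
```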

Orc 04-20-2008 06:04 PM

PHP Code:

<?php exit('we killed in your script, sorry'); ?>


delayedinsanity 04-20-2008 06:29 PM

Code:

class Kill extends Homicide {
  var $human;
  var $orc;

  while ($fighting) {
      switch ($attack) {
        case "$this->orc": parry($this->human); break;
        case "$this->human": block($this->orc); break;
        default: $stalk($eachother);
      }
      if (isset($dead)) { die("aaaaAAAaaaaAAAUUURRrrrgHHHhhhh"); }
  }
}

I omitted a lot of $this and $that on purpose, of course...

