04-20-2008, 06:34 AM
#4
The Addict
Join Date: Jan 2008
Location: los angeles
Posts: 309
Quote:
Originally Posted by delayedinsanity
You could alternatively use your own error handler in conjunction with trigger_error() instead of die() if all you're doing is looking for another way to show that something went wrong.
Never trust JavaScript to do anything that you need to make sure is done. Especially form validation: take care of everything server-side, then if you want to add additional "usability", work your JavaScript or AJAX into it afterwards.
Frameworks. Pssht.
It sounds like you're asking how to validate a form field, more than how to return the error from it, though. Is this correct?
-m
Yeah, I want to know the best way to validate the form, kind of like how people are doing it out there with JavaScript or AJAX. But what I'm wondering is, if I did use JavaScript and didn't use validation server-side, the hacker would find a way to bypass the JavaScript. Let me explain what I mean by all this. Let me show you a sample piece of code and how a hacker would bypass the JavaScript. I'll use XSS for my example instead of SQL injection since I don't know much about it.
Example of a form:
Code:
<?php
require("config.php");
if(isset($_POST['submit'])) {
#---------------------------------
#check if username entered exists
#---------------------------------
# field names match the form below (txt_username / txt_password)
$username = addslashes($_POST['txt_username']);
$query_user = mysql_query("select username from tbl_users where username = '$username'");
if(mysql_num_rows($query_user) == 0) { die("the user name you entered doesnt exist in the db"); }
#---------------------------------------------------
#check if username and password entered is correct
#----------------------------------------------------
# the query string has to be run through mysql_query() before it can be fetched from
$query = mysql_query("select username,password from tbl_users where username = '$username'");
while($row = mysql_fetch_assoc($query)) {
# compare against the hash of the raw password, not the addslashes()'d copy
if($row['password'] != md5($_POST['txt_password'])) { die('wrong password'); }
}
#---------------------------------------------------
#if all is good add cookie and login
#----------------------------------------------------
$pass = md5($_POST["txt_password"]);
setcookie("login", $username, time() + 360);
setcookie("password", $pass, time() + 360); # same expiry as the login cookie
}
?>
<html>
<head>
<script type="text/javascript">
function validatefield() {
//code to validate form in javascript
// i didn't put it because i dont know javascript that well
return true;
}
</script>
</head>
<body>
<form method="post" action="form.php" onsubmit="return validatefield();">
<table>
<tr>
<td>User name:</td>
<td><input type="text" name="txt_username"></td>
</tr>
<tr>
<td>password</td>
<td><input type="password" name="txt_password"></td>
</tr>
</table>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
So, something like this that validates the form using JavaScript. What if I saw this page online and made this in Notepad:
Code:
<form method="post" action="http://www.domain.com/form.php">
<input type="text" name="txt_username" value=">'><script>alert('xss');</script>"> <br>
<input type="text" name="txt_password" value=">'><script>alert('xss');</script>"><input type="submit" name="submit" value="submit"> </form>
Then when I load the page and press submit, the XSS or SQL injection goes through, and since there is no validation on the server side, wouldn't this just bypass all security testing and get in? I know the addslashes function exists and that would take care of symbols being entered, but I'm still wondering :)
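The forged form in the post above demonstrates the point correctly: a client can POST anything to form.php without ever loading the page, so the only validation that counts is the server's. Below is an added example of what that server-side handling looks like; it is not the poster's code and not from the thread. It assumes a PDO connection in $pdo created by config.php, a table tbl_users(username, password_hash) whose hashes were produced by password_hash(), and PHP 5.5 or later for password_verify(). Note that it replaces addslashes() with a bound parameter rather than escaping: addslashes() only covers quote characters for one particular SQL context, does nothing for the `<script>` payload in the forged form, and is bypassed in other character sets, whereas a prepared statement never splices the value into SQL at all.

```php
<?php
// Added example, not the original poster's code. Assumes config.php
// provides $pdo (a PDO connection) and the table described in the lead-in.
require("config.php");

// Server-side allow-list validation. This runs whether or not the browser
// executed any JavaScript, so the forged form on this page cannot skip it.
// Returns null when the input is acceptable, or an error message otherwise.
function validate_login(array $post) {
    if (!isset($post['txt_username'], $post['txt_password'])) {
        return 'missing fields';
    }
    // Allow-list what a username may look like instead of trying to strip
    // "bad" characters: 3-32 characters from [A-Za-z0-9_]. The payload
    // >'><script>alert('xss');</script> fails this check outright.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['txt_username'])) {
        return 'invalid username';
    }
    $len = strlen($post['txt_password']);
    if ($len < 8 || $len > 128) {
        return 'invalid password length';
    }
    return null;
}

// Look the user up with a bound parameter. The value is passed to the
// database separately from the query text, so no amount of quoting or
// addslashes() is needed and the query cannot be broken out of.
function check_login(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare('SELECT password_hash FROM tbl_users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One error for both "no such user" and "wrong password": the separate
    // die() messages in the original tell an attacker which usernames exist.
    return $row !== false && password_verify($password, $row['password_hash']);
}

$error = null;
if (isset($_POST['submit'])) {
    $error = validate_login($_POST);
    if ($error === null
        && !check_login($pdo, $_POST['txt_username'], $_POST['txt_password'])) {
        $error = 'invalid username or password';
    }
    if ($error === null) {
        // Keep the login state on the server instead of a "password" cookie
        // holding the md5 of the password, as the original did.
        session_start();
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['txt_username'];
        header('Location: /home.php');  // assumed landing page
        exit;
    }
}
?>
<html>
<body>
<?php if ($error !== null): ?>
<!-- escape before echoing so a rejected value cannot come back as reflected XSS -->
<p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form method="post" action="form.php">
User name: <input type="text" name="txt_username"
  value="<?php echo isset($_POST['txt_username'])
    ? htmlspecialchars($_POST['txt_username'], ENT_QUOTES, 'UTF-8') : ''; ?>"><br>
Password: <input type="password" name="txt_password"><br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
```

Submitting the forged form from the post against this version gets "invalid username" back, with the offending value escaped on the way out; JavaScript validation can still be layered on top of the form purely for usability, exactly as delayedinsanity suggests, without any of the security depending on it.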