[UPHPU] Quickform validation woes
Mac Newbold
mac at macnewbold.com
Fri Dec 15 16:54:18 MST 2006
Today at 4:18pm, Jared Stevens said:
> Hello -
> You may be able to try client side authentication.
> (In that case, the quickform lib writes a bunch of javascript that
> checks the form for you.)
> If you're looking for a good quickform reference, the best pages I've
> found are here, (in order of awesomeness):
> http://www.midnighthax.com/quickform.php
> http://www.devarticles.com/c/a/Web-Graphic-Design/Using-HTML-Quickform-for-Form-Processing/
> http://pear.php.net/manual/en/package.html.html-quickform.php
>
> These are for QuickForm 1, and not the newer cooler one.
> I hope this helps.
Remember though that if you do client side form validation, and really
care that the validation happens, you'll need to do server side validation
as well. Otherwise, I (or any spammer, hacker, etc.) could turn off JS, or
post directly, or any number of other things to work around your
validation.
Client-side validation isn't evil, it just isn't ever a complete
validation solution, though it can go a long way toward improving user
experience sometimes.
Another method to consider would be AJAX validation: you get the benefits
of client-side validation (near immediate response without a page reload,
for one) with some of the benefits of server side (same code validates it
server side and client side, don't have to rewrite validation twice,
validation can use a database, etc.). Again, without JavaScript or if they
were trying to circumvent the validation, you won't have any guarantees,
and you'll want to make sure server-side what you're doing too.
One hacking attempt that has become pretty common lately is one where
spammers will find a "contact us" web form that asks for a name and email
address. It may or may not have javascript validation of the fields, it
doesn't much matter. If on the server side you include the name or email
address fields in the headers of the email message (like on the "From",
"To", "Cc", "Bcc", or "Subject" fields) they can use your web server to
send out whatever spam they want. All they have to do is post a request to
your server that embeds \r\n and extra email headers and body into the
message you generate, and they've suddenly changed the subject, Bcc'd a
hundred or more AOL users (and others), and replaced the body with a
multi-part HTML email with embedded, attached, and/or linked images. And
the only trace you have of them is an entry in your web logs with the IP
of the computer or proxy used to access your site and post the message. So
be careful!
Thanks,
Mac
--
Mac Newbold MNE - Mac Newbold Enterprises, LLC
mac at macnewbold.com http://www.macnewbold.com/
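The header-injection attack Mac describes, and the server-side check against it, as an added PHP example (not code from the original post, from QuickForm, or from the list): any header-bound field containing CR/LF is rejected before `mail()` is called, and the visitor's address only ever lands in Reply-To. All function names and the addresses are hypothetical.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.
// A header line ends at \r or \n, so a value carrying either (or the
// URL-encoded %0d/%0a in case it gets decoded a second time) must be refused.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]|%0[ad]/i', $value);
}

// Validate the fields that end up in mail headers. Returns a list of
// errors; an empty list means the values are safe to place in headers.
function validate_contact_fields(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (has_header_injection($value)) {
            $errors[] = "$field contains line breaks";
        }
    }
    if (!$errors && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Headers are assembled only from validated data, and From is a fixed
// account, so the form can never be turned into a relay for someone else.
function build_contact_headers(string $name, string $email): string
{
    $safeName = str_replace(['"', '\\'], '', $name);
    return "From: Contact Form <contact@example.com>\r\n"
         . "Reply-To: \"$safeName\" <$email>\r\n";
}

// Constructed request shaped like the spam attempt described in the post.
$post = [
    'name'    => "Alice\r\nBcc: victim1@example.net, victim2@example.net",
    'email'   => 'alice@example.org',
    'subject' => 'Question about your services',
    'message' => 'Hello, please call me back.',
];

$errors = validate_contact_fields($post);
if ($errors) {
    // Log the rejection; the web server log alone will not show the payload.
    error_log('contact form rejected: ' . implode('; ', $errors)
              . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    http_response_code(400);
    exit('Invalid input');
}
mail('contact@example.com', $post['subject'], $post['message'],
     build_contact_headers($post['name'], $post['email']));
```

With the constructed input above the script stops at the `Bcc:` line in the name field and nothing is sent; with a clean name it sends one message from the fixed account.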