So I have page with simple form. To submit this form I need person submitting to check checkbox (some privacy policy etc).
I have the form like this:
<form role="form" class="form" id="zamowienie" action="send_order.php" method="post">
<button type="button" id="wyslijZamowienie">SEND</button>
<input type="checkbox" id="regCheckbox" value="">
</form>
(Of course, every distracting inputs are deleted.)
Then I have script that shall submit form only after checking the checkbox.
button.on("click",function(){
if ($("#regCheckbox").is(":checked")) $("#zamowienie").submit();
Unfortunately, I found out that user can change localy the button type from "button" to "submit" and he will be able to submit the form ignoring my submit protect script.
And additional question. I am not an expert but I started wandering what else can do user with FireBug or dev tools. Can he perform any attacks this way?
Many thanks for any answers or guidance.
The user is able to change your form in many other ways, not just changing the type attribute of the button, the best is to check it on the server side too, for example, you should do something like this:
Validate via Jquery:
$("#zamowienie").submit(function(e) {
if(!$('input[type=checkbox]#regCheckbox:checked').length) {
//stop the form from submitting
return false;
}
//Continue and submit the form
return true;
});
Validate in the backend:
If you are using PHP in the backend for example, you have to check if the checkbox is checked, with something like this:
Note: Your checkbox need a name attribute, let's say mycheckbox
if (isset($_POST['mycheckbox'])) {
//Process your form
}
else{
//Checkbox was not checked, print an error message or something
}
Always validate your code in the backend, the Javascript validation is just a plus for usability and User Experience.
That's one of the reasons why you always validate on the server.
There's no problem validating on the FrontEnd, but you need a double check from the server so you guarantee that all the data is as you expected.
As for the Firebug/Chrome Dev Tools question, anyone can pretty much edit everything from your FrontEnd. From CSS to JS. Even if you minify it!
Consider that the user can do everything he wants. He can modify everything in your form or even create another one targeting the same url and create a script to submit it 1000 times.
That's why you often read :
Never Trust User Input
This means you have to check the whole request on server side : check the method used, check that the fields you are expected are set with data types that you expect.
To summarize : Front end is just here to help the "usual" user to communicate with your server, but on server side (back end), you have to expect every input possible.
Related
Here is an html form page
https://www.amazon.in/gp/help/customer/ces/phone-popup.html
which has input fields phone number and time to call.
Is it possible to pass the input data through link, so that it automatically submits the form with the data present in the link.
Can the link be modified to something like:
https://www.amazon.in/gp/help/customer/ces/phone-popup.html?num=9846098460&time=now
Simple and drastic answer: NO.
If YOU were the owner of the target site, you could foresee this kind of use...
Pretty rare uses for common people.
If not:
Are you trying some kind of an automatic query hack ??
Do you really think you will get such an answer on a public forum?
Think about it.
SO reviewers: CLOSE THIS QUESTION!
I wouldn't say so... The way the form data is sent to the remote server is probably through a HTTP POST request triggered from Javascript (when you click the "Call me" button). Therefore, it's not possible for you to automatically submit the form by passing the arguments in the URL.
You need to show code so we better help you but here's a thought.
Yoursite?date=jaz&id=2323;
In your form, you do something like
<input type="text" value="<?php if(isset($_GET['jaz']{echo $_GET['jaz']})) ?>"
Then in you Javascript
You can just submit the form when the page is loaded.
This is just a basic framework but you may want to consider security and check for emptiness when the actual form is submitted
Before submitting a form, i use javascript code (surrounded in PHP) in order to make locally some controls but sometimes javascript may not be enabled client-side.
The fact is that I have to check by pattern/regex each control of the form for example checking email, phone number,.. format so that user cannot enter anything haphazardly. Therefore, if javascript is not enabled, the form must not be submitted, even if all field are fulfilled out.
Therefore my question is to know if there is a tag or function which allow to perform what i want to?
Thank for your help
JavaScript runs client-side.
That means that users have FULL CONTROL over it.
Then, if they want to disable it, you can't do anything about it.
The only thing you should do is be sure that users with JS disabled will be able to submit the form too.
If you use JS to validate the form, be aware that users have FULL CONTROL over it, so they can send the form if they want, even if your code says that it's invalid.
The right way to do it is:
Be sure users without javascript can send the form
Implement client-side validation for users with javascript activation. This way they will have a better user experience (because can know if the data is invalid immediately) and is less server intensive (your server will have to validate less invalid forms).
ALWAYS validate the submited form server-side. Data coming from a client is always UNTRUSTED, even if you think you have validated it.
I have this form in my web page
<form method="POST" action="http://www.example.com/gotothisURL">
........
Two buttons here , one for submit and one for validation
</form>
Now when I click "Submit" , the page is redirected to the URL, but it also does the same thing when I click "Validation". I don't want page to be redirected on click of "validation", but I do want to do some cross site validation on server side.
The validation should work in two steps. Firstly the form must validate on the client side, using JavaScript. Then once the client side script has determined the form is valid it can be sent to the server for further validation.
Unless there is a specific reason for the validation button I would avoid using this. Just allow the form to be validated by JavaScript when the user clicks submits, if it passes the initial validation then it can be sent to the server, otherwise, you can display relevant messages on the screen explaining to the user what they must do in order for the form to be valid.
My question is regarding the user input that is received form a html form and is static one(by 'static' - I mean information from things like select options, radio buttons, check boxes). Should i do a client-side validation as i assume that the user can change my html code with tools like firebug.
Example:
my code:
<select>
<option>public</option>
<option style="display:none">private</option>
</select>
user's modification:
<select>
<option>public</option>
<option selected >private</option>
</select>
Should I validate this input in JS or leave it for the server-side validation?
I know that the user can manipulate JS also so I see no point in doing this kind of validation in JS.
My logic:
As this is a static info an ordinary(the good guy) user won't mess with it and therefor there is no need to check it.
If an evil user want to mess with my code he probably will know how to mix not only the HTML code but also the JS code, so again - no need of client-side validation for static inputs.
So am I right or should always have the full specter of validation on the client-side.
PS:I'm asking only for the client side, I do always/as well a server-side validation of all the users inputs/
Always validate your input server side.
It's nice to validate things in JavaScript because you can tell the user early that the input is incorrect.
A clever user can bypass any JavaScript constraint you place because you can always make your own requests.
From a time-efficiency point of view. It's not worth spending a lot of time trying to help the evil user by always trying to give a useful error message. If the server thinks input is invalid you can reply with "invalid input". If your JavaScript validation is good enough a regular user should never run into that error.
I've made a contact form:
<form action="mailto:myemail#me.com" method="post" enctype="plain/text">
<label for="name">Name:</label> <input type="text" name="name" />
<label for="email">Email:</label> <input type="text" name="email" />
<br clear="all" />
<input type="submit" value="Compose" />
</form>
I want to create a javascript form validator without having to use a server-side language like PHP. Any ideas?
This is a bad idea. JavaScript and JavaScript validation can be bypassed in a number of ways.
The user could tell the browser to not execute any of the JavaScript on the page. If the form itself does not rely on JavaScript, the form will still show up, and the action page will still be there, but all your validation is gone.
The DOM can be edited by the user. Web page developer tools like those in Chrome, Firefox, and IE make it a cinch to change attributes of a form. This includes removing attributes like onsubmit from a form. Or, the user could simply remove JavaScript function from the resources used by the webpage entirely. This allows the user to avoid going through validation.
A user can send POST or GET data directly to the action URL without going through your page. This is great for attackers, since they can inject a malformed form into your server without even going through a browser--they can use a terminal instead, which is much more convenient.
In summary, do not do this. Allowing the user to control validation is a bad thing. Users can turn off client-side JavaScript, but they can't turn off PHP server-side validation. Use PHP validation if you don't want to suffer from embarrassing cross-site scripting attacks and other vulnerabilities.
If you are looking for a PHP form validation library, you can find a number of them around the Internet. For instance, I personally have contributed to one such library that does a good job of evaluating fields in either a POST or GET type form. I apologize for the self promotion, I must insist that you do server-side validation for the sake of security.
That isn't to say that client-side validation is awful and should never be used. But it should always be backed up by server-side validation. You should view client-side validation as a way to inform the user that there is a problem with their form input without reloading, but always use server-side validation to actually look at the input for problems.
Take a look on this live example.
$('#form1').submit(function() {
// Store messages
var msgs = [];
// Validate name, need at least 4 characters...
var name = $('[name=name]', this);
if(name.val().length < 4) {
msgs.push('- Name need at least 04 characters;');
}
// Validate email [...]
// {CODE}
// Validate otherthings [...]
// {CODE}
if(msgs.length !== 0) {
alert("We have some problems:\n\n" + msgs.join("\n"));
return false;
}
});
be careful not to mix things up. you want to do client-side validation, which is nice-to-have, but not as required as server-side validation, which you can only do on the server.
any script-kiddie will still manage to post some crazy data to your server, so you will have to check your requests and sanitize the data on the server-side.
BUT, if you want to do validate your form data before submitting (which is definitely a good standard), you should use one of the many available jQuery plugins to get the biggest bang for the buck.
here is one: http://docs.jquery.com/Plugins/Validation#Example
if you don't like to use jQuery, you can always specify onBlur=myFunction() to execute whatever logic you need when an input field loses its focus.