Form Injection
Added Friday 07/08/2009
Ever created a web form, tested it, concluded it works perfectly and pushed it live, without really thinking about how secure it is? Well, until now, I have. Obviously my major concern with web forms has always been SQL Injection; however, most programming languages have a function to escape any harmful characters.
But have you ever thought about a JavaScript injection (better known as cross-site scripting, or XSS)? A colleague pointed it out to me a couple of weeks back, so I thought I should share that knowledge so others can avoid the same mistake.
Consider a basic contact form. On submit, you do some server-side validation (like checking the email address is valid), and if this fails, you redisplay the form with the posted values filled into the input fields.
This is common practice for most forms, as many forms are quite long and users would definitely not appreciate having to retype everything if they'd typed one thing incorrectly.
As an example, I am going to use a form created in PHP:
<input type="text" name="emailAddress" value="<?php echo $_POST['emailAddress']; ?>" />
This is a standard way of implementing a text input element.
Now consider your user typed in:
"><script>alert(123)</script>
Obviously your form validation would fail because it is NOT a valid email address. But have you thought about what the page now contains when the form is redisplayed?
<input type="text" name="emailAddress" value=""><script>alert(123)</script>" />
Although this particular script is harmless (an alert box saying 123 appears), it demonstrates how simply echoing the posted value lets injected script run: the user's quote closes the value attribute, the > closes the input tag, and the script element that follows is parsed as ordinary page markup.
The Solution
To solve this problem, pass the value through the htmlentities function before echoing it. It converts the characters that have meaning in HTML (such as <, > and, with ENT_QUOTES, both single and double quotes) into their entity equivalents, so the browser treats them as text rather than markup.
<input type="text" name="emailAddress" value="<?php echo htmlentities($_POST['emailAddress'], ENT_QUOTES); ?>" />
The HTML sent to the browser is now:
<input type="text" name="emailAddress" value="&quot;&gt;&lt;script&gt;alert(123)&lt;/script&gt;" />
The browser shows the original text inside the input field, but nothing is parsed as a tag and no script runs.
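Putting the whole pattern together (validate, and on failure redisplay the form with the posted value escaped), here is an added example that is not the original post's code. It assumes PHP 5.4 or later and a UTF-8 page; the helper names e() and posted() are my own.

```php
<?php
// Added example, not the post's code: contact form with server-side email
// validation that redisplays the escaped posted value when validation fails.
declare(strict_types=1);

// Escape a value for use inside HTML text or a double-quoted attribute.
// ENT_QUOTES converts both ' and ", so the value cannot break out of the
// attribute; the charset is passed explicitly rather than relying on the
// PHP default (which changed between versions).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read a posted field, defaulting to '' so an unset index raises no notice
// and an array value (emailAddress[]=...) is not passed to the escaper.
function posted(string $name): string
{
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
}

$errors = [];
$email  = posted('emailAddress');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (!$errors) {
        // ... send the message, then redirect so a refresh does not resubmit.
        header('Location: /contact/thanks'); // hypothetical thank-you page
        exit;
    }
}
// With the post's sample input "><script>alert(123)</script> the attribute
// below is emitted as &quot;&gt;&lt;script&gt;alert(123)&lt;/script&gt;
// and the browser displays it as text in the field.
?>
<form method="post" action="">
<?php foreach ($errors as $error): ?>
    <p class="error"><?php echo e($error); ?></p>
<?php endforeach; ?>
    <label>Email
        <input type="text" name="emailAddress" value="<?php echo e($email); ?>" />
    </label>
    <button type="submit">Send</button>
</form>
```

Save it as contact.php and try it locally with PHP's built-in server (php -S localhost:8000), submitting the sample input from the post to see the escaped attribute in the page source.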
Hope this provides some more ways of keeping hackers away from your websites.