2

I have a question about security. I have a website programmed with HTML, CSS, PHP, Javascript(jQuery)...

Throughout the website, there are several forms (particularly with radio buttons).

Once a user selects and fills out the form, it takes the value from the selected radio button and sends that to the server for processing. The server also takes the values and plugs them into a database.

My concern is this:

How can I prevent someone from using a developer tool/source editor (such as Google Chrome's Debugging/Developer Tool module) and changing the value of the radio button manually, prior to hitting the submit button? I'm afraid people will be able to manually change the value of a radio button input prior to submitting the form. If they can indeed do that, it will entirely defeat the purpose of the script I am building.

I hope this makes sense.

Thank you!

John

6
  • For example, let's say the radio button's value is "Green Bay Packers". If they click that radio button and hit submit, it will give the value of that particular radio button "Green Bay Packers". BUT, what if they go in and manually change the value to, let's say, "Philadelphia Eagles"... and then they hit submit? It will record that selected team as Philadelphia Eagles... I can't have that kind of loophole where someone could just alter the value manually... Those values have to be set in stone. Is my entire foundation for this script bad? Commented Aug 24, 2011 at 14:59
  • 1
    Use client and server side validation. xkcd.com/327 Commented Aug 24, 2011 at 14:59
  • +1 for the XKCD (and a good point :) Commented Aug 24, 2011 at 15:01
  • In your example, the PHP script that receives the form data must know that "Green Bay Packers" is allowed and "Philadelphia Eagles" is not. In this particular case you can define a list of acceptable values and reject the request if the user-data is not in this whitelist. Commented Aug 24, 2011 at 15:08
  • Cheekysoft, thank you for your insight on the next step forward... This is a very difficult server-side validation because the user is essentially picking a team (Green Bay Packers, Philadelphia Eagles, etc.) and then submitting that team. I can't even wrap my head around where to start. Commented Aug 24, 2011 at 15:21

6 Answers

8

How can I prevent someone from using a developer tool/source editor (such as Google Chrome's Debugging/Developer Tool module) and changing the value of the radio button manually, prior to hitting the submit button?

You can't. You have no control over what gets sent to the server.

Test that the data meets whatever requirements you set for it before inserting it into the database. If it isn't OK, reject it and explain the problem in the HTTP response.


1

Any data sent from the browser to the server can be manipulated outside of your control, including form data, url parameters and cookies. Your PHP code must know what sets of values are valid and reject the request if it doesn't look sensible.

When sending user input to the database you will want to ensure that a malicious user-entered string can't modify the meaning of the SQL query. See SQL Injection. And when you display the user-entered data (either directly in the following response, or later when you read it back out of the database) ensure that you encode it properly to avoid a malicious user-entered string executing as unwanted JavaScript in the user's browser. See Cross-site scripting and the prevention cheat sheet.
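The three steps this answer describes (check the value against the known set, keep it out of the SQL text, encode it on output), as an added example that is not code from the original answer. The team list, the `picks` table and the function names are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example: allowlist check, parameterized insert, encoded output.
// ALLOWED_TEAMS, the `picks` table and both function names are assumptions.

const ALLOWED_TEAMS = ['Green Bay Packers', 'Philadelphia Eagles', 'Chicago Bears'];

function save_pick(PDO $db, int $userId, $team): bool
{
    // Accept only a string that is exactly one of the known values.
    // Strict comparison (third argument) avoids PHP's loose type juggling.
    if (!is_string($team) || !in_array($team, ALLOWED_TEAMS, true)) {
        return false;
    }
    // Placeholders keep the submitted value out of the SQL text itself.
    $stmt = $db->prepare('INSERT INTO picks (user_id, team) VALUES (:uid, :team)');
    return $stmt->execute([':uid' => $userId, ':team' => $team]);
}

function render_pick(string $team): string
{
    // Encode on output, even for values that passed validation earlier.
    return '<p>Your pick: ' . htmlspecialchars($team, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Demo database (assumes the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE picks (user_id INTEGER, team TEXT)');

// Constructed inputs standing in for $_POST['team'].
$submissions = [
    'Green Bay Packers',   // untouched form value
    'Dallas Cowboys',      // value edited in the browser, not in the list
    ['Green Bay Packers'], // team[]=... in the request arrives as an array
];

foreach ($submissions as $team) {
    if (save_pick($db, 42, $team)) {
        echo render_pick($team), "\n";
    } else {
        // In a web request this is where a 400 response and an error message go.
        echo "Rejected: not an allowed team\n";
    }
}
```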


1

I'll go along with Quentin's answer on this. Client-side validation should never stand alone, you'll need to have some sort of server-side validation of the input as well. For most users, the client-side validation will save a round trip to the server, but as you both mention, there is no guarantee that "someone" wouldn't send wrong data.

Therefore the mantra should be: Always have server-side validation


1

I would say that client-side validation should be used solely for the user's convenience (e.g., to alert them that they have forgotten to fill in a required field) before they have submitted the form and have to wait for it to go to the server, be validated, and then have it sent back to them for fixing. What a pain. Better to have javascript tell you right there on the spot that you've messed something up.

Server-side validation is for security.


0

The others said it already, you can't prevent users from tampering with data being sent to your server (Firebug, TamperData plugins, self-made tampering proxies...).

So on the server side, you must treat your input as if there were no client validation at all.

Never trust user input that enters your application from an external source. Always validate it, sanitize it, escape it.

OWASP even started a stub page for the vulnerability Client-side validation - which is funny - client-side validation seems to have confused so many people and been the cause of so many security holes that they now consider it a vulnerability instead of something good.

We don't need to be that radical - client-side validation is still useful, but regard it simply as an aid to prevent the user from having to do a server roundtrip first before being told that the data is wrong. That's right, client-side validation is merely a convenience for the user, nothing more, let alone an asset to the security of your server.

OWASP is a great resource for web security. Have a look at their section on data validation.

Some advice worth quoting:

Where to include validation

Validation must be performed on every tier. However, validation should be performed as per the function of the server executing the code. For example, the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on.

Follow this rule without exception.


0

In this scenario, I'd recommend that you use values as keys, and look those up on the server side.

Also, consider issuing a nonce in a hidden field every time someone loads a form - this will make it a bit more difficult for someone to submit data without going through your form.

If you have a lot of javascript, it's probably worth running it through an obfuscator - this not only makes it harder for hackers to follow your logic, it also makes scripts smaller and faster to load.

As always, there is no magic bullet to stop hacking, but you can try raising the bar enough to deter casual hackers, then worry about the ones who enjoy a challenge.
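A sketch of the first two suggestions in this answer (radio values as keys resolved on the server, plus a nonce issued with each form load), added here as an example and not taken from the original answer. `TEAMS_BY_KEY`, the `token` and `team` field names and both function names are assumptions; a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example: opaque keys resolved server-side, plus a single-use form token.
// TEAMS_BY_KEY, the field names and the function names are assumptions.

const TEAMS_BY_KEY = [1 => 'Green Bay Packers', 2 => 'Philadelphia Eagles'];

function issue_form_token(array &$session): string
{
    // Fresh random token per form load, remembered on the server.
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];   // goes into a hidden <input name="token">
}

function resolve_pick(array &$session, array $post): ?string
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['token'] ?? '';
    unset($session['form_token']);   // single use: a replayed form fails

    // Constant-time comparison; a missing or non-string token is rejected.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return null;
    }

    // The browser only supplies a key; the team name comes from the server.
    $key = filter_var($post['team'] ?? null, FILTER_VALIDATE_INT);
    if ($key === false) {
        return null;
    }
    return TEAMS_BY_KEY[$key] ?? null;
}

// Constructed demo: $session plays the role of $_SESSION.
$session = [];

$token = issue_form_token($session);
var_dump(resolve_pick($session, ['token' => $token, 'team' => '2']));  // valid post

var_dump(resolve_pick($session, ['token' => $token, 'team' => '2']));  // same token again

$token = issue_form_token($session);
var_dump(resolve_pick($session, ['token' => $token, 'team' => '99'])); // unknown key
```

The token only ties a submission to a form that was actually served; a user who changes the key to another valid key still submits a valid pick, so whether that pick is permitted for that user remains a server-side rule.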
