views:

54

answers:

4

Hi, I am creating a page that allows users access to a certain section of my website if they click 8 out of 25 checkboxes in the right sequence.

First of all thanks to Reigel for the orignal code, he took what I had and rewrote it, its way better than what I initialy started with. Also thanks to Peter Ajtai for helping me optimize the code.

My question is, how can I clean the output, keeping anyone from exploiting anything, or adding anything that will mess up the server. Is it needed?

Here is a live Version: Click Here to see a live working version

My code is as follows:

<body onLoad="clearForms()" onUnload="clearForms()">

 <p>&nbsp;</p>
 <p>&nbsp;</p>
 <p>&nbsp;</p>
 <p>&nbsp;</p>

<form id="form1" name="form1" method="post" action="check_combination.php">
<table width="200" border="1" align="center">

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="1" /></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="2"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="3"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="4"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="5"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="6"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="7"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="8"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="9"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="10"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="11"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="12"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="13"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="14"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="15"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="16"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="17"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="18"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="19"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="20"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="21"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="22"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="23"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="24"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="25"/></td>
</tr>

<tr>
 <td height="23" colspan="5" align="center" valign="middle" class="label"></td>
</tr>

<tr>
 <td height="28" colspan="5" align="center" valign="middle"><input type="button" value="Test length" id="test" /></td>
</tr>

<tr>
 <td height="28" colspan="5" align="center" valign="middle"><input type="submit" name="button" id="button" value="Submit" /></td>
</tr>

<tr>
 <td height="28" colspan="5" align="center" valign="middle"><input type="button" name="button" id="button2" value="Test hidden input value" /></td>
</tr>

</table>

<input name="result" type="hidden" id="result" />

</form>

</body>

And the javascript:

function clearForms() {
    var i;
    for (i = 0; (i < document.forms.length); i++) {
       document.forms[i].reset();
 $(':checkbox[name=checkbox]:disabled').attr('disabled', false);

    }
}


//initial checkCount of zero
var checkCount = 0;

//maximum number of allowed checked boxes
var maxChecks = 8;

$(document).ready(function() {

clearForms();

$("#form1").submit(function(e) {
  if($("input:checkbox:checked").length < 8) {
    alert("You must select at least 8 options before submitting!");
    e.preventDefault();
  }
});

var $nameCheckbox = $('input:checkbox[name=checkbox]');

    $nameCheckbox.click(function() {

        //update checkCount
        checkCount = $('input:checked').length;

        if (checkCount >= maxChecks) {
            //alert('you may only choose up to ' + maxChecks + ' options');
            $nameCheckbox.not(':checked').attr('disabled', true);
        } else {
            $nameCheckbox.filter(':disabled').attr('disabled', false);
        }

        if (this.checked) {
            $("td.label").append('<label>' + this.value + ' </label>');
        } else {
            $("td.label").find(':contains(' + this.value + ')').remove();
        }

        $('input[name="result"]').val($("td.label").text());

    });


    $("#test").click(function() {
        alert($('input:checked').length)
    });

    $('#button2').click(function() {
        alert($('input[name="result"]').val());
    });

});
+4  A: 

First of all, thanks for the mention there and your most welcome.

My question is, how can I clean the output, keeping anyone from exploiting anything, or adding anything that will mess up the server. Is it needed?

My suggestion is always do a checking on server-side. Yeah you can do checking on client-side, but when it's in the client-side, the client/user has the power to change things. So, if you can (I suggest you must), do both checking - server and client side.

Reigel
+1 for always check things on the server. HTML 5's fancier client side form validation send shudders up my spine thinking of how people will use it and forget to check on the server.
Matthew Lock
Not a problem, you really helped me simplify the code, the least I can do is give credit and thanks where it is due :) Im looking to allow only integers or numbers, I want to create a function that will check this upon submission but Im not sure exactly how to go about it. I have a few websites, that have htmlentity type functions, but Im not sure to what extent I need to go to create this. I am afraid of overkill, is there a standard function out there just cleans whatever is submitted that you know of?
James
Take a look at http://php.net/filter_input_array
Dr.Molle
@James - I think, you don't really have to - based on your example. Just do the checking on your server-side script. Or is there a really big deal to check it on client-side? Well, the more codes you put on the client-side part, the more the user gets interested on exploiting/messing things - (just an opinion)
Reigel
I dont think I need it, but if someone knows a easy way to check server side, if the data being passed is indeed ONLY integers or takes out anything that isnt a number, I would surely implement it. Being as I may use this code for other ideas as time passes. More of a just in case thing.
James
I did find this, but I dont think its for integers, Ive got to read up on it`function unesc($x) { if (get_magic_quotes_gpc()) return stripslashes($x); return $x;}`
James
uggh!, I cant figure out how to format code in these responses
James
try visiting this [page](http://stackoverflow.com/questions/ask). click/focus textarea, something will appear on the right side (html guide). Just read it. ;)
Reigel
Cool, I see I can use basic html <br /> A definate plus <br /> Lets try some <code>Code</code> jeez, I will practice this to see if i can get it. Thanks Reigel
James
in here (comment area), html formating are limited. Some useful I know is the tickback for the `codes`, underscore for _Italics_. try visiting [meta](http://meta.stackoverflow.com/), it's where to ask when it's all about this site ( [stackoverflow](http://stackoverflow.com) ). and here's a direct link, [how to use formatting in comments](http://meta.stackoverflow.com/questions/24793/how-to-use-formatting-in-comments)
Reigel
Cool, I think I found a function that will strip anything but numbers from the code. `function clean_no ($cc_no)``{``return ereg_replace ('[^0-9]+', '', $cc_no);``}``$result = clean_no($_POST['result']);`
James
+1  A: 

This can't be done. Javascript can always be compromised and no user input can be trusted.

You could try and obfuscate the code, but it will never be 100% (not even close).

Rogue
I agree, and point out that obfuscating the JavaScript is more likely to pique the interest of people that otherwise would just wander off. Those *determined* to screw with his site will still have their motives, however difficult it might (theoretically) be made for them.
David Thomas
I guess what Im wondering is not so much about whether the user has tampered with the form, but more on input that could open up access to my server, first let me say I am an extreme noob. but I have read before how someone can input something like 'hi-x=4' and gain access. I could be totally wrong, but this is what Im worried about.
James
@James - `but I have read before how someone can input something like 'hi-x=4' and gain access` - you worry too much. ;) If you are good on server-side (not me, I'm a client-side guy), then you don't have to worry. Let say, in `php` you could do something like `if ( $_GET[inputName] == 'hi-x=4') { echo 'Something is not right, I'm exiting'; exit }` - I'm not sure if that's the right `php` code but I guess you'll get the idea.
Reigel
exactly, something simple like that. Ive got a old distro torrent site that had a lot of different security checks built in for things like posts and file uploads, Ive been skimming through it to see if i can find something that can be modified to check this.
James
+1  A: 

Don't!

That's a poor security scheme -- if for no other reason it's ripe for brute-force. Seriously consider using an established authentication mechanism--there are tons of options in any language you prefer.

STW
That was going to be my next question, if it was possible to log attempts per ip, and ban ips based on a specified amount of attempts per second or minute. I think I have enough code to paste it into one of my old websites that kepts track of ip hits. but I would much rather have something that was written specifically for this code.
James
@James -- it's all possible, but too complicated to be a good idea. What language/platform are you using for your server-side?
STW
James
STW
A: 

You could generate a hash on the server (such as an MD5 or better SHA-1 or something) based on the form structure, which you then send back to the server on the form submission, and recalculate on the server to see if the user tampered with anything in the form. This is outlined in the old CGI Programming in Perl Book, which incidentally is one of the best books on web programming security I ever read.

I don't recommend it, but for interest it's possible to be pretty sure that a user didn't tamper with your form.

Matthew Lock
hopefully I will work my way up to that level, thanks for your response :)
James