ansaurus

Question

Keeping code from being exploited, Securing Javascript and Forms

Answer 1

+4 A:

First of all, thanks for the mention there and your most welcome.

My question is, how can I clean the output, keeping anyone from exploiting anything, or adding anything that will mess up the server. Is it needed?

My suggestion is always do a checking on server-side. Yeah you can do checking on client-side, but when it's in the client-side, the client/user has the power to change things. So, if you can (I suggest you must), do both checking - server and client side.

Reigel 2010-10-05 03:52:41

+1 for always check things on the server. HTML 5's fancier client side form validation send shudders up my spine thinking of how people will use it and forget to check on the server.

Matthew Lock 2010-10-05 03:55:15

Not a problem, you really helped me simplify the code, the least I can do is give credit and thanks where it is due :) Im looking to allow only integers or numbers, I want to create a function that will check this upon submission but Im not sure exactly how to go about it. I have a few websites, that have htmlentity type functions, but Im not sure to what extent I need to go to create this. I am afraid of overkill, is there a standard function out there just cleans whatever is submitted that you know of?

James 2010-10-05 03:56:52

Take a look at http://php.net/filter_input_array

Dr.Molle 2010-10-05 04:09:18

@James - I think, you don't really have to - based on your example. Just do the checking on your server-side script. Or is there a really big deal to check it on client-side? Well, the more codes you put on the client-side part, the more the user gets interested on exploiting/messing things - (just an opinion)

Reigel 2010-10-05 04:12:17

I dont think I need it, but if someone knows a easy way to check server side, if the data being passed is indeed ONLY integers or takes out anything that isnt a number, I would surely implement it. Being as I may use this code for other ideas as time passes. More of a just in case thing.

James 2010-10-05 04:22:32

I did find this, but I dont think its for integers, Ive got to read up on it`function unesc($x) { if (get_magic_quotes_gpc()) return stripslashes($x); return $x;}`

James 2010-10-05 04:29:54

uggh!, I cant figure out how to format code in these responses

James 2010-10-05 04:32:49

try visiting this [page](http://stackoverflow.com/questions/ask). click/focus textarea, something will appear on the right side (html guide). Just read it. ;)

Reigel 2010-10-05 04:36:37

Cool, I see I can use basic html <br /> A definate plus <br /> Lets try some <code>Code</code> jeez, I will practice this to see if i can get it. Thanks Reigel

James 2010-10-05 04:44:12

in here (comment area), html formating are limited. Some useful I know is the tickback for the `codes`, underscore for _Italics_. try visiting [meta](http://meta.stackoverflow.com/), it's where to ask when it's all about this site ( [stackoverflow](http://stackoverflow.com) ). and here's a direct link, [how to use formatting in comments](http://meta.stackoverflow.com/questions/24793/how-to-use-formatting-in-comments)

Reigel 2010-10-05 04:52:58

Cool, I think I found a function that will strip anything but numbers from the code. `function clean_no ($cc_no)``{``return ereg_replace ('[^0-9]+', '', $cc_no);``}``$result = clean_no($_POST['result']);`

James 2010-10-05 05:07:00

Answer 2

+1 A:

This can't be done. Javascript can always be compromised and no user input can be trusted.

You could try and obfuscate the code, but it will never be 100% (not even close).

Rogue 2010-10-05 03:52:48

I agree, and point out that obfuscating the JavaScript is more likely to pique the interest of people that otherwise would just wander off. Those *determined* to screw with his site will still have their motives, however difficult it might (theoretically) be made for them.

David Thomas 2010-10-05 03:57:50

I guess what Im wondering is not so much about whether the user has tampered with the form, but more on input that could open up access to my server, first let me say I am an extreme noob. but I have read before how someone can input something like 'hi-x=4' and gain access. I could be totally wrong, but this is what Im worried about.

James 2010-10-05 04:10:21

@James - `but I have read before how someone can input something like 'hi-x=4' and gain access` - you worry too much. ;) If you are good on server-side (not me, I'm a client-side guy), then you don't have to worry. Let say, in `php` you could do something like `if ( $_GET[inputName] == 'hi-x=4') { echo 'Something is not right, I'm exiting'; exit }` - I'm not sure if that's the right `php` code but I guess you'll get the idea.

Reigel 2010-10-05 04:20:22

exactly, something simple like that. Ive got a old distro torrent site that had a lot of different security checks built in for things like posts and file uploads, Ive been skimming through it to see if i can find something that can be modified to check this.

James 2010-10-05 04:25:26

Answer 3

+1 A:

Don't!

That's a poor security scheme -- if for no other reason it's ripe for brute-force. Seriously consider using an established authentication mechanism--there are tons of options in any language you prefer.

STW 2010-10-05 03:53:01

That was going to be my next question, if it was possible to log attempts per ip, and ban ips based on a specified amount of attempts per second or minute. I think I have enough code to paste it into one of my old websites that kepts track of ip hits. but I would much rather have something that was written specifically for this code.

James 2010-10-05 04:06:39

@James -- it's all possible, but too complicated to be a good idea. What language/platform are you using for your server-side?

STW 2010-10-05 04:34:20

James 2010-10-05 04:39:29

STW 2010-10-05 16:26:18

Answer 4

A:

You could generate a hash on the server (such as an MD5 or better SHA-1 or something) based on the form structure, which you then send back to the server on the form submission, and recalculate on the server to see if the user tampered with anything in the form. This is outlined in the old CGI Programming in Perl Book, which incidentally is one of the best books on web programming security I ever read.

I don't recommend it, but for interest it's possible to be pretty sure that a user didn't tamper with your form.

Matthew Lock 2010-10-05 04:00:56

hopefully I will work my way up to that level, thanks for your response :)

James 2010-10-05 06:29:33

ansaurus

tags:

views:

answers:

Keeping code from being exploited, Securing Javascript and Forms

related questions