Checking Form Variables on Site with Globalization Concerns
Interested in Validity and Security, but will I have to give these up?
Jeremy_H (msg:3209777), 9:04 pm on Jan 5, 2007 (gmt 0)

I have a contact form on my website that asks the user for their name, email address and their comments.

Before the form is sent, I use JavaScript to verify the fields to make sure they are valid entries. I also reverified the fields in the PHP page to circumvent hacking attempts.

One of the checks I did was to make sure names only contained A-Za-z characters.

Eventually I would like to make my content accessible to more people, including markets with different languages, such as Chinese, Japanese or Arabic.

I would like to screen data fields people are putting into my website for validity checks and for security reasons, but I'm seeing this as impossible considering internationalization considerations.

What are reasonable safeguards and validity checks I can impose on these variables?

Right now I'm considering letting everything slide (except for a rigid check on email addresses), and automatically adding a backward slash in front of questionable characters like other backward slashes, single and double quotes.

Is this reasonable? Should I be doing less, or more?

Thanks


alfaguru (msg:3210049), 1:33 am on Jan 6, 2007 (gmt 0)

I think you need to ask yourself what such checking actually achieves. Spammers these days mostly use automated scripts to generate fake names that will pass your current tests, so you are not doing much to defeat them right now. Loosening up your validation won't make much of a difference.

If you want to stop spammers filling out your forms, consider being a little smarter about it. Email addresses can be confirmed (to some extent) by sending emails to them which require an action. You can ask questions in your forms that are easy for humans but harder for bots (e.g. "what is 2 plus 4?", or "what colour is a banana, yellow or blue?").

However, most fake form entries are pretty dumb - they are simply trying to push some spam site URLs which they hope will be echoed back on a web page somewhere. Filtering for "http:" in the comment text will catch 99% of them and save you a lot of trouble.

rocknbil (msg:3210252), 8:10 am on Jan 6, 2007 (gmt 0)

Well, don't just limit it to comments or other text fields; they can use it in any field, I've got logs to prove it. Also, screening for http is useless for the "message board" URL, where they use (squarebracket)url=example.com(squarebracket). The domain name will still get through.

You're better off screening for < and >, [ and ] link patterns unless you have a specific reason for allowing HTML.

To answer the original question, instead of only allowing [A-Za-z], look into various character sets and how they are encoded, then screen those ranges. Sorry for being so vague, I've never done it but that's how I'd approach it. :-)
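An added example, not code from this thread (and in Python rather than the original poster's PHP so it runs stand-alone), that puts together what the thread arrives at: accept names from any script by checking Unicode letter/mark categories instead of [A-Za-z], keep a strict email check, screen comments for the "http:", [url= and tag patterns mentioned above, and escape on output rather than adding backslashes on input. The field names, length limits and sample values are assumptions.

```python
import html
import re
import unicodedata

def is_valid_name(name, max_len=100):
    """Letters from any script, combining marks, spaces, ' - . ; nothing else."""
    name = unicodedata.normalize("NFC", name).strip()
    if not name or len(name) > max_len:
        return False
    for ch in name:
        # Unicode general categories: L* = letter, M* = mark (Arabic vowel
        # signs, Devanagari matras, ...), so non-Latin names still pass.
        if unicodedata.category(ch)[0] not in ("L", "M") and ch not in " '-.":
            return False
    return True

# Pragmatic (not RFC-complete) ASCII email shape: local@domain.tld
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def is_valid_email(email):
    # Refuse CR/LF outright so the value can never carry extra lines into
    # the mail the contact form sends.
    if "\r" in email or "\n" in email:
        return False
    return EMAIL_RE.fullmatch(email.strip()) is not None

# Link patterns the thread mentions: "http:", [url=...] and HTML tags.
LINK_RE = re.compile(r"https?:|\[url\b|<[^>]*>", re.IGNORECASE)

def looks_like_link_spam(text):
    return LINK_RE.search(text) is not None

def validate_contact_form(form, max_comment_len=2000):
    """Return the names of fields that fail; an empty list means accept."""
    bad = []
    if not is_valid_name(form.get("name", "")):
        bad.append("name")
    if not is_valid_email(form.get("email", "")):
        bad.append("email")
    comments = form.get("comments", "")
    if (not comments.strip() or len(comments) > max_comment_len
            or looks_like_link_spam(comments)):
        bad.append("comments")
    return bad

def render_safe(text):
    # Escape when echoing back into HTML; backslashes added on input do
    # nothing against "<script>" in a web page.
    return html.escape(text, quote=True)
```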
