Welcome to WebmasterWorld Guest from 54.145.208.64

Forum Moderators: phranque

Message Too Old, No Replies

Checking Form Variables on Site with Globalization Concerns

Interested in Validity and Security, but will I have to give these up?

   
9:04 pm on Jan 5, 2007 (gmt 0)

5+ Year Member



I have a contact form on my website that asks the user for their name, email address and their comments.

Before the form is sent, I use JavaScript to verify the fields to make sure they are valid entries. I also reverified the fields in the PHP page to circumvent hacking attempts.

One of the checks I did was to make sure names only contained A-Za-z characters.

Eventually I would like to make my content accessible to more people, including markets with different languages, such as Chinese, Japanese or Arabic.

I would like to screen data fields people are putting into my website for validity checks and for security reasons, but I'm seeing this as impossible considering internationalization considerations.

What are reasonable safeguards and validity checks I can impose on these variables?

Right now I'm considering letting everything slide (except for a ridged check on email addresses), and to automatically add a backward slash in front of questionable characters like other backward slashes, single and double quotes.

Is this reasonable? Should I be doing less, or more?

Thanks

1:33 am on Jan 6, 2007 (gmt 0)

5+ Year Member



I think you need to ask yourself what such checking actually achieves. Spammers these days mostly use automated scripts to generate fake names that will pass your current tests, so you are not doing much to defeat them right now. Loosening up your validation won't make much of a difference.

If you want to stop spammers filling out your forms consider being a little smarter about it. Email addresses can be confirmed (to some extent) by sending emails to them which require an action. You can ask questions in your forms that are easy for humans but harder for bots (eg. "what is 2 plus 4?", or "what colour is a banana, yellow or blue?").

However, most fake form entries are pretty dumb - they are simply trying to push some spam site URLs which they hope will be echoed back on a web page somewhere. Filtering for "http:" in the comment text will catch 99% of them and save you a lot of trouble.

8:10 am on Jan 6, 2007 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Well, don't just limit it to comments or other text fields, they can use it in any field, I've got logs to prove it. Also screening for http is useless for the "message board" URL, where they use (squarebracket)url=example.com(squarebracket.) The domain name will still get through.

You're better off screening for < and >, [ and ] link patterns unless you have a specific reason for allowing HTML.

To answer the original question, instead of only allowing [A-Za-z], look into various character sets and how they are encoded, then screen those ranges. Sorry for being so vague, I've never done it but that's how I'd approach it. :-)