Hi everybody, Javascript specialists,
I am relatively new to the Javascript world. I have a problem to solve and
I hope one of you can help me.
I am building a validation system, i.e. I want to validate data entered using
a normal HTML FORM. Data will be checked using Javascript scripts to
have an immediate status, and to prevent the user from continuing in case of error.
But some data must be checked against a MySql database accessed through
PHP scripts. These PHP validations occur after the user has hit the <submit> button.
I would like to retrieve MySql data from the server and have them available for
immediate Javascript validation on the client workstation.
Can anyone tell me if it is possible, and if yes, what is the coding to implement it.
Such a procedure would avoid having all "validation-against-date" to be defined
twice, once on the server where they reside, and once duplicated in all
necessary Javascript.
Thank you very much for your precious help and best regards
RCB845 13 1663 rc****@yahoo.fr said: Such procedure would avoid having all "validation-against-date" to be defined Twice, once on the server where they reside, and once duplicated in all Necessary Javascript.
No it wouldn't, really. Validation on the client side should be for the user's
convenience, only. Your "real" validation must always be done on the server,
where you can control the environment. It's too easy for a user to turn off
Javascript, or for a malicious person to intentionally bypass client side
validation.
Lee wrote: rc****@yahoo.fr said:
Such procedure would avoid having all "validation-against-date" to be defined Twice, once on the server where they reside, and once duplicated in all Necessary Javascript.
No it wouldn't, really. Validation on the client side should be for the user's convenience, only. Your "real" validation must always be done on the server, where you can control the environment. It's too easy for a user to turn off Javascript, or for a malicious person to intentionally bypass client side validation.
You may, however, set a flag using javascript and a hidden field that
would decrease processing time for the server.

if ($flag) {
    // it's validated
} else {
    // perform validation
}
Mick.
Mick White said: Lee wrote: rc****@yahoo.fr said:
Such procedure would avoid having all "validation-against-date" to be defined Twice, once on the server where they reside, and once duplicated in all Necessary Javascript.
No it wouldn't, really. Validation on the client side should be for the user's convenience, only. Your "real" validation must always be done on the server, where you can control the environment. It's too easy for a user to turn off Javascript, or for a malicious person to intentionally bypass client side validation.
You may, however, set a flag using javascript and a hidden field that would decrease processing time for the server.
if ($flag) { // it's validated } else { perform validation }
That's not much protection from the malicious user, or even the one who becomes
impatient with your validation. I've hacked my way past defective validations
more than once.
Mick White <mw***********@rochester.rr.com> wrote: Lee wrote: Your "real" validation must always be done on the server, where you can control the environment. It's too easy for a user to turn off Javascript, or for a malicious person to intentionally bypass client side validation.
You may, however, set a flag using javascript and a hidden field that would decrease processing time for the server.
No!
*Everything* coming in from uncontrolled sources (here: user) must be
validated on the server.
I can easily submit anything to the server. Including a faked "is
validated" field and thus circumvent your validation and feed your
scripts bogus data. Security breach par excellence.
Bye,
Martin
Martin Bialasinski wrote: No!
*Everything* coming in from uncontrolled sources (here: user) must be validated on the server.
I can easily submit anything to the server. Including a faked "is validated" field and thus circumvent your validation and feed your scripts bogus data. Security breach par excellence.
Are we talking about the plans for the atomic bomb?
And, I doubt that you can circumvent the validation.
Mick
Mick White wrote: Martin Bialasinski wrote:
No!
*Everything* coming in from uncontrolled sources (here: user) must be validated on the server.
I can easily submit anything to the server. Including a faked "is validated" field and thus circumvent your validation and feed your scripts bogus data. Security breach par excellence.
Are we talking about the plans for the atomic bomb?
And, I doubt that you can circumvent the validation.
javascript:document.forms[0].submit() in the address bar.
Ummm, yes I can.
--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq
Mick White said: Martin Bialasinski wrote:
No!
*Everything* coming in from uncontrolled sources (here: user) must be validated on the server.
I can easily submit anything to the server. Including a faked "is validated" field and thus circumvent your validation and feed your scripts bogus data. Security breach par excellence.
Are we talking about the plans for the atomic bomb?
And, I doubt that you can circumvent the validation.
We may be talking about bad data that could corrupt a production database,
bypassing user authentication, or a user awarding themself free shipping.
It's usually pretty trivial to bypass client-side validation.
Randy Webb wrote: javascript:document.forms[0].submit() in the address bar.
Ummm, yes I can.
<input type="hidden" value="not_verified">
Nice try.
Mick
Lee wrote: We may be talking about bad data that could corrupt a production database, bypassing user authentication, or a user awarding themself free shipping.
It's usually pretty trivial to bypass client-side validation.
So how'd you do it in this case?
Mick
Mick White said: Lee wrote:
We may be talking about bad data that could corrupt a production database, bypassing user authentication, or a user awarding themself free shipping.
It's usually pretty trivial to bypass client-side validation.
So how'd you do it in this case?
In what case? We don't know anything about the form in question.
Mick White <mw***********@rochester.rr.com> wrote: Martin Bialasinski wrote:
No! *Everything* coming in from uncontrolled sources (here: user) must be validated on the server.
Are we talking about the plans for the atomic bomb?
We are talking about something that securityfocus regularly describes
as (depending on the affected application):
These issues may be leveraged to carry out SQL injection attacks,
HTML injection attacks, arbitrary file uploads, privilege
escalation, command execution in the context of the vulnerable
application, and command execution in the context of the affected
system.
or
xNewsletter does not sanitize dangerous characters from form field
input such as the e-mail address of the newsletter recipient. It has
been demonstrated that this condition may be exploited to cause
multiple instances of the same e-mail address to be written to the
datafile. An attacker may effectively trick the script into mail
bombing an arbitrary e-mail address.
It has also been demonstrated that the attacker may cause arbitrary
data to be written to the datafile in such a way that it cannot be
removed using the facilities provided by xNewsletter. The malformed
data must be removed from the datafile manually. http://search.securityfocus.com/swse...sort=swishrank
And, I doubt that you can circumvent the validation.
With a GUI:
Open the URL in the DOM Inspector. Navigate to the hidden
field. Change the value.
Scripted:
Use wget to submit any data you like.
Bye,
Martin
Martin Bialasinski wrote: Mick White <mw***********@rochester.rr.com> wrote: Are we talking about the plans for the atomic bomb?
We are talking about something that securityfocus regularly describes as (depending on the affected application):
These issues may be leveraged to carry out SQL injection attacks, HTML injection attacks, arbitrary file uploads, privilege escalation, command execution in the context of the vulnerable application, and command execution in the context of the affected system.
[...]
It's a minefield out there, and you need to protect your data. I see
your point.
Mick
Mick White wrote: Randy Webb wrote:
javascript:document.forms[0].submit() in the address bar.
Ummm, yes I can.
<input type="hidden" value="not_verified"> Nice try. Mick
javascript:document.forms[0].elements[n].value="verified";document.forms[0].submit()
You can't rely on what's coming back from the browser. Ever. It might
not even BE a browser that's sending a reply. Someone could write a
script to send any old crap to your server.
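To make the thread's point concrete from the defender's side, here is an added example (not code from any of the posters): one set of validation rules written once and usable both for the browser's immediate feedback and as the server's authoritative check, next to a handler that trusts a client-set "validated" flag and one that ignores it. The field names (email, quantity, shipping), the rules themselves, and the two request bodies are constructed for the illustration; the forged request simply carries the kind of hidden-field value the thread already describes.

```javascript
// Validation rules, written once. In the browser they give the user an
// immediate status; on the server the same functions are the real check.
// Each rule returns true or a message. Field names are constructed examples.
const rules = {
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) || "invalid e-mail address",
  quantity: (v) => {
    const n = Number(v);
    return (Number.isInteger(n) && n >= 1 && n <= 99) || "quantity must be 1-99";
  },
  shipping: (v) => ["standard", "express"].includes(v) || "unknown shipping option",
};

// Run every rule over the submitted fields; missing fields count as empty.
function validate(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(rules)) {
    const raw = fields[name] === undefined ? "" : String(fields[name]);
    const result = rule(raw);
    if (result !== true) errors[name] = result;
  }
  return errors;
}

// The hidden-flag pattern discussed in the thread, kept only to show why it
// fails: whoever sets validated=1 in the request skips every check.
function handleTrustingFlag(body) {
  if (body.validated === "1") {
    return { accepted: true, errors: {} };
  }
  const errors = validate(body);
  return { accepted: Object.keys(errors).length === 0, errors };
}

// The hardened handler: the hidden field is never consulted. Every request,
// whatever it claims about itself, is re-checked against the same rules.
function handleAlwaysValidate(body) {
  const errors = validate(body);
  return { accepted: Object.keys(errors).length === 0, errors };
}

// Constructed request bodies, as the server sees them after parsing the POST.
// The second is what a forged submission looks like: bad data plus the flag
// the client-side script would normally set after its own checks passed.
const honestRequest = { email: "alice@example.com", quantity: "3", shipping: "standard" };
const forgedRequest = { email: "not an address", quantity: "0", shipping: "free", validated: "1" };

// Summarise both handlers' decisions for the two requests.
function demo() {
  return {
    trustingHonest: handleTrustingFlag(honestRequest).accepted,
    trustingForged: handleTrustingFlag(forgedRequest).accepted,
    alwaysHonest: handleAlwaysValidate(honestRequest).accepted,
    alwaysForged: handleAlwaysValidate(forgedRequest).accepted,
    forgedErrors: Object.keys(handleAlwaysValidate(forgedRequest).errors).length,
  };
}

console.log(demo());
```

Sharing the rule functions answers the original poster's duplication concern for checks that are pure functions of the input; checks that need the MySql data (uniqueness, existing records) can only be answered by the server and stay there regardless.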