Is it hacking when....?

I have a web site that has an HTML form with some Javascript for checking form fields and a PHP script that handles the information on the server side and returns a page to the submitter.

In my HTML/Javascript page, I have date entry combo boxes; mm/dd/yyyy. I also use the Javascript to take care of correcting the date aspects when the user changes values; correct num of days in month etc. The year fields (for arriving and departing dates) only have the current year and next year, as inserted by the body Javascript. Sorry for the long-winded explanation but I felt it necessary to explain the occurrence and questions.

What happened that is weird is that I received a form submission (via email from the above mentioned script) that had year values of 1793 in both fields. As the two fields are not alterable to the user, i.e. can't enter own data, how did this occur? I have two theories, one being that this is some sort of browser-specific anomaly and the Javascript didn't execute properly or the user hacked into the code and added these silly dates. For a test, I disabled Javascript in my browser and tried filling in the form and changing the dates; couldn't do it and wouldn't even submit (as I should have realized, as the submission is handled by an "onClick" event).

Can someone copy and edit your script and change the form's action to a full path in order for it to find my site's php script then submit it and my php code will, in blissful ignorance of the outside submission, process it as if it's a normal on-server submission?

This is a bit irritating!

Thanks.

Scott Ross
Mar 30 '07 #1
AricC
1,892 Expert 1GB
Scott,
From what you're describing I wouldn't say someone hacked your site. I'm not sure why this would occur, but generally when a person hacks he would trash the site, not submit the form. If you post a link we can check it out. Also, how secure is your PHP?
Mar 31 '07 #2
Hello and thanks for your reply. The site is www.pioneergetaway.com and the page in question is on a link at the bottom to www.pioneergetaway.com/rentalrequestformjs.html

I'm not sure how secure the php is; the ISP is easycgi.com.

Scott
Mar 31 '07 #3
acoder
16,027 Expert Mod 8TB
What's 107 and 108? Isn't that supposed to be 2007 and 2008?

Are you sure you're checking on the server-side in your PHP script? Never depend on javascript for validation. Yes, it helps, but it's easily sidetracked by disabling javascript.
Apr 2 '07 #4
Uh...er...well, no (he said sheepishly). If Javascript was disabled the form wouldn't submit as it's handled by a regular button (Not a submit type) with an onClick event associated with it.

I used to use a Perl script that I wrote for all form validation but thought I'd try Javascript. I think you're right about double checking with the PHP script.

What I still don't understand is how the 1797 date was "inserted". If the script was altered on the person's PC, can they still submit it to my server side PHP script and it would run as if it was submitted from my site?

Thanks for your time!


Scott
Apr 3 '07 #5
acoder
16,027 Expert Mod 8TB
Yes, that is very easy to do. See this link. You must have server-side validation. It seems someone has done exactly what you're suspecting, though I can't be certain.
Apr 4 '07 #6
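The server-side check the answer above calls for, as an added example that is not part of the original thread or the site's own code. The field names (`arr_*`, `dep_*`) and both functions are hypothetical, and the current year is passed in as a parameter so the constructed samples behave the same whenever the script is run.

```php
<?php
// Added example. Field names (arr_month, dep_year, ...) are hypothetical, not the site's.
function parse_date_fields(array $in, string $prefix, int $thisYear): ?DateTimeImmutable
{
    $parts = [];
    foreach (['month', 'day', 'year'] as $name) {
        $raw = $in[$prefix . '_' . $name] ?? null;
        // Accept 1-4 plain digits only: rejects arrays, signs, spaces, "2007abc".
        if (!is_string($raw) || !preg_match('/\A\d{1,4}\z/', $raw)) {
            return null;
        }
        $parts[$name] = (int) $raw;
    }
    // Same rule the combo box enforces in the browser: this year or next year.
    if ($parts['year'] < $thisYear || $parts['year'] > $thisYear + 1) {
        return null;
    }
    // checkdate() rejects impossible dates such as 2/30.
    if (!checkdate($parts['month'], $parts['day'], $parts['year'])) {
        return null;
    }
    return new DateTimeImmutable(
        sprintf('%04d-%02d-%02d', $parts['year'], $parts['month'], $parts['day']));
}

// Returns [bool accepted, string message]; never trusts what the browser checked.
function validate_request(array $in, int $thisYear): array
{
    $arrive = parse_date_fields($in, 'arr', $thisYear);
    $depart = parse_date_fields($in, 'dep', $thisYear);
    if ($arrive === null || $depart === null) {
        return [false, 'invalid date'];
    }
    if ($depart <= $arrive) {
        return [false, 'departure must be after arrival'];
    }
    return [true, $arrive->format('Y-m-d') . ' to ' . $depart->format('Y-m-d')];
}

// Constructed sample submissions; in the real handler $in would be $_POST
// and $thisYear would be (int) date('Y').
$samples = [
    ['arr_month' => '6', 'arr_day' => '1', 'arr_year' => '2007',
     'dep_month' => '6', 'dep_day' => '8', 'dep_year' => '2007'],
    ['arr_month' => '6', 'arr_day' => '1', 'arr_year' => '1793',
     'dep_month' => '6', 'dep_day' => '8', 'dep_year' => '1793'],
];
foreach ($samples as $in) {
    [$ok, $msg] = validate_request($in, 2007);
    echo ($ok ? 'accept: ' : 'reject: ') . $msg . PHP_EOL;
}
```

The check runs on every request no matter which page or tool produced it, so a copy of the form with edited year options is rejected the same way as any other out-of-range value.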
Very informative article, thanks. As it is with most things in life, it seems obvious after the fact. Appreciate the help.

Scott
Apr 5 '07 #7
acoder
16,027 Expert Mod 8TB
No problem. You're welcome.
Apr 5 '07 #8
iam_clint
1,208 Expert 1GB
Although I did try messing with your form a little

It's Not Nice To Fool With People's Web Pages!

I got this :) Very nice.
Apr 5 '07 #9
I added something to the PHP to "foil" year changes. Glad you liked it!

Thanks for taking the time to hack around.

Scott
Apr 6 '07 #10
AricC
1,892 Expert 1GB
For a while, I only did client side validation. A few months ago ACoder posted that link with his idea that using only client side isn't the way to go. I've gone back and added server side form validation. Great article.
Apr 6 '07 #11
