Re: [PHP] Form validation: client- or server-side?
From: Peter Vertes (pvertes_at_nyc.rr.com)
Date: 01/09/04
- Next message: Steve Edberg: "Re: [PHP] Display syslog file?"
- Previous message: Mike R: "jpeg Uploader issue"
- In reply to: Chris Shiflett: "Re: [PHP] Form validation: client- or server-side?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: php-general@lists.php.net Date: Fri, 09 Jan 2004 16:24:58 -0500
It makes perfect sense now. Thanks for clearing it up for me, Chris :)
-Peter
On Fri, 2004-01-09 at 15:29, Chris Shiflett wrote:
> --- Peter Vertes <pvertes@nyc.rr.com> wrote:
> > Just to play devil's advocate; why would you validate data on the
> > server if you have a JavaScript that checked the user's input before
> > it gets submitted to the server? I mean the whole point of you having
> > that JavaScript is to make sure the correct data gets entered so
> > why bother checking it once again on the server-side with PHP?
> > Wouldn't that be redundant and a waste of resources?
>
> The redundancy is in performing client-side validation, because you should
> never consider server-side validation as optional.
>
> Aside from the obvious fact that people can (and should be able to) turn
> off any client-side scripting, an attacker can do things far more
> sophisticated, to the point of writing a specialized Web client
> specifically to attack your site.
>
> When you receive a POST request, it will look something similar to this:
>
> POST /path/to/script.php HTTP/1.1
> Host: example.org
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 35
> Connection: close
>
> first_name=chris&last_name=shiflett
>
> That's it. This may have resulted from the user submitting the following
> HTML form:
>
> <form action="http://example.org/path/to/script.php" method="post">
> <input type="text" name="first_name" />
> <input type="text" name="last_name" />
> <input type="submit" />
> </form>
>
> You really can't tell what form was used on the receiving site, right? In
> fact, you can't even be sure that the user used a form at all. As an
> example, people ask on this list about performing a POST with PHP at least
> once a week. PHP doesn't need to use an HTML form for this; it just sends
> a request similar to the above (see
> http://shiflett.org/hacks/php/http_post for an example).
>
> The point is that the client decides what it sends, not you. If you want
> to think about security, you have to get rid of the assumption that your
> users will all use your site exactly as you intend. As I mentioned before,
> client-side checking is basically like saying, "User, can you please send
> me a username only if it is less than 10 characters in length and
> alphanumeric only?" Someone attacking your site is not going to abide by
> your requests.
>
> Hope that helps.
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security Handbook
> Coming mid-2004
> HTTP Developer's Handbook
> http://httphandbook.org/
--
perl -e 'print pack("H*", "70766572746573406E79632E72722E636F6D0A")'
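As an added illustration of the point in the quoted message (this is not code from the original thread, and it is in Python rather than PHP so it can be run without a web server), the block below builds the raw POST bytes of the example request with no HTML form involved, then parses them the way a server would and applies the server-side rule Chris gives as an example: a username that is alphanumeric and under 10 characters. The host, path, and field names are taken from the quoted request; the "username" field and the regular expression that checks it are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumed rule from the example in the thread: alphanumeric, fewer than 10 characters.
# This is the check that runs on the server no matter what the client did.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,9}")


def build_raw_post(host: str, path: str, fields: dict) -> bytes:
    """Return the exact bytes a client sends for a urlencoded form POST.

    Nothing here needs an HTML form or a browser; any program can emit this,
    which is why the server cannot assume the JavaScript check ever ran.
    The headers mirror the request quoted in the message.
    """
    body = urlencode(fields)  # percent-encodes anything that is not plain ASCII
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body.encode("ascii")


def parse_post_body(raw_request: bytes) -> dict:
    """Server side: split headers from body and decode the urlencoded fields.

    Only the first value of each field is kept, as a simple form handler would.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii").split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    fields = parse_qs(body[:length].decode("utf-8", "replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def validate_username(fields: dict) -> tuple:
    """Apply the rule on the server, regardless of what the client promised."""
    username = fields.get("username", "")
    if USERNAME_RE.fullmatch(username):
        return True, "ok"
    return False, "username must be 1-9 alphanumeric characters"


if __name__ == "__main__":
    # Constructed inputs: one a real user might submit, two a specialized client
    # could send after skipping (or never loading) the client-side script.
    for fields in (
        {"username": "chris"},
        {"username": "a" * 40},
        {"username": "x' OR 1=1 --"},
    ):
        request = build_raw_post("example.org", "/path/to/script.php", fields)
        print(request.decode("ascii").splitlines()[-1], "->", validate_username(parse_post_body(request)))
```

The server never sees the form, only the bytes; the validator therefore works on the parsed body alone and would reject the same crafted values whether they came from a browser with scripting disabled, a PHP script sending its own POST, or a purpose-built client.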