Validate Radio Buttons? [message #182369] |
Wed, 31 July 2013 18:20 |
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member |
Hi all,
I was wondering what the general consensus might be on this:
Should one Validate Radio Buttons for an online website contact form?
I've always thought they needed nothing but validation to see if they'd
been used or not before accepting them, and sending the user back to the
website Home Page.
I've used Referrer to check the pages the visitor came from, gotten
his IP or proxy identifier IP and used Control Cache and Pragma plus
$referrer to check that the visitor arrived from the website and nowhere
else, to try to be sure you can't go back to any previous page and find
the data still intact; sessions are always destroyed when any error
shows up. A counter tells me how many attempts were made from the same
IP or Proxy and after 3 attempts the visitor is banned for a few hours.
Two sets of 3 failed attempts will get him banned permanently.
BUT, does any of that negate the need to Validate a Radio Button Click?
http://phpmaster.com/form-validation-with-php/ seems to think so, but
the code they suggest isn't exactly simple and it takes a lot of code.
I'm willing to be called wrong; no problem at all.
So, what do YOU think?
TIA & Regards,
Twayne`
Re: Validate Radio Buttons? [message #182370 is a reply to message #182369] |
Wed, 31 July 2013 19:00 |
The Natural Philosoph
Messages: 993 Registered: September 2010
On 31/07/13 19:20, Twayne wrote:
> Hi all,
>
> I was wondering what the general consensus might be on this:
>
> Should one Validate Radio Buttons for an online website contact form?
>
> I've always thought they needed nothing but validation to see if
> they'd been used or not before accepting them, and sending the user
> back to the website Home Page.
> I've used Referrer to check the pages the visitor came from, gotten
> his IP or proxy identifier IP and used Control Cache and Pragma plus
> $referrer to check that the visitor arrived from the website and
> nowhere else, to try to be sure you can't go back to any previous
> page and find the data still intact; sessions are always destroyed
> when any error shows up. A counter tells me how many attempts were
> made from the same IP or Proxy and after 3 attempts the visitor is
> banned for a few hours. Two sets of 3 failed attempts will get him
> banned permanently.
>
> BUT, does any of that negate the need to Validate a Radio Button Click?
> http://phpmaster.com/form-validation-with-php/ seems to think so, but
> the code they suggest isn't exactly simple and it takes a lot of code.
>
> I'm willing to be called wrong; no problem at all.
>
> So, what do YOU think?
>
I think really only you can answer this one.
Think what would happen if a user somehow faked everything and sent out
of bounds data. Or sql injection type code instead of what was supposed
to be in the post variable.
One simple way to get rid of most malware is to cast, explicitly or
implicitly, all variables to integers.
So for example if you were setting an SQL field to a numeric value based
on user response, I normally would use sprintf to prepare the query with
%d representing an integer value, into an ID or an enumerated field. Out
of bounds data is simply then an error and no further validation is
required, unless you want to send the error back to the user, which in the
case of a radio button is pointless because you won't GET error data
unless they have actively faked the entry.
Any data that falls into a few well defined entries only, is easy to
validate. The problem comes when you allow arbitrary string entry.
Then SQL injection can happen if a really nasty string is concocted, but
even then php supplies tools to sanitise just about anything you throw
at it, up to and including (as I discovered) turning strings into
hexadecimal numbers and inserting THOSE into the database. Assuming you
are working with a database.
One of the best ways to approach design is to put on a black hat and try
and crack it yourself. Think when you code 'what would happen if... there
was no data at all, or the data contained special characters you really
wouldn't expect?'
Another thought is 'don't bother putting bars on the windows if you
leave the front door open' the easiest way to hack a website is to find
the administrative portal and hack past the password. Too many people
leave the default settings in place when they install code written by
others. Don't.
> TIA & Regards,
>
> Twayne`
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: Validate Radio Buttons? [message #182371 is a reply to message #182369] |
Wed, 31 July 2013 19:07 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 7/31/2013 2:20 PM, Twayne wrote:
> Hi all,
>
> I was wondering what the general consensus might be on this:
>
> Should one Validate Radio Buttons for an online website contact form?
>
> I've always thought they needed nothing but validation to see if they'd
> been used or not before accepting them, and sending the user back to the
> website Home Page.
> I've used Referrer to check the pages the visitor came from, gotten
> his IP or proxy identifier IP and used Control Cache and Pragma plus
> $referrer to check that the visitor arrived from the website and nowhere
> else, to try to be sure you can't go back to any previous page and find
> the data still intact; sessions are always destroyed when any error
> shows up. A counter tells me how many attempts were made from the same
> IP or Proxy and after 3 attempts the visitor is banned for a few hours.
> Two sets of 3 failed attempts will get him banned permanently.
>
> BUT, does any of that negate the need to Validate a Radio Button Click?
> http://phpmaster.com/form-validation-with-php/ seems to think so, but
> the code they suggest isn't exactly simple and it takes a lot of code.
>
> I'm willing to be called wrong; no problem at all.
>
> So, what do YOU think?
>
> TIA & Regards,
>
> Twayne`
Good practice means you ALWAYS validate ALL information from the user.
You may have a radio button on your form - but there is no guarantee the
request comes from your form.
I can easily build a page which has invalid information and submit it to
your site. Or even use tools like cURL to feed your site invalid
information.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182372 is a reply to message #182371] |
Wed, 31 July 2013 21:37 |
Denis McMahon
Messages: 634 Registered: September 2010
On Wed, 31 Jul 2013 15:07:17 -0400, Jerry Stuckle wrote:
> On 7/31/2013 2:20 PM, Twayne wrote:
>> Should one Validate Radio Buttons for an online website contact form?
> Good practice means you ALWAYS validate ALL information from the user.
> You may have a radio button on your form - but there is no guarantee the
> request comes from your form.
As a follow up to Jerry, radio buttons and select lists are probably the
easiest elements to validate in the server side code because, by
definition, you expect them to be one of a discrete set of values, and if
they're not a member of that set of values, then someone is playing silly
buggers.
You could use in_array to check that the value received is in an array of
expected values, and then use the value directly; or you could switch on
the value received, with a case for each of the expected values. In both
cases, you can detect and respond as you feel appropriate for unexpected
values.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
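The two approaches suggested above, integer coercion as The Natural Philosopher describes and an allowlist check with in_array() as Denis suggests, side by side in an added PHP example. This is not code from the thread; the field names, the two allowlists (0..9 and 0..3, as Twayne's form uses) and the sample submissions are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Allowed values for the two radio groups: 0..9 and 0..3. A browser submits
// them as strings, so the allowlists hold strings, not integers.
const RATING_VALUES   = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
const PRIORITY_VALUES = ['0', '1', '2', '3'];

// Approach 1 (integer coercion): (int) and sprintf('%d') never reject
// anything. Junk becomes 0 or its leading digits, and 0 is itself a legal
// radio value here, so "out of bounds" is not automatically an error.
function coerceToInt(mixed $raw): int
{
    // A non-empty array casts to 1 and null to 0; treat non-scalars as junk.
    return is_scalar($raw) ? (int) $raw : 0;
}

// Approach 2 (validated integer with a range): null for anything that is
// not an integer string inside [min, max].
function validateIntInRange(mixed $raw, int $min, int $max): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Approach 3 (allowlist): the value must be one of the exact strings the
// form offers. The third argument to in_array() matters: with the loose
// default, numeric strings compare numerically, so '1.0' would match '1'.
function validateRadio(array $request, string $field, array $allowed): ?string
{
    $raw = $request[$field] ?? null;
    if (!is_string($raw) || !in_array($raw, $allowed, true)) {
        return null;
    }
    return $raw;
}

// Constructed sample submissions, not captured traffic. Only the first is
// what a browser sends for a clicked button; the rest can only arrive from
// a hand-built request, since nothing obliges a client to honour the markup.
$samples = [
    'browser' => ['rating' => '7'],
    'numeric' => ['rating' => '1.0'],
    'leading' => ['rating' => '7abc'],
    'text'    => ['rating' => "' OR 1=1 --"],
    'array'   => ['rating' => ['7']],   // rating[]=7 in the request body
    'missing' => [],
];

printf("%-8s %-14s %-8s %-8s %s\n", 'case', 'raw', 'coerce', 'range', 'allowlist');
foreach ($samples as $name => $req) {
    $raw = $req['rating'] ?? null;
    printf(
        "%-8s %-14s %-8s %-8s %s\n",
        $name,
        is_array($raw) ? 'array' : var_export($raw, true),
        coerceToInt($raw),
        var_export(validateIntInRange($raw, 0, 9), true),
        var_export(validateRadio($req, 'rating', RATING_VALUES), true)
    );
}

// The same digit can be legal for one group and not for another, so each
// group gets its own allowlist rather than one shared "is it a digit" test.
var_dump(validateRadio(['priority' => '5'], 'priority', PRIORITY_VALUES));
```

Run it and compare the three columns: only the browser row survives the range check and the allowlist, while coercion turns every row into a number between 0 and 9, which is exactly the range the form accepts. Whichever approach is used, the check has to run before the value is used for anything, including building an SQL statement.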
Re: Validate Radio Buttons? [message #182375 is a reply to message #182372] |
Thu, 01 August 2013 20:47 |
bill
Messages: 310 Registered: October 2010
On 2013-07-31 5:37 PM, Denis McMahon wrote:
> On Wed, 31 Jul 2013 15:07:17 -0400, Jerry Stuckle wrote:
>
>> On 7/31/2013 2:20 PM, Twayne wrote:
>
>>> Should one Validate Radio Buttons for an online website contact form?
>
>> Good practice means you ALWAYS validate ALL information from the user.
>> You may have a radio button on your form - but there is no guarantee the
>> request comes from your form.
>
> As a follow up to Jerry, radio buttons and select lists are probably the
> easiest elements to validate in the server side code because, by
> definition, you expect them to be one of a discrete set of values, and if
> they're not a member of that set of values, then someone is playing silly
> buggers.
Well ... that's why I thought it wasn't much necessary other than to see
they were in the range I wanted and weren't empty. They're all
single-character results, 0 thru 9, and 0 thru 3 in one case, and I
thought all I needed to do was validate them to be within the ranges I
specified or throw an error otherwise.
I wondered though, if errant data came in, would it be possible to
hurt me before I did the checks on them?
Today I wrote a couple of functions to check things with; one for
nearly all data and a slightly less stringent one to allow a URL to
appear within a textarea.
the major commonly used function consists of
--------------
function checkIt_1($data)
{
    $data = trim($data);             // drop leading/trailing whitespace
    $data = stripslashes($data);     // remove backslash escaping
    $data = strip_tags($data);       // remove HTML and PHP tags
    $data = htmlspecialchars($data); // encode &, <, > and " as entities
    return $data;
}
-------------
With that I'm still able to read any munged text due to the function
although if the visitor saw it it might be pretty confusing to him. It's
not an issue to me though. I even run the functions on my SESSIONs data
when I call it in, just in case it somehow was tainted.
So ... if I applied that function or one similar to it, would you
say I've made a step in the right direction or have I wasted my time?
Is the stripslashes worth the machine cycles or does it just waste
time?
I've also thought about using htmlentities but it seems a little
redundant. Yes?
I'm pretty ignorant yet on just how XSS and the various injection
methods work although I now have a couple of what I think are good sites
to read through. It's taken me a long time to find easy-to-read
tutorials or instructions for absolute beginners like I am in that area,
on those subjects; there's SO much junk around it's sometimes pretty
difficult to tell whether an author knows what he's talking about or not.
>
> You could use in_array to check that the value received is in an array of
> expected values, and then use the value directly; or you could switch on
> the value received, with a case for each of the expected values. In both
> cases, you can detect and respond as you feel appropriate for unexpected
> values.
>
Arrays are probably a good idea but for me if they're not straight-up
1-dimensional arrays I get easily mixed up keeping track of their
contents. Last time I tried I ended up leaving some holes that even I
knew better than to do <grin>.
Thanks for all the food for thought, and allowing me to explain a bit
about what's up.
Anything further anyone has to add here is most welcome. I also respond
promptly to any & all question/clarifications anyone may want.
Best regards,
Twayne`
Re: Validate Radio Buttons? [message #182376 is a reply to message #182370] |
Thu, 01 August 2013 21:11 |
bill
Messages: 310 Registered: October 2010
On 2013-07-31 3:00 PM, The Natural Philosopher wrote:
> On 31/07/13 19:20, Twayne wrote:
>> Hi all,
>>
>> I was wondering what the general consensus might be on this:
>>
>> Should one Validate Radio Buttons for an online website contact form?
>>
....
>>
>> So, what do YOU think?
>>
> I think really only you can answer this one.
> Think what would happen if a user somehow faked everything and sent out
> of bounds data. Or sql injection type code instead of what was supposed
> to be in the post variable.
I'm trying! :)
One thing I have learned is that I'm woefully ignorant of those
processes and thus am fighting something I have little knowledge of. I'm
working on solutions to that issue too.
>
> One simple way to get rid of most malware is to cast, explicitly or
> implicitly, all variables to integers.
THAT sounds like a good idea! Why didn't I think of that? But it does
bring a possibly stupid question: If I've been hit with XSS or some kind
of injection, might it already have done its damage by the time I get to
be able to process the cast to numeric?
And more specifically, how could a single-digit result from a Radio
Button contain anything harmful as long as I check that it's in bounds?
I realize that's possibly outside the scope of this group, but
thought I'd ask anyway. No problem if you ignore it.
>
> So for example if you were setting an SQL field to a numeric value based
> on user response, I normally would use sprintf to prepare the query with
> %d representing an integer value, into an ID or an enumerated field. Out
> of bounds data is simply then an error and no further validation is
> required, unless you want to send the error back to the user, which in the
> case of a radio button is pointless because you won't GET error data
> unless they have actively faked the entry.
Makes sense.
>
> Any data that falls into a few well defined entries only, is easy to
> validate. The problem comes when you allow arbitrary string entry.
> Then SQL injection can happen if a really nasty string is concocted, but
> even then php supplies tools to sanitise just about anything you throw
> at it, up to and including (as I discovered) turning strings into
> hexadecimal numbers and inserting THOSE into the database. Assuming you
> are working with a database.
No DB yet, but I do plan to add it after learning it well enough. I'm
primarily interested in radio button validation at the moment.
>
> One of the best ways to approach design is to put on a black hat and try
> and crack it yourself. Think when you code 'what would happen if... there
> was no data at all, or the data contained special characters you really
> wouldn't expect?'
I've tried that, and so have a couple of buddy coders, and to date no
one has managed to get thru. But that's not a very large segment of
people and they're admittedly not the best code breakers around.
>
> Another thought is 'don't bother putting bars on the windows if you
> leave the front door open' the easiest way to hack a website is to find
> the administrative portal and hack past the password. Too many people
> leave the default settings in place when they install code written by
> others. Don't.
Nope, I don't, or I do my best not to, at least. <g> One of the pieces
of code I'm most proud of so far is the generation of the temporary
access code every visitor is given when he starts to fill out the form.
It's been judged better than "average" at PHPBuilder, NAS, Tizag and
here too if I'm not mistaken. It's a good ego boost and probably the
best first line of defense, but nothing can ever be 100% safe as we all
know.
Regards,
Twayne`
Re: Validate Radio Buttons? [message #182377 is a reply to message #182371] |
Thu, 01 August 2013 21:16 |
bill
Messages: 310 Registered: October 2010
On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
> On 7/31/2013 2:20 PM, Twayne wrote:
>> Hi all,
>>
>> I was wondering what the general consensus might be on this:
>>
>> Should one Validate Radio Buttons for an online website contact form?
>>
....
>
> Good practice means you ALWAYS validate ALL information from the user.
> You may have a radio button on your form - but there is no guarantee the
> request comes from your form.
>
> I can easily build a page which has invalid information and submit it to
> your site. Or even use tools like cURL to feed your site invalid
> information.
>
Care to share the "how" of doing that, or better yet some code? This
particular form isn't "live" yet or I'd put it somewhere and let you at
it if I didn't have orders to the contrary from on-high :)
I've done my best but it's obviously not enough or my questions
wouldn't exist.
Regards,
Twayne`
Re: Validate Radio Buttons? [message #182378 is a reply to message #182375] |
Thu, 01 August 2013 21:25 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 8/1/2013 4:47 PM, Twayne wrote:
> On 2013-07-31 5:37 PM, Denis McMahon wrote:
>> On Wed, 31 Jul 2013 15:07:17 -0400, Jerry Stuckle wrote:
>>
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>
>>> Good practice means you ALWAYS validate ALL information from the user.
>>> You may have a radio button on your form - but there is no guarantee the
>>> request comes from your form.
>>
>> As a follow up to Jerry, radio buttons and select lists are probably the
>> easiest elements to validate in the server side code because, by
>> definition, you expect them to be one of a discrete set of values, and if
>> they're not a member of that set of values, then someone is playing silly
>> buggers.
>
> Well ... that's why I thought it wasn't much necessary other than to see
> they were in the range I wanted and weren't empty. They're all
> single-character results, 0 thru 9, and 0 thru 3 in one case, and I
> thought all I needed to do was validate them to be within the ranges I
> specified or throw an error otherwise.
> I wondered though, if errant data came in, would it be possible to
> hurt me before I did the checks on them?
If you don't use the data before validating it, there isn't much bad
data can do (other than maybe a buffer overrun - which would be an
Apache/PHP problem).
> Today I wrote a couple of functions to check things with; one for
> nearly all data and a slightly less stringent one to allow a URL to
> appear within a textarea.
> the major commonly used function consists of
> --------------
> function checkIt_1($data)
> $data = trim($data);
> $data = stripslashes($data);
> $data = strip_tags( $data);
> $data = htmlspecialchars($data);
> return $data;
> -------------
Why are you calling stripslashes()? You should have magic_quotes_gpc()
off (for years now), which makes this function unnecessary (and
potentially harmful by removing slashes it shouldn't).
I'm not sure why you would want to strip the tags then encode the html
characters, but whatever suits your needs.
> With that I'm still able to read any munged text due to the function
> although if the visitor saw it it might be pretty confusing to him. It's
> not an issue to me though. I even run the functions on my SESSIONs data
> when I call it in, just in case it somehow was tainted.
>
Should not be necessary on your $_SESSION array, since that never leaves
the server. You will get back exactly what you store there.
> So ... if I applied that function or one similar to it, would you
> say I've made a step in the right direction or have I wasted my time?
>
Radio buttons need different validation - just check to see if the value
is one of the valid ones for that particular button.
> Is the stripslashes worth the machine cycles or does it just waste
> time?
> I've also thought about using htmlentities but it seems a little
> redundant. Yes?
>
See previous comments. The question is - what exactly are you trying to
accomplish?
> I'm pretty ignorant yet on just how XSS and the various injection
> methods work although I now have a couple of what I think are good sites
> to read through. It's taken me a long time to find easy-to-read
> tutorials or instructions for absolute beginners like I am in that area,
> on those subjects; there's SO much junk around it's sometimes pretty
> difficult to tell whether an author knows what he's talking about or not.
>
Yes, there are a lot of bad tutorials, recommendations and other
documents available on the 'net - much more than there is good
documentation.
>>
>> You could use in_array to check that the value received is in an array of
>> expected values, and then use the value directly; or you could switch on
>> the value received, with a case for each of the expected values. In both
>> cases, you can detect and respond as you feel appropriate for unexpected
>> values.
>>
>
> Arrays are probably a good idea but for me if they're not straight-up
> 1-dimensional arrays I get easily mixed up keeping track of their
> contents. Last time I tried I ended up leaving some holes that even I
> knew better than to do <grin>.
>
A one-dimensional array is fine for this, and is an easy way to validate
the value in a radio button.
> Thanks for all the food for thought, and allowing me to explain a bit
> about what's up.
>
> Anything further anyone has to add here is most welcome. I also respond
> promptly to any & all question/clarifications anyone may want.
>
> Best regards,
>
> Twayne`
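Jerry's two points above, that how a field is validated depends on what is expected in it, and that stripping tags and encoding entities on the way in are a different job from checking the value, as an added PHP example that is not code from the thread. It rejects input that does not fit the field instead of altering it, keeps the accepted text exactly as submitted, and applies htmlspecialchars() only at the point where a value is written into HTML. The field names, length limits and the sample submission are assumptions; mbstring is assumed to be available.

```php
<?php
declare(strict_types=1);

// Validation: decide whether each submitted value is acceptable for its
// field. Nothing is rewritten here; unacceptable input is reported back.
function validateContactForm(array $request): array
{
    $errors = [];
    $clean  = [];

    $name = $request['name'] ?? null;
    if (!is_string($name) || !mb_check_encoding($name, 'UTF-8')
        || mb_strlen($name) < 1 || mb_strlen($name) > 80) {
        $errors['name'] = 'name must be 1-80 characters of valid UTF-8';
    } else {
        $clean['name'] = $name;
    }

    $email = $request['email'] ?? null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // Free text. A URL inside the message is fine: it is only text here.
    // Control characters other than CR, LF and tab are not something a
    // person types into a textarea, so they are rejected rather than removed.
    $msg = $request['message'] ?? null;
    if (!is_string($msg) || !mb_check_encoding($msg, 'UTF-8')
        || mb_strlen($msg) > 4000
        || preg_match('/[^\P{Cc}\r\n\t]/u', $msg)) {
        $errors['message'] = 'message must be at most 4000 characters of plain text';
    } else {
        $clean['message'] = $msg;
    }

    return ['ok' => $errors === [], 'values' => $clean, 'errors' => $errors];
}

// Output: escaping happens where the value enters HTML and nowhere earlier,
// so what is stored (or e-mailed) is exactly what the visitor wrote.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderConfirmation(array $values): string
{
    return '<p>Thanks, ' . h($values['name']) . '. We will reply to '
         . h($values['email']) . '.</p>'
         . '<pre>' . h($values['message']) . '</pre>';
}

// Constructed sample submission, not captured traffic. The message carries
// a URL and a script tag: the URL survives, and the tag is rendered
// harmless by escaping at output, not by stripping it from the text.
$submission = [
    'name'    => 'Twayne',
    'email'   => 'twayne@example.com',
    'message' => "See http://example.com/page?a=1&b=2 <script>alert(1)</script>",
];

$result = validateContactForm($submission);
if ($result['ok']) {
    echo renderConfirmation($result['values']), "\n";
} else {
    foreach ($result['errors'] as $field => $why) {
        echo "$field: $why\n";
    }
}
```

The confirmation markup comes out with the ampersand in the URL and the angle brackets of the script tag encoded, while the stored message is unchanged. Contrast that with checkIt_1(): strip_tags() would have silently deleted the "<script>" part, htmlspecialchars() would then have encoded what was left, and the visitor's message would no longer be readable as written.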
Re: Validate Radio Buttons? [message #182380 is a reply to message #182378] |
Thu, 01 August 2013 21:53 |
bill
Messages: 310 Registered: October 2010
On 2013-08-01 5:25 PM, Jerry Stuckle wrote:
> On 8/1/2013 4:47 PM, Twayne wrote:
>> On 2013-07-31 5:37 PM, Denis McMahon wrote:
>>> On Wed, 31 Jul 2013 15:07:17 -0400, Jerry Stuckle wrote:
>>>
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>
>>>> Good practice means you ALWAYS validate ALL information from the user.
>>>> You may have a radio button on your form - but there is no guarantee
>>>> the
>>>> request comes from your form.
>>>
>>> As a follow up to Jerry, radio buttons and select lists are probably the
>>> easiest elements to validate in the server side code because, by
>>> definition, you expect them to be one of a discrete set of values,
>>> and if
>>> they're not a member of that set of values, then someone is playing
>>> silly
>>> buggers.
>>
....
>
> If you don't use the data before validating it, there isn't much bad
> data can do (other than maybe a buffer overrun - which would be an
> Apache/PHP problem).
Ah! Agreed; had a short blackout there. Understood.
>
>> Today I wrote a couple of functions to check things with; one for
>> nearly all data and a slightly less stringent one to allow a URL to
>> appear within a textarea.
>> the major commonly used function consists of
>> --------------
>> function checkIt_1($data)
>> $data = trim($data);
>> $data = stripslashes($data);
>> $data = strip_tags( $data);
>> $data = htmlspecialchars($data);
>> return $data;
>> -------------
>
> Why are you calling stripslashes()? You should have magic_quotes_gpc()
> off (for years now), which makes this function unnecessary (and
> potentially harmful by removing slashes it shouldn't).
Magic quotes are off; thanks for the tip. I've misunderstood something
there so I'll go recheck what stripslashes does.
>
> I'm not sure why you would want to strip the tags then encode the html
> characters, but whatever suits your needs.
>
>> With that I'm still able to read any munged text due to the function
>> although if the visitor saw it it might be pretty confusing to him. It's
>> not an issue to me though. I even run the functions on my SESSIONs data
>> when I call it in, just in case it somehow was tainted.
>>
>
> Should not be necessary on your $_SESSION array, since that never leaves
> the server. You will get back exactly what you store there.
>
>> So ... if I applied that function or one similar to it, would you
>> say I've made a step in the right direction or have I wasted my time?
>>
>
> Radio buttons need different validation - just check to see if the value
> is one of the valid ones for that particular button.
Ah, finally; I did something right!
>
>> Is the stripslashes worth the machine cycles or does it just waste
>> time?
>> I've also thought about using htmlentities but it seems a little
>> redundant. Yes?
>>
>
> See previous comments. The question is - what exactly are you trying to
> accomplish?
>
.... there's SO much junk around it's sometimes pretty
>> difficult to tell whether an author knows what he's talking about or not.
>>
>
> Yes, there are a lot of bad tutorials, recommendations and other
> documents available on the 'net - much more than there is good
> documentation.
>
>>>
....
>>>
>>
>> Arrays are probably a good idea but for me if they're not straight-up
>> 1-dimensional arrays I get easily mixed up keeping track of their
>> contents. Last time I tried I ended up leaving some holes that even I
>> knew better than to do <grin>.
>>
>
> A one-dimensional array is fine for this, and is an easy way to validate
> the value in a radio button.
>
Regards,
Twayne`
Re: Validate Radio Buttons? [message #182381 is a reply to message #182377] |
Thu, 01 August 2013 23:40 |
The Natural Philosoph
Messages: 993 Registered: September 2010
On 01/08/13 22:16, Twayne wrote:
> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>> On 7/31/2013 2:20 PM, Twayne wrote:
>>> Hi all,
>>>
>>> I was wondering what the general consensus might be on this:
>>>
>>> Should one Validate Radio Buttons for an online website contact form?
>>>
> ...
>
>>
>> Good practice means you ALWAYS validate ALL information from the user.
>> You may have a radio button on your form - but there is no guarantee the
>> request comes from your form.
>>
>> I can easily build a page which has invalid information and submit it to
>> your site. Or even use tools like cURL to feed your site invalid
>> information.
>>
>
> Care to share the "how" of doing that, or better yet some code? This
> particular form isn't "live" yet or I'd put it somewhere and let you
> at it if I didn't have orders to the contrary from on-high :)
> I've done my best but it's obviously not enough or my questions
> wouldn't exist.
>
In three years of reading this group I have never seen his highness lord
Stuckle post a single line of PHP.
> Regards,
>
> Twayne`
Re: Validate Radio Buttons? [message #182382 is a reply to message #182380] |
Thu, 01 August 2013 23:50 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 8/1/2013 5:53 PM, Twayne wrote:
> On 2013-08-01 5:25 PM, Jerry Stuckle wrote:
>> See previous comments. The question is - what exactly are you trying to
>> accomplish?
>>
> ... there's SO much junk around it's sometimes pretty
>
That doesn't answer the question. What exactly are you trying to
accomplish?
A text field can contain a lot of things. How you validate the field
depends entirely on what you expect in the field.
Re: Validate Radio Buttons? [message #182383 is a reply to message #182377] |
Thu, 01 August 2013 23:53 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 8/1/2013 5:16 PM, Twayne wrote:
> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>> On 7/31/2013 2:20 PM, Twayne wrote:
>>> Hi all,
>>>
>>> I was wondering what the general consensus might be on this:
>>>
>>> Should one Validate Radio Buttons for an online website contact form?
>>>
> ...
>
>>
>> Good practice means you ALWAYS validate ALL information from the user.
>> You may have a radio button on your form - but there is no guarantee the
>> request comes from your form.
>>
>> I can easily build a page which has invalid information and submit it to
>> your site. Or even use tools like cURL to feed your site invalid
>> information.
>>
>
> Care to share the "how" of doing that, or better yet some code? This
> particular form isn't "live" yet or I'd put it somewhere and let you at
> it if I didn't have orders to the contrary from on-high :)
> I've done my best but it's obviously not enough or my questions
> wouldn't exist.
>
> Regards,
>
> Twayne`
No problem at all. I just build a page on my site (or locally if I have
a web server installed) and have the form's action= point at the script
on your site. I can place anything I want on the page and it will be
sent to your script.
There is nothing which requires input to your site to come from a form
on your site. It can come from anywhere - something hackers use to
their advantage.
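What Jerry describes above, a request aimed at the form handler that never passed through the form, as an added PHP example that is not code from the thread. It assembles the same HTTP/1.1 POST a browser would send, but with a value the radio group never offered and a Referer header of the sender's choosing, which is why a Referer check cannot establish where a request came from. The target host, path, field names and the sample values are assumptions; sending uses the curl extension the thread mentions.

```php
<?php
declare(strict_types=1);

// Build the raw HTTP/1.1 request a browser would send for a form POST.
// Every header, Referer included, is written by the client, so none of
// them tells the server which page (if any) the data was typed into.
function buildFormPost(string $host, string $path, array $fields, string $referer): string
{
    $body = http_build_query($fields);   // the default form enctype
    $headers = [
        "POST $path HTTP/1.1",
        "Host: $host",
        "Referer: $referer",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " . strlen($body),
        "Connection: close",
    ];
    return implode("\r\n", $headers) . "\r\n\r\n" . $body;
}

// Send the same request with the curl extension, forged Referer included.
// Returns the response body, or null if the host cannot be reached (which
// is what happens offline against the assumed host below).
function sendFormPost(string $url, array $fields, string $referer): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_REFERER        => $referer,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === false ? null : $response;
}

// Assumed target and field names. The rating 42 lies outside the 0..9 the
// radio group offers: the form cannot produce it, but the request can.
$host   = 'www.example.com';
$path   = '/contact/submit.php';
$fields = [
    'name'    => 'Twayne',
    'email'   => 'twayne@example.com',
    'rating'  => '42',
    'message' => 'not sent from your form',
];
$referer = "http://$host/contact.php";

echo buildFormPost($host, $path, $fields, $referer), "\n";

// Uncomment to actually send it, and only against a host you are allowed to test:
// var_dump(sendFormPost("http://$host$path", $fields, $referer));
```

Running the script prints the request as it would travel over the wire, with the Referer pointing at the site's own contact page even though no page on that site was ever loaded. The server-side check that survives this is the one on the value itself, not on the headers that claim to describe its origin.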
Re: Validate Radio Buttons? [message #182384 is a reply to message #182377] |
Thu, 01 August 2013 23:54 |
Scott Johnson
Messages: 196 Registered: January 2012
On 8/1/2013 2:16 PM, Twayne wrote:
> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>> On 7/31/2013 2:20 PM, Twayne wrote:
>>> Hi all,
>>>
>>> I was wondering what the general consensus might be on this:
>>>
>>> Should one Validate Radio Buttons for an online website contact form?
>>>
> ...
>
>>
>> Good practice means you ALWAYS validate ALL information from the user.
>> You may have a radio button on your form - but there is no guarantee the
>> request comes from your form.
>>
>> I can easily build a page which has invalid information and submit it to
>> your site. Or even use tools like cURL to feed your site invalid
>> information.
>>
>
> Care to share the "how" of doing that, or better yet some code? This
> particular form isn't "live" yet or I'd put it somewhere and let you at
> it if I didn't have orders to the contrary from on-high :)
> I've done my best but it's obviously not enough or my questions
> wouldn't exist.
>
> Regards,
>
> Twayne`
Wasn't the point Jerry was making that you 'should' validate anything
coming from the public? That does not mean you have to.
Not sure the need to challenge his ability to corrupt your form since I
think it is well known that a form can be spoofed.....or maybe not well
known.
I think the premise is that you can ignore the need to validate your
data but you cannot ignore the consequences of not validating your data.
Just saying. :)
Scotty
Re: Validate Radio Buttons? [message #182385 is a reply to message #182381] |
Fri, 02 August 2013 00:09 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 8/1/2013 7:40 PM, The Natural Philosopher wrote:
> On 01/08/13 22:16, Twayne wrote:
>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what the general consensus might be on this:
>>>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>>>
>> ...
>>
>>>
>>> Good practice means you ALWAYS validate ALL information from the user.
>>> You may have a radio button on your form - but there is no guarantee the
>>> request comes from your form.
>>>
>>> I can easily build a page which has invalid information and submit it to
>>> your site. Or even use tools like cURL to feed your site invalid
>>> information.
>>>
>>
>> Care to share the "how" of doing that, or better yet some code? This
>> particular form isn't "live" yet or I'd put it somewhere and let you
>> at it if I didn't have orders to the contrary from on-high :)
>> I've done my best but it's obviously not enough or my questions
>> wouldn't exist.
>>
>
> In three years of reading this group I have never seen his highness lord
> Stuckle post a single line of PHP.
>
That's because you can't read. The Google archives will easily prove
you wrong.
OTOH, I have yet to see you post anything RIGHT - code or otherwise.
And the Google archives will prove that right.
>> Regards,
>>
>> Twayne`
>
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182386 is a reply to message #182383] |
Fri, 02 August 2013 01:25 |
Christoph Michael Bec
Jerry Stuckle wrote:
> On 8/1/2013 5:16 PM, Twayne wrote:
>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what the general consensus might be on this:
>>>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>>>
>> ...
>>
>>>
>>> Good practice means you ALWAYS validate ALL information from the user.
>>> You may have a radio button on your form - but there is no guarantee the
>>> request comes on from your form.
>>>
>>> I can easily build a page which has invalid information and submit it to
>>> your site. Or even use tools like cURL to feed your site invalid
>>> information.
>>>
>>
>> Care to share the "how" of doing that, or better yet some code? This
>> particular form isn't "live" yet or I'd put it somewhere and let you at
>> it if I didn't have orders to the contrary from on-high :)
>> I've done my best but it's obviously not enough or my questions
>> wouldn't exist.
To better understand potential exploits, you may start with RFC 2616,
the specification of HTTP/1.1[1]. Then you may go along doing some
simple telnet sessions, e.g.
$ telnet example.com 80
Trying 93.184.216.119...
Connected to example.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
[...]
You may augment your understanding of the HTTP protocol by inspecting
the HTTP headers that are actually sent and received by a browser (for
instance, Firefox has Tools->Live HTTP headers). You may reconstruct
some requests done from the browser with telnet, where you may change
some of the header fields, watching the results. A trivial example:
create a file test.php and put it in the web root of your localhost:
<?php
echo $_SERVER['HTTP_HOST'];
Then do:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /test.php HTTP/1.1
Host: surprise

HTTP/1.1 200 OK
Date: Fri, 02 Aug 2013 01:13:23 GMT
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Powered-By: PHP/5.4.7
Content-Length: 8
Content-Type: text/html

surprise
Finally you may simplify and automate such requests by using cURL[2] or
the PHP cURL extension[3], for example.
> No problem at all. I just build a page on my site (or locally if I have
> a web server installed) and have the form's action= point at the script
> on your site. I can place anything I want on the page and it will be
> sent to your script.
>
> There is nothing which requires input to your site to come from a form
> on your site. It can come from anywhere - something hackers use to
> their advantage.
As Twayne is checking the referrer, you'd have to spoof that too. Of
course that is no big deal either, but it should be noted.
[1] <http://tools.ietf.org/html/rfc2616>
[2] <http://curl.haxx.se/>
[3] <http://php.net/manual/en/book.curl.php>
--
Christoph M. Becker
Re: Validate Radio Buttons? [message #182387 is a reply to message #182386] |
Fri, 02 August 2013 02:10 |
Jerry Stuckle
On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
>>>
>>>>
>>>> Good practice means you ALWAYS validate ALL information from the user.
>>>> You may have a radio button on your form - but there is no guarantee the
>>>> request comes on from your form.
>>>>
>>>> I can easily build a page which has invalid information and submit it to
>>>> your site. Or even use tools like cURL to feed your site invalid
>>>> information.
>>>>
>>>
>>> Care to share the "how" of doing that, or better yet some code? This
>>> particular form isn't "live" yet or I'd put it somewhere and let you at
>>> it if I didn't have orders to the contrary from on-high :)
>>> I've done my best but it's obviously not enough or my questions
>>> wouldn't exist.
>
> To better understand potential exploits, you may start with RFC 2616,
> the specification of HTTP/1.1[1]. Then you may go along doing some
> simple telnet sessions, e.g.
>
> $ telnet example.com 80
> Trying 93.184.216.119...
> Connected to example.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
>
> HTTP/1.1 200 OK
> [...]
>
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers). You may reconstruct
> some requests done from the browser with telnet, where you may change
> some of the header fields, watching the results. A trivial example:
> create a file test.php and put it in the web root of your localhost:
>
I am *quite* familiar with the HTTP protocol, having worked with it for
close to 20 years. But there is no need to get into that level,
especially with a relative newbie like Twayne. It only confuses the issue.
A simple page with an HTML form which directs to the page is sufficient
to show how the page can be exploited.
> <?php
>
> echo $_SERVER['HTTP_HOST'];
>
> Then do:
>
> $ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /test.php HTTP/1.1
> Host: surprise
>
> HTTP/1.1 200 OK
> Date: Fri, 02 Aug 2013 01:13:23 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> X-Powered-By: PHP/5.4.7
> Content-Length: 8
> Content-Type: text/html
>
> surprise
>
> Finally you may simplify and automate such requests by using cURL[2] or
> the PHP cURL extension[3], for example.
>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>
> As Twayne is checking the referrer, you'd have to spoof that too. Of
> course that is no big deal either, but it should be noted.
>
> [1] <http://tools.ietf.org/html/rfc2616>
> [2] <http://curl.haxx.se/>
> [3] <http://php.net/manual/en/book.curl.php>
>
Yes, it is quite simple to check the referrer. However, that's a poor
thing to check, because it isn't a required field and may not be set.
Additionally, some firewalls/security products will strip the
HTTP_REFERER before sending the data (Norton has been famous for this in
the past - I don't know if they still do it).
The result is checking HTTP_REFERER will keep out more valid users than
it will block hackers.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
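The two points made above (Christoph's telnet session showing that request headers such as Host are whatever the client chooses to send, and Jerry's note that HTTP_REFERER is optional and may be stripped) can be turned into a handler that answers the original question directly. The following is an added example written for this thread, not code posted by any of its participants: a PHP contact-form handler that validates the radio button group against the fixed set of values the form offers, validates the other fields by type and length, compares the Host header with a configured list of site names, and records the Referer for the logs without using it to accept or reject anything. The field names (`reason`, `name`, `email`), the offered radio values and the site host names are assumptions; adjust them to the real form.

```php
<?php
// Added example for the thread, not the poster's own code.
// Any HTTP client can POST any value to this script, so nothing about the
// request (the radio button value, the Host header, the Referer) is trusted;
// every field is checked on the server against what the form actually offers.
declare(strict_types=1);

// Assumed values offered by the form's radio buttons, and the names this
// site is served under (hypothetical; use the real ones).
const CONTACT_REASONS = ['sales', 'support', 'other'];
const SITE_HOSTS      = ['www.example.com', 'example.com'];

/**
 * Validate one submission. $post is the decoded form body (normally $_POST),
 * $server the request environment (normally $_SERVER).
 * Returns a list of error strings; an empty list means the input is acceptable.
 */
function validateContactForm(array $post, array $server): array
{
    $errors = [];

    // Radio button: a browser omits the field entirely when nothing is
    // selected; a hand-built request may send any string, or even an array
    // (reason[]=x). Only the exact strings the form offers are accepted.
    $reason = $post['reason'] ?? null;
    if (!is_string($reason)) {
        $errors[] = 'reason: missing or malformed';
    } elseif (!in_array($reason, CONTACT_REASONS, true)) {
        $errors[] = 'reason: not one of the offered values';
    }

    // Free-text fields: enforce type and length here; a maxlength attribute
    // in the HTML is advice to the browser, not a guarantee.
    $name = $post['name'] ?? '';
    if (!is_string($name) || trim($name) === '' || strlen($name) > 100) {
        $errors[] = 'name: required, at most 100 bytes';
    }

    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    // Host header: client-supplied (the telnet session in the thread shows it
    // echoed back verbatim), so it is compared with the configured names
    // before anything, such as a link in a confirmation mail, is built from it.
    $host = $server['HTTP_HOST'] ?? '';
    if (!is_string($host) || !in_array(strtolower($host), SITE_HOSTS, true)) {
        $errors[] = 'host: not a configured site name';
    }

    return $errors;
}

/**
 * Referer is optional and client-supplied: it is worth logging, but a
 * missing or unexpected value is not a reason to reject the submission.
 */
function refererForLog(array $server): string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return (is_string($ref) && $ref !== '') ? $ref : '(absent)';
}

// Self-test with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    // A normal submission from a browser that sends no Referer at all.
    $ok     = ['reason' => 'support', 'name' => 'A. User', 'email' => 'user@example.org'];
    $srv    = ['HTTP_HOST' => 'www.example.com'];
    // A submission built outside the form: unknown radio value, oversized
    // name, bad address, made-up Host, and a Referer that looks right.
    $forged = ['reason' => 'admin', 'name' => str_repeat('x', 200), 'email' => 'not-an-address'];
    $spoof  = ['HTTP_HOST' => 'surprise', 'HTTP_REFERER' => 'http://www.example.com/contact.php'];

    print_r(validateContactForm($ok, $srv));
    echo 'referer: ', refererForLog($srv), "\n";
    print_r(validateContactForm($forged, $spoof));
    echo 'referer: ', refererForLog($spoof), "\n";
}
```

Run with `php contact-validate.php` (any file name will do). The first submission passes although it carries no Referer; the second fails on every field even though its Referer is exactly what a referer check would have wanted to see, which is the reason the value is logged rather than used as a gate.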
Re: Validate Radio Buttons? - LiveHTTP headers [message #182389 is a reply to message #182386] |
Fri, 02 August 2013 12:05 |
bill
On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers).
I am running Firefox 22.0.
alt->tools does not have Live HTTP headers in the pull down.
activating the menu bar: tools goes to the same place.
where do you find live http headers ?
thanks in advance
bill
Re: Validate Radio Buttons? - LiveHTTP headers [message #182390 is a reply to message #182389] |
Fri, 02 August 2013 12:21 |
The Natural Philosoph
On 02/08/13 13:05, bill wrote:
> On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
>> You may augment your understanding of the HTTP protocol by inspecting
>> the HTTP headers that are actually sent and received by a browser (for
>> instance, Firefox has Tools->Live HTTP headers).
>
> I am running Firefox 22.0.
>
> alt->tools does not have live HPPT headers in the pull down.
>
> activating the menu bar: tools goes to the same place.
>
> where do you find live http headers ?
>
> thanks in advance
>
> bill
the most convenient tool I have found is 'curl'
curl -I [url] will show what the remote server is sending.
For firefox there exists an addon
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: Validate Radio Buttons? - LiveHTTP headers [message #182391 is a reply to message #182389] |
Fri, 02 August 2013 12:44 |
Jerry Stuckle
On 8/2/2013 8:05 AM, bill wrote:
> On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
>> You may augment your understanding of the HTTP protocol by inspecting
>> the HTTP headers that are actually sent and received by a browser (for
>> instance, Firefox has Tools->Live HTTP headers).
>
> I am running Firefox 22.0.
>
> alt->tools does not have live HPPT headers in the pull down.
>
> activating the menu bar: tools goes to the same place.
>
> where do you find live http headers ?
>
> thanks in advance
>
> bill
It's an extension to FF you have to add on.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182395 is a reply to message #182381] |
Fri, 02 August 2013 23:42 |
bill
On 2013-08-01 7:40 PM, The Natural Philosopher wrote:
> On 01/08/13 22:16, Twayne wrote:
>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what the general consensus might be on this:
>>>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>>>
>> ...
>>
>
> In three years of reading this group I have never seen his highness lord
> Stuckle post a single line of PHP.
>
>> Regards,
>>
>> Twayne`
>
>
I have, but not very often. He can be pretty eccentric at times, but;
what's your beef? You are off-topic; please get back on.
Re: Validate Radio Buttons? [message #182396 is a reply to message #182383] |
Fri, 02 August 2013 23:47 |
bill
On 2013-08-01 7:53 PM, Jerry Stuckle wrote:
> On 8/1/2013 5:16 PM, Twayne wrote:
>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what the general consensus might be on this:
>>>>
>>>> Should one Validate Radio Buttons for an online website contact form?
....
>
> No problem at all. I just build a page on my site (or locally if I have
> a web server installed) and have the form's action= point at the script
> on your site. I can place anything I want on the page and it will be
> sent to your script.
>
> There is nothing which requires input to your site to come from a form
> on your site. It can come from anywhere - something hackers use to
> their advantage.
>
Nah, you'd have to do more than that. That much I can test for myself.
Re: Validate Radio Buttons? [message #182397 is a reply to message #182386] |
Fri, 02 August 2013 23:51 |
bill
On 2013-08-01 9:25 PM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
....
>
> To better understand potential exploits, you may start with RFC 2616,
> the specification of HTTP/1.1[1]. Then you may go along doing some
> simple telnet sessions, e.g.
>
> $ telnet example.com 80
> Trying 93.184.216.119...
> Connected to example.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
>
> HTTP/1.1 200 OK
> [...]
>
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers). You may reconstruct
> some requests done from the browser with telnet, where you may change
> some of the header fields, watching the results. A trivial example:
> create a file test.php and put it in the web root of your localhost:
>
> <?php
>
> echo $_SERVER['HTTP_HOST'];
>
> Then do:
>
> $ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /test.php HTTP/1.1
> Host: surprise
>
> HTTP/1.1 200 OK
> Date: Fri, 02 Aug 2013 01:13:23 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> X-Powered-By: PHP/5.4.7
> Content-Length: 8
> Content-Type: text/html
>
> surprise
>
> Finally you may simplify and automate such requests by using cURL[2] or
> the PHP cURL extension[3], for example.
>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>
> As Twayne is checking the referrer, you'd have to spoof that too. Of
> course that is no big deal either, but it should be noted.
>
> [1] <http://tools.ietf.org/html/rfc2616>
> [2] <http://curl.haxx.se/>
> [3] <http://php.net/manual/en/book.curl.php>
>
Hmm, good post Chris! I'll see where that takes me.
Thanks
Re: Validate Radio Buttons? [message #182398 is a reply to message #182396] |
Fri, 02 August 2013 23:54 |
Jerry Stuckle
On 8/2/2013 7:47 PM, Twayne wrote:
> On 2013-08-01 7:53 PM, Jerry Stuckle wrote:
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>
> ...
>
>>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>>
>
> Nah, you'd have to do a more than that. That much I can test for myself.
>
>
>
>
What more do you want? I described exactly how an HTML page (no PHP at
all) could be built which can cause you a problem.
If you want the HTML to do it, try alt.html. That would be off-topic in
this newsgroup.
And BTW - HTTP_REFERER is another user-supplied field, and cannot be
trusted. It may easily be spoofed or could be absent. It is not to be
trusted.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182399 is a reply to message #182395] |
Fri, 02 August 2013 23:56 |
Jerry Stuckle
On 8/2/2013 7:42 PM, Twayne wrote:
> On 2013-08-01 7:40 PM, The Natural Philosopher wrote:
>> On 01/08/13 22:16, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
>>>
>>
>> In three years of reading this group I have never seen his highness lord
>> Stuckle post a single line of PHP.
>>
>>> Regards,
>>>
>>> Twayne`
>>
>>
>
> I have, but not very often. He can be pretty eccentric at times, but;
> what's your beef? You are off-topic; please get back on.
How much PHP code have you seen here recently? How much *correct* PHP
code has been posted by TNP?
I've posted a lot of code in the past. Unfortunately, due to trolls
like TNP, this newsgroup has pretty much died so there is little reason
to post any code.
Fortunately, there are a few web forums which still have good PHP
discussions.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182400 is a reply to message #182387] |
Sat, 03 August 2013 00:06 |
bill
On 2013-08-01 10:10 PM, Jerry Stuckle wrote:
> On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
>> Jerry Stuckle wrote:
....
>
> Yes, it is quite simple to check the referrer. However, that's a poor
> thing to check, because it isn't a required field and may not be set.
> Additionally, some firewalls/security products will strip the
> HTTP_REFERER before sending the data (Norton has been famous for this in
> the past - I don't know if they still do it).
Yup! No Referrer, no access! Wrong referrer, still no access. Spoof it
properly or forget it. Along with other checks & balances along the way
of course.
>
> The result is checking HTTP_REFERER will keep out more valid users than
> it will block hackers.
That sounds like a bunch of bologna unless you can cite something
verifiable to support it.
I have never, in over a decade, seen Referrer ever block anyone and
I receive host reports of every single contact attempt on my site,
successful or not. Daily.
The only reason I don't have anything more cohesive to support my
claim is that I lost a lot of memory due to a serious brain concussion a
few years back, necessitating re-learning a LOT of things, but I still
have all my records in archive.
Every contact is and was evaluated to see if I care why a contact
attempt failed. Being so near a college town, there are a lot of
abandoned and unsuccessful access attempts. So far none have succeeded
although it's been a long trip getting my knowledge back!
So if you can, please cite something to support your claim that it keeps
out more valid users than bots & hackers & crackers.
>
Re: Validate Radio Buttons? [message #182401 is a reply to message #182384] |
Sat, 03 August 2013 00:10 |
bill
On 2013-08-01 7:54 PM, Scott Johnson wrote:
> On 8/1/2013 2:16 PM, Twayne wrote:
>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what the general consensus might be on this:
>>>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>>>
>> ...
>>
>>>
>>> Good practice means you ALWAYS validate ALL information from the user.
>>> You may have a radio button on your form - but there is no guarantee the
>>> request comes on from your form.
>>>
>>> I can easily build a page which has invalid information and submit it to
>>> your site. Or even use tools like cURL to feed your site invalid
>>> information.
>>>
>>
>> Care to share the "how" of doing that, or better yet some code? This
>> particular form isn't "live" yet or I'd put it somewhere and let you at
>> it if I didn't have orders to the contrary from on-high :)
>> I've done my best but it's obviously not enough or my questions
>> wouldn't exist.
>>
>> Regards,
>>
>> Twayne`
>
> Wasn't the point Jerry was making is that you 'should' validate anything
> coming from the public? Does not mean you have to.
Agreed, no problem there.
>
> Not sure the need to challenge his ability to corrupt your form since I
> think it is well known that a form can be spoofed.....or maybe not well
> known.
What challenging his ability? That was a valid, meaningful question.
He said "that" and I asked for clarification and further information.
Just read, don't try to see between the lines.
>
> I think the premise is that you can ignore the need to validate your
> data but you cannot ignore the consequences of not validating your data.
>
> Just saying. :)
>
> Scotty
Re: Validate Radio Buttons? [message #182402 is a reply to message #182400] |
Sat, 03 August 2013 00:20 |
Jerry Stuckle
On 8/2/2013 8:06 PM, Twayne wrote:
> On 2013-08-01 10:10 PM, Jerry Stuckle wrote:
>> On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
>>> Jerry Stuckle wrote:
> ...
>>
>> Yes, it is quite simple to check the referrer. However, that's a poor
>> thing to check, because it isn't a required field and may not be set.
>> Additionally, some firewalls/security products will strip the
>> HTTP_REFERER before sending the data (Norton has been famous for this in
>> the past - I don't know if they still do it).
>
> Yup! No Referrer, no access! Wrong referrer, still no access. Spoof it
> properly or forget it. Along with other checks & balances along the way
> of course.
>
Then you will lock out a number of valid users. HTTP_REFERER is not a
required field, and some firewalls will strip it from the header (Norton
used to do this).
Plus it is so easy to spoof it isn't even funny. I don't even need to
use cURL to do it - I can do it with simple HTML.
>>
>> The result is checking HTTP_REFERER will keep out more valid users than
>> it will block hackers.
>
> That sounds like a bunch of bologna unless you can cite something
> verifiable to support it.
Please see above.
> I have never, in over a decade, seen Referrer ever block anyone and
> I receive host reports of every single contact attempt on my site,
> successful or not. Daily.
Not that you know of, anyway. But how do you know it was never blocked?
I've had some sites where the customer wants the referrer tracked. We
do, and sometimes it comes up empty (even on a POST operation).
> The only reason I don't have anything more cohesive to support my
> claim is that I lost a lot of memory due to a serious brain concussion a
> few years back, necessitating re-learning a LOT of things, but I still
> have all my records in archive.
Which does not mean it does not occur.
> Every contact is and was evaluated to see if I care why a contact
> attempt failed. Being so near a college town, there are a lot of
> abandoned and unsuccessful access attempts. So far none have succeeded
> although it's been a long trip getting my knowledge back!
>
And you don't know how many spoofed entries there are, either.
> So if you can, please cite something to support your claim that it keeps
> out more valid users than bots & hackers & crackers.
>
>
See above. HTTP_REFERER is NOT to be trusted.
Or google for it and see what else you find.
However, this is also off-topic in a PHP newsgroup.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182403 is a reply to message #182401] |
Sat, 03 August 2013 00:21 |
Scott Johnson
On 8/2/2013 5:10 PM, Twayne wrote:
> On 2013-08-01 7:54 PM, Scott Johnson wrote:
>> On 8/1/2013 2:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
>>>
>>>>
>>>> Good practice means you ALWAYS validate ALL information from the user.
>>>> You may have a radio button on your form - but there is no guarantee
>>>> the
>>>> request comes on from your form.
>>>>
>>>> I can easily build a page which has invalid information and submit
>>>> it to
>>>> your site. Or even use tools like cURL to feed your site invalid
>>>> information.
>>>>
>>>
>>> Care to share the "how" of doing that, or better yet some code? This
>>> particular form isn't "live" yet or I'd put it somewhere and let you at
>>> it if I didn't have orders to the contrary from on-high :)
>>> I've done my best but it's obviously not enough or my questions
>>> wouldn't exist.
>>>
>>> Regards,
>>>
>>> Twayne`
>>
>> Wasn't the point Jerry was making is that you 'should' validate anything
>> coming from the public? Does not mean you have to.
>
> Agreed, no problem there.
>>
>> Not sure the need to challenge his ability to corrupt your form since I
>> think it is well known that a form can be spoofed.....or maybe not well
>> known.
>
> What challenging his ability? That was a valid, meaningful question. He
> said "that" and I asked for clarification and further information.
>
> Just read, don't try to see between the lines.
>
Point taken. I guess this NG usually develops into some serious mud
slinging; I misread that you actually wanted to see some code that
would do it as challenging whether it could be done.
Sorry
Scotty
Re: Validate Radio Buttons? [message #182433 is a reply to message #182399] |
Sun, 04 August 2013 15:57 |
bill
On 2013-08-02 7:56 PM, Jerry Stuckle wrote:
> On 8/2/2013 7:42 PM, Twayne wrote:
>> On 2013-08-01 7:40 PM, The Natural Philosopher wrote:
>>> On 01/08/13 22:16, Twayne wrote:
>>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> > On 7/31/2013 2:20 PM, Twayne wrote:
>>>> >> Hi all,
....
>
> How much PHP code have you seen here recently? How much *correct* PHP
> code has been posted by TNP?
I've seen quite a bit of code posted "here" recently, and a lot of
helpful information.
>
> I've posted a lot of code in the past. Unfortunately, due to trolls
> like TNP, this newsgroup has pretty much died so there is little reason
> to post any code.
What you did in the past is irrelevant when it's too far past. It's more
important what you do NOW. As for TNP, what he does is his business; it
doesn't take long to identify someone who's an actual troll from one
who's simply run across you before.
>
> Fortunately, there are a few web forums which still have good PHP
> discussions.
Name three.
Well, perhaps forums is where you should take your exaggerated ego and
get out of here then. You're certainly not much use here if all you want
to do is control people and use your own "Power Grabs" to make others
feel less superior to you. If you don't want to help anyone, then don't
respond to them; it's that simple. You seem to want to be 'part of the
problem', not part of the solution.
I've also noticed your penchant for starting up flames and egging them
on; I don't participate in that more than once or twice, in case you can
redeem yourself. After a fair chance, once I decide not to read or
respond to any of your posts, I don't.
>
Re: Validate Radio Buttons? RESOLVED [message #182446 is a reply to message #182369] |
Sun, 04 August 2013 20:17 |
bill
On 2013-07-31 2:20 PM, Twayne wrote:
> Hi all,
>
> I was wondering what the general consensus might be on this:
>
> Should one Validate Radio Buttons for an online website contact form?
>
> I've always thought they needed nothing but validation to see if they'd
> been used or not before accepting them, and sending the user back to the
> website Home Page.
>
> TIA & Regards,
>
> Twayne`
Re: Validate Radio Buttons? [message #182454 is a reply to message #182433] |
Mon, 05 August 2013 02:06 |
Jerry Stuckle
On 8/4/2013 11:57 AM, Twayne wrote:
> On 2013-08-02 7:56 PM, Jerry Stuckle wrote:
>> On 8/2/2013 7:42 PM, Twayne wrote:
>>> On 2013-08-01 7:40 PM, The Natural Philosopher wrote:
>>>> On 01/08/13 22:16, Twayne wrote:
>>>> > On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> >> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> >>> Hi all,
> ...
>
>>
>> How much PHP code have you seen here recently? How much *correct* PHP
>> code has been posted by TNP?
>
> I've seen quite a bit of code posted "here" recently, and a lot of
> helpful information.
>
By TNP? You can't read very well then.
>>
>> I've posted a lot of code in the past. Unfortunately, due to trolls
>> like TNP, this newsgroup has pretty much died so there is little reason
>> to post any code.
>
> What you did in the past is irrelevant when it's too far past. It's more
> important what you do NOW. As for TNP, what he does is his business; it
> doesn't take long to identify someone who's an actual troll from one
> who's simply run across you before.
>
It is entirely relevant. I post *GOOD* code when it's appropriate. It
wasn't necessary here, for instance, so I didn't.
>>
>> Fortunately, there are a few web forums which still have good PHP
>> discussions.
>
> Name three.
Find them yourself. I'm not going to contribute to them being ruined by
you and TNP like this newsgroup has been.
> Well, perhaps forums is where you should take your exaggerated ego and
> get out of here then. You're certainly not much use here if all you want
> to do is control people and use your own "Power Grabs" to make others
> feel less superior to you. If you don't want to help anyone, then don't
> respond to them; it's that simple. You seem to want to be 'part of the
> problem', not part of the solution.
>
I have an exaggerated ego? ROFLMAO! I'm not trying to "control"
anyone; neither am I trying to make "power grabs". I just don't give a
damn what trolls like you and TNP think about me. You're not worth it.
And I didn't post any code in this thread because none was necessary.
But I did give you hints on how it could be done in HTML - no PHP code
necessary. However, I know you aren't too smart - but this IS a PHP
group - not an HTML group. If you want details on how it can be done in
HTML, then I suggest you try an HTML group.
And no, I won't post hacking code in this or any other public forum.
> I've also noticed your penchant for starting up flames and egging them
> on; I don't participate in that more than once or twice, in case you can
> redeem yourself. After a fair chance, once I decide not to read or
> respond to any of your posts, I don't.
>
>>
>
I start flames? ROFLMAO again!
But don't worry. You won't get any more help from me - EVER. Try to
get your answers from TNP. Anonymous trolls are good at providing
advice. Too bad it isn't good advice - especially in his case.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Validate Radio Buttons? [message #182464 is a reply to message #182454]
Mon, 05 August 2013 15:17
bill
Messages: 310 Registered: October 2010
On 2013-08-04 10:06 PM, Jerry Stuckle wrote:
> On 8/4/2013 11:57 AM, Twayne wrote:
>> On 2013-08-02 7:56 PM, Jerry Stuckle wrote:
>>> How much PHP code have you seen here recently? How much *correct* PHP
>>> code has been posted by TNP?
>>
>> I've seen quite a bit of code posted "here" recently, and a lot of
>> helpful information.
You asked two questions; I answered the first and that's what you
quoted; it's pretty obvious you're upset and cross-answering things; a
portrayal of your ego problem.
>>
>
> By TNP? You can't read very well then.
Did I SAY TNP? What, no reading comprehension either, on top of your
total lack of interpersonal skills?
>
....
>>
>> What you did in the past is irrelevant when it's too far past. It's more
>> important what you do NOW. As for TNP, what he does is his business; it
>> doesn't take long to identify someone who's an actual troll from one
>> who's simply run across you before.
>>
>
> It is entirely relevant. I post *GOOD* code when it's appropriate. It
> wasn't necessary here, for instance, so I didn't.
No, you don't. Your ego gets in your way.
>
>>>
>>> Fortunately, there are a few web forums which still have good PHP
>>> discussions.
>>
>> Name three.
>
> Find them yourself. I'm not going to contribute to them being ruined by
> you and TNP like this newsgroup has been.
I have them; You obviously use your trolling simply to try to irritate
people; it doesn't work in most cases. Get help soon.
>
....
> I have an exaggerated ego? ROFLMAO! I'm not trying to "control"
> anyone; neither am I trying to make "power grabs". I just don't give a
> damn what trolls like you and TNP think about me. You're not worth it.
Yeah, as you troll merrily along, huh? If that has you "ROFLMAO" then
your problems are even more obvious. I think you're pissed and
responding that way too.
>
> And I didn't post any code in this thread because none was necessary.
> But I did give you hints on how it could be done in HTML - no PHP code
> necessary. However, I know you aren't too smart - but this IS a PHP
> group - not an HTML group. If you want details on how it can be done in
> HTML, then I suggest you try an HTML group.
Didn't you already say that? Prone to repeating yourself?
>
> And no, I won't post hacking code in this or any other public forum.
Who asked you to?
Go ahead, show us where you mis-interpreted something again.
>
>> I've also noticed your penchant for starting up flames and egging them
>> on; I don't participate in that more than once or twice, in case you can
>> redeem yourself. After a fair chance, once I decide not to read or
>> respond to any of your posts, I don't.
>>
>>>
>>
>
> I start flames? ROFLMAO again!
Wow, psychotic to boot? I wonder ...
>
> But don't worry. You won't get any more help from me - EVER. Try to
> get your answers from TNP. Anonymous trolls are good at providing
> advice. Too bad it isn't good advice - especially in his case.
You're great at labeling people; perhaps you need more time to think
about yourself ...
>
Re: Validate Radio Buttons? [message #182465 is a reply to message #182464]
Mon, 05 August 2013 15:33
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 8/5/2013 11:17 AM, Twayne wrote:
> On 2013-08-04 10:06 PM, Jerry Stuckle wrote:
>> On 8/4/2013 11:57 AM, Twayne wrote:
>>> On 2013-08-02 7:56 PM, Jerry Stuckle wrote:
>
>
>>>> How much PHP code have you seen here recently? How much *correct* PHP
>>>> code has been posted by TNP?
>>>
>>> I've seen quite a bit of code posted "here" recently, and a lot of
>>> helpful information.
>
> You asked two questions; I answered the first and that's what you
> quoted; it's pretty obvious you're upset and cross-answering things; a
> portrayal of your ego problem.
Yup, and you conveniently ignored the second question, like trolls do.
Then jump on me because YOU didn't answer it.
>>>
>>
>> By TNP? You can't read very well then.
>
> Did I SAY TNP? What, no reading comprehension either, on top of your
> total lack of interpersonal skills?
No, I asked a question. Hint: that's what the "?" is about. But I also
know that questions like that are beyond your limited capacity to
understand.
>>
> ...
>>>
>>> What you did in the past is irrelevant when it's too far past. It's more
>>> important what you do NOW. As for TNP, what he does is his business; it
>>> doesn't take long to identify someone who's an actual troll from one
>>> who's simply run across you before.
>>>
>>
>> It is entirely relevant. I post *GOOD* code when it's appropriate. It
>> wasn't necessary here, for instance, so I didn't.
>
> No, you don't. Your ego gets in your way.
I beg your pardon. I DO post code when it is relevant. I hate to
disillusion you, but NOTHING in what you asked required ANY code.
And then you asked for code on how to hack a site - which I will NOT
post in a public forum. Maybe this is your way to try to get some
sucker to tell you how to hack a site. I won't do that - for you, or
anyone else.
>>
>>>>
>>>> Fortunately, there are a few web forums which still have good PHP
>>>> discussions.
>>>
>>> Name three.
>>
>> Find them yourself. I'm not going to contribute to them being ruined by
>> you and TNP like this newsgroup has been.
>
> I have them; You obviously use your trolling simply to try to irritate
> people; it doesn't work in most cases. Get help soon.
Good. Glad you learned to use Google. And no, unlike you, I don't
troll. And I don't try to irritate people. But your misplaced ego
needs that.
Me, I'm quite comfortable with myself and don't need to troll to build
my ego. But blaming others for your problems is another symptom of
psychiatric problems. You really should get some help.
>>
> ...
>> I have an exaggerated ego? ROFLMAO! I'm not trying to "control"
>> anyone; neither am I trying to make "power grabs". I just don't give a
>> damn what trolls like you and TNP think about me. You're not worth it.
>
> Yeah, as you troll merrily along, huh? If that has you "ROFLMAO" then
> your problems are even more obvious. I think you're pissed and
> responding that way too.
Nope, I mean it as I said it. I'm not pissed. You're not worth it.
But I also know that knowing you won't get me pissed pissed YOU off - so
you have to start with the ad hominem attacks, like all trolls do.
>
>>
>> And I didn't post any code in this thread because none was necessary.
>> But I did give you hints on how it could be done in HTML - no PHP code
>> necessary. However, I know you aren't too smart - but this IS a PHP
>> group - not an HTML group. If you want details on how it can be done in
>> HTML, then I suggest you try an HTML group.
>
> Didn't you already say that? Prone to repeating yourself?
Only when you obviously don't get it the first time.
>>
>> And no, I won't post hacking code in this or any other public forum.
>
> Who asked you to?
> Go ahead, show us where you mis-interpreted something again.
You did - and I quote:
Me:
>> I can easily build a page which has invalid information and submit
>> it to your site. Or even use tools like cURL to feed your site
>> invalid information.
You:
> Care to share the "how" of doing that, or better yet some code? This
> particular form isn't "live" yet or I'd put it somewhere and let you
> at it if I didn't have orders to the contrary from on-high
Or don't you remember what you said 4 days ago?
>>> I've also noticed your penchant for starting up flames and egging them
>>> on; I don't participate in that more than once or twice, in case you can
>>> redeem yourself. After a fair chance, once I decide not to read or
>>> respond to any of your posts, I don't.
>>>
>>>>
>>>
>>
>> I start flames? ROFLMAO again!
>
> Wow, psychotic to boot? I wonder ...
Nope, laughing uproariously at your problems.
>>
>> But don't worry. You won't get any more help from me - EVER. Try to
>> get your answers from TNP. Anonymous trolls are good at providing
>> advice. Too bad it isn't good advice - especially in his case.
>
> You're great at labeling people; perhaps you need more time to think
> about yourself ...
>>
>
You should take your own advice. After all, you started the ad hominem
attacks. But then trolls always try to put the blame on someone else.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
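The point quoted in the post above, that a hand-built page or a cURL request can send any value for a radio field regardless of what the HTML offered, is why the radio value has to be checked on the server against the server's own list of options. The PHP below is an added example written for this page, not code from either poster; the field name `contact_reason`, its three allowed values and the sample submissions are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. The field name and the
// allowed values are assumptions for illustration.
const CONTACT_REASONS = ['sales', 'support', 'other'];

/**
 * Return the submitted radio value if it is exactly one of the allowed
 * options, or null otherwise.
 *
 * The radio group only limits what a cooperative browser sends. A request
 * such as
 *   curl -d 'contact_reason=bogus' https://example.com/contact.php
 * (hypothetical URL) delivers whatever the caller types, so the server
 * must compare the value against its own list, not trust the form.
 */
function validateRadio(array $post, string $field, array $allowed): ?string
{
    if (!array_key_exists($field, $post)) {
        return null;            // no option selected, or field omitted
    }
    $value = $post[$field];
    if (!is_string($value)) {
        return null;            // contact_reason[]=x arrives as an array
    }
    // Strict comparison so "0" or "" cannot loosely match an allowed entry.
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'normal'   => ['contact_reason' => 'support'],
    'missing'  => [],
    'tampered' => ['contact_reason' => 'bogus'],
    'array'    => ['contact_reason' => ['support']],
];

foreach ($samples as $label => $post) {
    $reason = validateRadio($post, 'contact_reason', CONTACT_REASONS);
    printf("%-8s => %s\n", $label, $reason ?? 'rejected');
}
```

Only the "normal" sample yields a value; the missing, tampered and array-shaped submissions are all rejected by the same check, which is the whole of the server-side validation a radio button needs. In a live handler the `$samples` loop would be replaced by a single call with `$_POST`.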