Re: POST variables not coming through

Posted by Good Man on 08/29/06 16:42

"gbbulldog" <gbbulldog@googlemail.com> wrote in
news:1156866297.045790.145340@p79g2000cwp.googlegroups.com:

> WhatsPHP wrote:
>> I have JS checks in the client side which does not allow blank

> Secondly, don't just validate in JS - validate in PHP too, as the JS
> might not run as expected or may be ignored completely if a
> (malicious) user decides to create their own POST to the form handler.


You will never get better advice than this. You *must* get a handle on
security whenever you are using PHP and submitted forms.

*NEVER* trust user input. You must *ALWAYS* validate your info on the
PHP side - make sure that you are actually getting the information you
are expecting. As noted above, if a user has disabled javascript, then
they can submit an empty form. Heck, I don't even need to VISIT a
website to submit information to the form on it - I can post to a FORM
via command-line, or any other number of ways, without hitting the
original form.

So how would you guard against people submitting a 'fake' form from
their own computer, or just turning off javascript? By checking *ALL
USER INPUT*. It is the FIRST RULE involving ANY server-side scripting
language - VALIDATE USER INPUT!

As you can see, this point simply CANNOT be stressed enough. It is the
first hole (and biggest) that must be plugged in everything you write
from this day forth.

:)
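To make the point concrete, here is an added PHP form handler (example code written for this page, not code posted by Good Man or gbbulldog) that validates `$_POST` on the server no matter what the client-side JavaScript did or did not do. The field names (`name`, `email`, `age`), the length and range limits, and the two constructed input arrays standing in for `$_POST` are assumptions made for illustration.

```php
<?php
// Added example: server-side validation of a submitted form. The browser's
// JavaScript may have been disabled, or the request may never have come
// from the form at all, so nothing in $_POST is trusted until checked.
// Field names and limits are assumptions for this illustration.

declare(strict_types=1);

/**
 * Validate a submitted form array and return [errors, cleanValues].
 * Takes any array so it can be exercised with constructed input.
 */
function validateContactForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // Only these fields are expected. Anything else that arrives in the
    // request (e.g. an extra 'admin' field) is simply never copied over.
    $expected = ['name', 'email', 'age'];

    foreach ($expected as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';   // empty form or hand-crafted POST
        }
    }
    if ($errors) {
        return [$errors, $clean];
    }

    // name: non-empty after trimming, bounded byte length, no control characters
    $name = trim($post['name']);
    if ($name === '' || strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'invalid';
    } else {
        $clean['name'] = $name;
    }

    // email: syntactic check with PHP's built-in filter
    $email = filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid';
    } else {
        $clean['email'] = $email;
    }

    // age: integer in a plausible range; rejects "12abc", "-5", "1e3"
    $age = filter_var(
        $post['age'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]
    );
    if ($age === false) {
        $errors['age'] = 'invalid';
    } else {
        $clean['age'] = $age;
    }

    return [$errors, $clean];
}

// Constructed inputs standing in for $_POST: one as the browser form would
// send it, one as a script posting straight to the handler might send it.
$fromBrowser = ['name' => 'Alice', 'email' => 'alice@example.com', 'age' => '34'];
$fromScript  = ['name' => '', 'email' => 'not-an-email', 'age' => '12abc', 'admin' => '1'];

foreach ([$fromBrowser, $fromScript] as $input) {
    [$errors, $clean] = validateContactForm($input);
    if ($errors) {
        // Reject the request; the database/mail code never sees bad data.
        echo "rejected: " . json_encode($errors) . "\n";
    } else {
        // Only validated values go further; still escape them on output.
        echo "accepted: " . htmlspecialchars(json_encode($clean), ENT_QUOTES, 'UTF-8') . "\n";
    }
}

// In the real handler the call is simply:
// [$errors, $clean] = validateContactForm($_POST);
```

The first input is accepted; the second is rejected with `name`, `email` and `age` all flagged, and its extra `admin` field is dropped because the handler only ever copies fields it expects. The same checks run whether the request came from the page's form, a browser with JavaScript turned off, or a command-line client, which is exactly why the JavaScript checks can only ever be a convenience for the user and not a security control.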
