How to prevent fake form validation

So, I have a page with a simple form. To submit this form, I need the user to check a box (accepting some privacy rules, etc.).

I have a form like this:

    <form role="form" class="form" id="zamowienie" action="send_order.php" method="post">
        <button type="button" id="wyslijZamowienie">SEND</button>
        <input type="checkbox" id="regCheckbox" value="">
    </form>

(Of course, all distracting inputs have been removed.) Then I have a script that should submit the form only after the checkbox has been checked.

    var button = $("#wyslijZamowienie");
    button.on("click", function () {
        // Submit only when the consent checkbox is checked
        if ($("#regCheckbox").is(":checked")) {
            $("#zamowienie").submit();
        }
    });

Unfortunately, I found out that the user can locally change the button type from "button" to "submit", and then they can submit the form, bypassing the check in my submit script.

And an additional question. I am not an expert, but I started wondering what else can be done with Firebug or dev tools. Can the user carry out any attacks this way?

Thanks so much for any answers or recommendations.

+6
3 answers

The user can change your form in many other ways, not just the button's type attribute, so it is best to check on the server side. For example, you should do something like this:

Validate using jQuery:

    $("#zamowienie").submit(function (e) {
        if (!$('input[type=checkbox]#regCheckbox:checked').length) {
            // stop the form from submitting
            return false;
        }
        // continue and submit the form
        return true;
    });

Confirm in the backend:

If you use PHP in the backend, for example, you should check whether the checkbox was checked, with something like this:
Note: your checkbox needs a name attribute, say mycheckbox.

    <?php
    if (isset($_POST['mycheckbox'])) {
        // Process your form
    } else {
        // Checkbox was not checked, print an error message or something
    }

Always validate in the backend; JavaScript validation is just a plus for usability and user experience.

+5

This is one of the reasons why you always check on the server. There is no problem with checking on the front end, but you need a second check on the server to ensure that all the data is what you expected.

Regarding the Firebug / Chrome Dev Tools question: anyone can edit pretty much everything in your front end, from CSS to JS. Even if you minify it!

+1

Please note that the user can do whatever they want. They can change everything in your form, or even create another form targeting the same URL and write a script that submits it 1000 times.

This is why you often read:

Never trust user input

This means that you need to check the entire request on the server side: check the HTTP method used, and make sure that the expected fields are set and have the data types you expect.

To summarize: the front end is only there so the “regular” user can communicate with your server; on the server side (back end) you should expect that any input is possible.

+1
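The server-side checks the first and third answers describe (method, consent checkbox, expected fields with expected types), written out for the send_order.php handler above. This is an added example, not code from any of the answers; it assumes the checkbox is given `name="mycheckbox" value="accepted"`, and the "email" and "quantity" fields are assumed purely for illustration.

```php
<?php
// Added example: the validation send_order.php should do before trusting
// anything the browser sent. Assumes the form's checkbox was changed to
// <input type="checkbox" name="mycheckbox" value="accepted">.

/**
 * Validate the raw request. Returns a list of error messages;
 * an empty array means the request is acceptable.
 */
function validate_order_request(string $method, array $post): array
{
    $errors = [];

    // The form declares method="post"; anything else is not a form submission.
    if ($method !== 'POST') {
        return ['Unexpected HTTP method'];
    }

    // An unchecked checkbox is simply absent from $_POST, so isset() is the
    // "checked" test. Pinning the value also rejects a tampered value.
    if (!isset($post['mycheckbox']) || $post['mycheckbox'] !== 'accepted') {
        $errors[] = 'Privacy rules must be accepted';
    }

    // Expected fields must be present and of the expected type. The
    // is_string() guard rejects arrays ("email[]=x"), which filter_var
    // would otherwise silently fail on.
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address';
    }

    $quantity = $post['quantity'] ?? '';
    $range = ['options' => ['min_range' => 1, 'max_range' => 100]];
    if (!is_string($quantity) || filter_var($quantity, FILTER_VALIDATE_INT, $range) === false) {
        $errors[] = 'Quantity must be an integer between 1 and 100';
    }

    return $errors;
}

// Usage at the top of send_order.php:
$errors = validate_order_request($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
if ($errors !== []) {
    http_response_code(400);
    echo implode("\n", $errors);
    exit;
}
// ... only now process the order ...
```

Because every decision is made from `$_SERVER` and `$_POST` on the server, editing the button type, the checkbox, or the whole form in dev tools changes nothing about what gets accepted.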

Source: https://habr.com/ru/post/985819/
