Conquering Code Validation
by Marc Plotz
September 08, 2009
Is your website hack-proof? Code validation can make this a
reality; let Marc Plotz show you how.
Why Validate?
It seems like a pretty pointless question, yet I have seen
many sites with contact forms that do not validate at all: you can
submit nothing, or anything you like, and the form just
submits. That is just a contact form; imagine something like
a shopping cart order form, or any type of form that feeds database
queries. Form validation is essential if you do not want
people hacking your website, or spamming it with rubbish.
Probably 40% of the work I do involves validation of some
sort or other, not always form validation (a point we will
get to shortly). Validation is probably THE most important
thing your website or application can do, although I am the
first to admit the task always seems like a great bother.
Let us take a brief look at what validation really is.
Validation is for forms, right?
Wrong. It is for forms, but there is more to it than that.
Let us assume you have a website handling different user
levels. In my line of work it happens quite often that there are
different user types that are permitted to do different
things. For our purposes we can imagine we have just three
user types on a recruitment website:
Guest (level 0)
Job Seeker (level 1)
Employer (level 2)
Now it is quite clear that these users all have different
things that they can do on the website. Guests can see the
home page, log in, register and retrieve lost passwords, as
well as use the contact form. Let's assume Job Seekers can
fill in an online resume, upload certificates and their
CVs, and search and apply for jobs, while Employers can
advertise jobs, search and view CVs and download the relevant
documentation.
Our validation process on this website would be to make sure
that each user type can access only the data appropriate to
that user type. This can be done in a few ways,
but the one I prefer is to set a userlevel value as a
session variable when the user logs in. We can then check
the value of the userlevel as the user moves from page to
page and not only grant access to those pages as need be,
but also provide navigation that only leads them to pages
that are relevant to their userlevel. The navigation is a
convenience, not the control: every protected page must run
the userlevel check itself, because a user can type any URL
directly. Along with this type of thing we might want to
check the IP of a user and redirect them to a specific section
of the site according to their country, or load a language
table relative to the user's native language.
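The session-based userlevel check described above, written out as an added example that is not the article's code. The page names, the login.php redirect target and the mapping of pages to the three user types are assumptions for illustration; every page includes this file before producing any output.

```php
<?php
// Added example (not the article's code): enforce the userlevel stored in the
// session at login on every page. Page names, login.php and the page-to-user-type
// mapping are assumptions for illustration.
session_start();
const LEVEL_GUEST      = 0;
const LEVEL_JOB_SEEKER = 1;
const LEVEL_EMPLOYER   = 2;
// Which user types may open each page; any page not listed is denied outright.
$page_access = array(
    'index.php'    => array(LEVEL_GUEST, LEVEL_JOB_SEEKER, LEVEL_EMPLOYER),
    'contact.php'  => array(LEVEL_GUEST, LEVEL_JOB_SEEKER, LEVEL_EMPLOYER),
    'resume.php'   => array(LEVEL_JOB_SEEKER),
    'apply.php'    => array(LEVEL_JOB_SEEKER),
    'post_job.php' => array(LEVEL_EMPLOYER),
    'view_cv.php'  => array(LEVEL_EMPLOYER),
);
// Called once at login, after the password has been verified.
function set_userlevel(int $level): void
{
    session_regenerate_id(true);   // fresh session id whenever privileges change
    $_SESSION['userlevel'] = $level;
}
// A missing or unexpected session value counts as a guest, never as "allowed".
function current_level(): int
{
    $level = isset($_SESSION['userlevel']) ? (int) $_SESSION['userlevel'] : LEVEL_GUEST;
    $known = array(LEVEL_GUEST, LEVEL_JOB_SEEKER, LEVEL_EMPLOYER);
    return in_array($level, $known, true) ? $level : LEVEL_GUEST;
}
// Run at the top of every page, before any output or database work.
function require_access(array $page_access, string $page): void
{
    if (!isset($page_access[$page]) || !in_array(current_level(), $page_access[$page], true)) {
        header('Location: login.php');
        exit;                          // header() alone does not stop the script
    }
}
// Navigation built from the same table, so links only lead where the check allows.
function nav_links(array $page_access): array
{
    $allowed = array();
    foreach ($page_access as $page => $levels) {
        if (in_array(current_level(), $levels, true)) {
            $allowed[] = $page;
        }
    }
    return $allowed;
}
require_access($page_access, basename($_SERVER['SCRIPT_NAME']));
```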
I am here for form validation!
As I mentioned earlier, form validation is probably the
biggest and most important type of logic processing you can
do. Think about it: a form is a doorway you are giving the
world that leads right into your website and most likely
your database too. If you do not make sure you are
protecting that doorway, you will be sorry. Trust me, I
know.
So let's look at a very simple contact form, and what would
be the best way to validate it in a normal situation. Our
form code is below:
<!-- REQUEST_URI comes from the request, so it is HTML-escaped before being echoed into the attribute -->
<form id="contact_form" name="contact_form" method="post"
      action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>">
    Name: <br /><input type='text' id='name' name='name' />
    <br />
    Email Address: <br /><input type='text' id='email' name='email' />
    <br />
    Message: <br /><textarea name='message' id='message'></textarea>
    <br />
    <br />
    <input type='button' name='send' id='send' value='SEND' onclick="check_form('contact_form');" />
</form>
<script type="text/javascript">
// Client-side checks: a convenience for the user, not a security control.
function check_form(frm)
{
    var form = document.forms[frm];           // the form name passed in by the button
    var name = form.elements['name'].value;
    var email = form.elements['email'].value;
    var message = form.elements['message'].value;
    var ok = true;
    var errors = "";
    if (name.length == 0)
    {
        errors += "-You must enter a name.\n";
        ok = false;
    }
    else if (name.length < 3)
    {
        errors += "-Name must be at least 3 characters.\n";
        ok = false;
    }
    if (email.length == 0)
    {
        errors += "-You must enter an email address.\n";
        ok = false;
    }
    else if (email.length < 6)
    {
        errors += "-Email must be at least 6 characters.\n";
        ok = false;
    }
    if (message.length == 0)
    {
        errors += "-You must enter a message.\n";
        ok = false;
    }
    else if (message.length < 5)
    {
        errors += "-Your message must be at least 5 characters.\n";
        ok = false;
    }
    if (ok)
        form.submit();                        // only reached when every check passed
    else
        alert(errors);
}
</script>
The actual form is shown below.
So as you can see, we have created a form and we have
validated it, right? We used JavaScript to apply some simple
validations to the form (you might want to actually make
sure the email address is a real email address using regular
expressions, which is outside the scope of this article) and
we make sure these validation criteria are met before
submitting the form, so all is perfect, right? The Lord is
in the heavens and all is right with the world, right?
Wrong Again
JavaScript validation is CLIENT SIDE validation. What this
means is that when the submit button is pressed the BROWSER
is the one doing the validating. But a lot can go wrong
between the browser and the server: the browser is under the
user's control, JavaScript can be switched off, and a request
can reach your script without the form ever being loaded, so
nothing the browser checked can be trusted once the data
arrives. So what we need to do is
use a SCRIPTING language like PHP or ASP to actually
revalidate the data on the server side, then filter out the
unwanted stuff, and make sure it is CLEAN DATA that we are
inserting into our database or emailing. How we do this is
to put a piece of code (I will be using PHP as that is my
language of choice) at the top of the page to do the brunt
of the work. The code will look like this:
<?php
$error = array();
if(!empty($_POST))
{
    // Read each field explicitly rather than extract($_POST): extract() would let a
    // posted field called "error" overwrite the $error array this code relies on.
    $name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
    $email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';
    $message = isset($_POST['message']) ? trim($_POST['message']) : '';

    // Check presence first, then length, and only escape a value that passed both.
    if($name === '') // name is not set
    {
        $error[] = "Name must be entered";
    }
    elseif(strlen($name) < 5) // check string length
    {
        $error[] = "Name Too Short"; // set error in array
    }
    else
    {
        $name = mysql_real_escape_string($name); // secure from injection (needs an open mysql connection)
    }

    if($email !== '')
    {
        // a regular expression to check that the email address is in the right format
        $regex = '/^[_+a-z0-9-]+(\.[_+a-z0-9-]+)*'
               . '@[a-z0-9-]+(\.[a-z0-9-]{1,})*'
               . '\.([a-z]{2,}){1}$/i';
        // compare format of email address with regular expression
        // (preg_match with the /i flag replaces the original eregi(), which was removed in PHP 7)
        if(preg_match($regex, $email))
        {
            $email = mysql_real_escape_string($email);
        }
        else
        {
            $error[] = "Email appears to be in an invalid format";
        }
    }
    else
    {
        $error[] = "Email must be entered";
    }

    if($message === '')
    {
        $error[] = "Message must be entered";
    }
    elseif(strlen($message) < 5)
    {
        $error[] = "Message Too Short";
    }
    else
    {
        $message = mysql_real_escape_string($message);
    }

    if(empty($error)) // there are no errors, now process
    {
        // do database save and emailing here
    }
}
?>
As we can see, we check for basically the same things here
and more: we also check that the email address is in
the right format. Please realize that the above code is
greatly simplified; you can check for as many things as you
like here. What we are left with once
this processing is done is an error array that is either
empty or not. If it is not empty, meaning there are errors,
simply do a foreach loop to print out the
errors just above the form; otherwise process the form as
usual.
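The same server-side checks as a reusable function, with the foreach that prints the error array above the form and the "do database save" step filled in, as an added example that is not the article's code. It swaps the article's escaping for PDO bound parameters and filter_var() for the hand-written regex; the PDO DSN, credentials and the contact table are assumptions.

```php
<?php
// Added example (not the article's code): the server-side checks as a function that
// hands back clean values and the error array, the foreach that prints the errors
// above the form, and the save step done with a prepared statement. The PDO DSN,
// credentials and the contact table are assumptions.
function validate_contact(array $post): array
{
    $errors = array();
    $name    = isset($post['name'])    ? trim((string) $post['name'])    : '';
    $email   = isset($post['email'])   ? trim((string) $post['email'])   : '';
    $message = isset($post['message']) ? trim((string) $post['message']) : '';
    if ($name === '') {
        $errors[] = 'Name must be entered';
    } elseif (mb_strlen($name) < 5) {
        $errors[] = 'Name Too Short';
    }
    if ($email === '') {
        $errors[] = 'Email must be entered';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email appears to be in an invalid format';  // line breaks fail this check too, so the address is safe in a mail header
    }
    if ($message === '') {
        $errors[] = 'Message must be entered';
    } elseif (mb_strlen($message) < 5) {
        $errors[] = 'Message Too Short';
    }
    $clean = empty($errors) ? array('name' => $name, 'email' => $email, 'message' => $message) : array();
    return array($clean, $errors);   // exactly one of $clean / $errors is non-empty
}

if (!empty($_POST)) {
    list($clean, $errors) = validate_contact($_POST);
    if (!empty($errors)) {
        // Print the errors above the form, HTML-escaping each one: text that came
        // from the request must never be echoed back into the page raw.
        foreach ($errors as $e) {
            echo '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        // Bound parameters instead of escaping: the values never become part of the SQL text.
        $pdo  = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass');
        $stmt = $pdo->prepare('INSERT INTO contact (name, email, message) VALUES (?, ?, ?)');
        $stmt->execute(array($clean['name'], $clean['email'], $clean['message']));
    }
}
```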
Conclusion
Today we have had a very small look into the different types
of validation and how to validate a basic form. I cannot
stress enough how important validation is, and why you
should use it if you do not want to end up getting your site
hacked and/or deleted, or worse.
Until Next Time - Happy Validating!