Web Form Security: Client-side tips to help you secure your web forms

Here is a short overview of web forms and security. Understand one aspect of security first: if someone wants your information, they will go to any lengths to get it. Security is a cat-and-mouse game, but you also need to keep your customers in mind. Locking a form down against attackers can make it difficult for legitimate customers to use, and the result is lost revenue.

The first means of securing a web form is data validation. Should there be HTML characters or numbers in a first name? No. So you want to perform validation on both sides of the process: client and server. Client-side validation consists of JavaScript, either embedded in the page with the form or kept in a separate “.js” file. Server-side validation is performed on the server in any number of languages, with PHP and Perl being predominant. This post examines client-side validation.

Client side: within the HTML form you have the First Name field:

First Name: <input name="FirstName" size="20" type="text" />

Submitting the form calls the JavaScript validation. The hook is placed inside the form tag:

 onSubmit="return formcheck(this);"

The JavaScript itself goes near the top of the page (typically in the head), wrapped in the formcheck function that the onSubmit handler calls:

function formcheck(form) {   // receives the form element via onSubmit="return formcheck(this);"
	var FirstName = form.FirstName;
	// validate_required is assumed to be defined elsewhere on the page; it returns false for an empty field
	if (validate_required(FirstName, "Please provide your first name.") == false)
		{FirstName.focus(); return false;}
	return true;
}

The only thing we are checking here is that the first name is filled in. The HTML form provides the length (“size=20”) and the JavaScript ensures there is a value in the field.
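As an added example (not code from the original post), here is a complete client-side validator for the First Name field that implements both rules the post states: the field must be filled in, and it must contain neither numbers nor HTML characters. The validate_required, validate_name, report and fakeForm functions are my own names; fakeForm is a constructed stand-in for the form element so the code also runs under Node, outside a browser.

```javascript
"use strict";

// Shows the validation message: alert() in a browser, console.error under Node.
function report(message) {
  if (typeof alert === "function") { alert(message); } else { console.error(message); }
}

// Returns false when the field is empty or whitespace only; otherwise true.
function validate_required(field, message) {
  const value = (field.value || "").trim();
  if (value.length === 0) {
    report(message);
    return false;
  }
  return true;
}

// Rejects digits and the characters that carry meaning in HTML (< > & "),
// matching the post's rule that a first name contains neither numbers nor HTML.
// Apostrophes and hyphens are deliberately allowed (O'Brien, Anne-Marie) so the
// check does not lock out real customers, which the post warns against.
function validate_name(field, message) {
  const value = (field.value || "").trim();
  if (/[0-9<>&"]/.test(value)) {
    report(message);
    return false;
  }
  return true;
}

// Wired up in the page as <form onSubmit="return formcheck(this);">.
// Returning false cancels the submit and leaves the user on the form.
function formcheck(form) {
  const FirstName = form.FirstName;
  if (validate_required(FirstName, "Please provide your first name.") === false) {
    FirstName.focus();
    return false;
  }
  if (validate_name(FirstName, "First name may not contain numbers or HTML characters.") === false) {
    FirstName.focus();
    return false;
  }
  return true;
}

// Constructed stand-in for a <form> whose FirstName <input> holds the given value;
// focus() is a no-op here because there is no browser to move the cursor in.
function fakeForm(firstName) {
  return { FirstName: { value: firstName, focus() {} } };
}

// Stand-alone run: a valid name passes, an empty or HTML-laden one is refused.
console.log(formcheck(fakeForm("Alice")), formcheck(fakeForm("")), formcheck(fakeForm("<b>Bob</b>")));
```

Note that size="20" only sets the visible width of the input; a maxlength attribute is what caps the number of characters a browser will accept, and even that, like everything in this block, is advisory until the server repeats the same checks.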

Now we need to examine two things that make this validation weak: JavaScript and HTTP requests. The JavaScript only runs if the client has JavaScript enabled and the form is actually submitted from a browser rather than by a web_bot. Web_bots do not type values into your form fields; they send the values straight to the form's handler (and on to email) as HTTP requests, which look like this:

http://<your domain name>/<your form name>.html?form_value_name=value

One method of dealing with this is to insert a field in your web form that only web_bots can see. Here is an example:

<input id="email_2" name="email_2" type="text" />

This form field stays hidden from human users but not from web_bots. A web_bot will see it as an email field and fill in an email address. You then need to process this field with server-side scripting.
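As an added example (not code from the original post), this block shows the server-side half of the honeypot: it parses a submitted request body of the kind sketched above and discards any submission in which email_2 has a value. The function names parseFormBody, isLikelyBot and processSubmission are my own, and the request bodies are constructed samples in the application/x-www-form-urlencoded shape a form post (or the query string in the URL above) would carry.

```javascript
"use strict";

// Name of the decoy field from the form; a human never sees it, so it must stay empty.
const HONEYPOT_FIELD = "email_2";

// Parses "a=1&b=2" into a plain object. URLSearchParams does the percent-decoding
// and treats "+" as a space, so "Bob+Smith" and "Bob%20Smith" both become "Bob Smith".
function parseFormBody(raw) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(raw)) {
    fields[key] = value;
  }
  return fields;
}

// A filled honeypot is the signal the post describes: a real user cannot see the
// field, so any non-blank value in it indicates an automated submission.
function isLikelyBot(fields) {
  const decoy = fields[HONEYPOT_FIELD];
  return typeof decoy === "string" && decoy.trim().length > 0;
}

// Decides what the server does with one submission. The required-field rule is
// repeated here on purpose: client-side JavaScript is skipped entirely when the
// request is sent directly, so the server must not trust that it ever ran.
function processSubmission(raw) {
  const fields = parseFormBody(raw);
  if (isLikelyBot(fields)) {
    // Drop it silently (respond as if it succeeded so the bot learns nothing)
    // and keep a log line so the hits can be counted and monitored.
    return {
      action: "discard",
      reason: "honeypot filled",
      log: "honeypot hit: " + HONEYPOT_FIELD + "=" + fields[HONEYPOT_FIELD],
    };
  }
  if (typeof fields.FirstName !== "string" || fields.FirstName.trim() === "") {
    return { action: "reject", reason: "FirstName missing" };
  }
  return { action: "accept", firstName: fields.FirstName.trim() };
}

// Stand-alone run over three constructed bodies: a bot, a human, and a direct
// request that skipped the client-side check.
for (const body of ["FirstName=Bob&email_2=bot%40example.com", "FirstName=Bob+Smith&email_2=", "email_2="]) {
  console.log(body, "->", processSubmission(body));
}
```

Hide the decoy with CSS (for example positioned off-screen) rather than type="hidden", since the post's point is that it should look like a normal email field to a bot; and add autocomplete="off", tabindex="-1" and aria-hidden="true" to the input so browser autofill and screen readers do not fill it in for a real customer, which would otherwise turn the honeypot into a false positive.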

Enjoy and I hope this helps.
