Consequences of not using server side validation?

 

What are the consequences of not validating a simple email form on the server.

Keep in mind that:

  • javascript validation is being carried out
  • there is no database in question, this is a simple email form

    • The PHP code I would like to use is this: 

    <?php
    $post_data = filter_input_array( INPUT_POST, FILTER_SANITIZE_SPECIAL_CHARS );

    $full_name = $post_data["full_name"];
    $email_address = $post_data["email_address"];
    $gender = $post_data["gender"];
    $message = $post_data["message"];

    $formcontent = "Full Name: $full_name nEmail Address: $email_address nGender: $gender nMessage: $message n";
    $formcontent = wordwrap($formcontent, 70, "n", true);

    $recipient = "myemail@address.com"; $subject = "Contact Form"; $mailheader = "From: $email_address rn";

    mail($recipient, $subject, $formcontent, $mailheader);

    echo 'Thank You! - <a href="#"> Return Home</a>'; 
?>

    Would a simple captcha solve the issue of security?

    UPDATE:

    A few questions I would really like answered: If I am not worried about invalid data being sent, what is the absolute minimum I can do to improve security. Basically avoid disasters.

    I should probably mention that this code is being generated in a form generator and I would like to avoid my users getting attacked. Spamming might be sorted by adding Captcha.

    UPDATE: What is the worst case scenario?

    UPDATE: Really appreciate all the answers!

    A couple of things I plan to do:

  • add this as Alex mentioned: filter_var("$post_data['email_address']", FILTER_VALIDATE_EMAIL);

  • add simple captcha

    • If I did add simple server side validation, what should I validate for? Cant the user still send invalid data even if I am validating it?

    Also, will the above stop spam?

    In general if you are just playing around and don't care, you don't need validation at all. Having client-side validation is pointless and you will just be wasting your time. The client-side only approach will get you in trouble. You can't trust your users that much.

    If you plan to actually release this or really use it on a live environment, you must have a server side validation. It is well worth the time since this is a simple form now, but it may grow to be much more than that. In addition, if you take care of your validation now, you can reuse it later with other components of your application/site. If you try thinking if terms of reusability you will save your self countless of hours of development.

    There are also obvious issues such as injections and javaScript issues, as mentioned by other users. In addition, a simple CAPTCHA does not cut it anymore. There are some nice resource regarding CAPTCHA.

    Take a look at those.

    Coding Horror

    Decapther

    So the simple answer of your questions is that you are certainly vulnerable in your current situation. I know that more development takes more time, but if you follow good development practices such as reusability and orthogonal/modular design you can save yourself a lot of time and still produce robust applications.

    Good luck!

    UPDATE: You can add FILTER_VALIDATE_EMAIL to take care of the email validation and you can read more about the email injection and how to take care of it here: damonkohler. As for the CAPTCHA, it could solve the problem, but it really depends on how valuable of a target your form/site is. I would recommend using non-linear transforms or something that is widely used and proven. If you are writing your own you may get yourself in trouble.

    Summary:

  • Validate Email
  • Still make sure you are save from injections
  • Make sure the CAPTCHA is strong enough
  • Really Consider server-side validation

    • UPDATE: @kht Did you get your questions answered? Let us know if something was unclear. Good Luck!

    UPDATE: OK, I think we have made you a bit confused here with this whole client-side/server-side fiasco. I will try to break it down now so it makes more sense. The first part explains some basic concepts, and the second answers your questions.

    First, PHP is a server-side language. It runs on the server and when a page request is sent, the server will "run" the PHP script, make any changes to the requested page, and then send it to the user who is requesting the page. The user has no access/control over that PHP script. On the contrary, as discussed earlier, the client-side scripts, such as JavaScript can be manipulated. However, just because you have some PHP script running and checking something on a form, that does not mean that the form is secure. It only means that you are doing some server-side processing of the form. Having it there, and making it secure are two different things as I am sure you have already figured out.

    Now when we say that you need server-side validation we mean that you need a good one. Also, in this hectic Q&A format nobody really mentioned that there is a difference between validating data and sanitizing data.

    sanitizing - making the data meet some criteria

    validating - checking if the data meets a criteria

    Take a look at phpnightly for a better explanation and examples. There are also some nice simple tutorials describing how to create basic validation of a form.

    nettuts

    Very basic, but you should get the idea.

    So how do you approach your current problem?

  • To begin with, you should keep what you have in terms or client-side validation and add the CAPTCHA as you mentioned(check my post or you can research some good ones).

  • What should you validate?

    a. you should validate the data: all fields such as email, name, subject...

  • check if the data matches what you expected: is the filed empty?; is it an email?; does it contain numbers?; etc. You can validate the data on the server side for the same things you are validating it on the user side. The only difference is that the client cannot manipulate that validation.

    • b. you could sanitize the data as well

  • make it lower case and compare it, trim it, or even cast it into a type if you need to. If you have time to check it out, the article from phpnighty has a decent explanation of the two and when not to use both.

  • Can the users still send invalid data?

  • sure they can, but now they have no access to the validation algorithm, they can't just disable it or go around it.(strictly speaking)
  • when the data is invalid or malicious, just inform the user that there has been an error and make them do it again. That is the point of the server-side validation, you can prevent the user from circumventing the rules, and you can alert them that their input is not valid
  • be very careful with the error messages too; don't reveal too much of the rules you are using for validation to your user, just inform them what you are expecting

  • Also, will the above stop spam? If you make sure the form is not vulnerable to email injections, you have client-side validation, CAPTCHA, and server-side validation of some form(it does not have to be super complex) it will stop spam.(keep in my that today's great solution is not so great tomorrow)

  • Why the hell do I need that server-side bull* when my client-side validation works just fine?* Think of it as having a safety net. If a spammer goes around the client-side security, the server-side security will still be there.

    • This validation thing sounds like a lot of work, but it is actually pretty simple. Take a look at the tutorial I included and I am sure the code will make things click. If you make sure no unwanted information is being sent through the form, and the clients cannot manipulate the form to send to more than one email, then you are pretty much safe.

    I just wrote this one out the top of my head, so if it is confusing just put some more questions or shoot me a message. Good Luck!

    No validation occurs when there is no javascript present , might as well not have it...

    Do you think spam bots have javascript enabled?

    Extra note on would be attackers

    If I were attacking your form, I would first see your javascript validation.. Next I would turn javascript off and try again...

    The Consequences of only using client side validation are the same as not using validation at all...

    Would a simple captcha solve the issue of security?

    Not unless it's server side...

    Without validation they could use injection to add in values such as CC: and BCC: to send emails to multiple other people via your form. So I would recommend the least you do is add in: 

    filter_var("$post_data['email_address']", FILTER_VALIDATE_EMAIL);

    If you check the email is valid, the worst they could do is send you invalid data.

    链接地址: http://www.djcxy.com/p/92682.html

    上一篇: 验证电子邮件本地组件

    下一篇: 不使用服务器端验证的后果?