
Ok, so currently I handle all HTML form submissions in PHP. I submit the form to a PHP file which:

  • Checks against a cookie created at page load to prevent CSRF.
  • Contains a require_once() that handles validation.
  • Runs other logic.

If any of these steps fail, the user is redirected in PHP to the page they came from with an error message.

How I submit the form:

<form method="post" action="filename.php">

This system is fail-safe, as if anything goes wrong, the user is returned to the page they came from, even with Javascript disabled.

So my question is: can I create a fail-safe system using just Ajax (an Ajax request to the server on form submission), so that I don't need this PHP system at all? Is there a recommended procedure/tutorial for this?

I've avoided this so far as the overhead of having both a PHP form handling system as a fail-safe for potential hackers, as well as Ajax, can take several hours per form.

Just to clarify, I don't require support for users that have Javascript disabled. I just want to make sure my system is fail-safe in that situation. I've had a good look around, but it's proving difficult to find clarification on this.

  • There is no way you can rely on form validating client-side, it is easily circumvented, or is that not what you're asking? – Wrikken Sep 10 '14 at 01:52
  • I'd be interested in seeing any answers you get on this, wondered for some time too. – Halfpint Sep 10 '14 at 01:54

1 Answer


The short answer for the most part is: no.

It is unwise to consider anything client-side as reliable or fail-safe; this is especially true when it comes to validating user input. A rule of thumb is: never trust the user.

Currently, per the description, your form is being submitted to a PHP script that validates form data. This way is going to be your best line of defense since you have a large amount of control on the data you are working with.

It sounds like you want to cut out the form submission and not force another page load. You can use AJAX to pass form information for validation to your script, but your PHP code is still going to be crucial to the validation process.

Basically you want to make your PHP validation solid. Next, start adding some AJAX calls that pass information from forms to your PHP code, but be prepared to fall back to standard form submission if AJAX is unavailable. If there are no problems with AJAX, you can still submit the data, have PHP do its processing, then return a payload indicating success or failure. Keep in mind though, in this context AJAX is just some sugar for the validation. You are only sweetening the deal by saving yourself having to reload a page and transfer the entire document again.

But remember: it is not reliable, and it is not fail-safe. Server side validation is the light at the end of the tunnel.

Crackertastic
  • @user3420034 You can check a token that is sent with the request. Some prevention measures are mentioned on this [OWASP page](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) on the topic. Here is a [SO question](http://stackoverflow.com/questions/9089909/do-i-need-a-csrf-token-for-jquery-ajax) and [another one](http://stackoverflow.com/questions/1953954/detecting-ajax-in-php-and-making-sure-request-was-from-my-own-website) regarding CSRF/AJAX. Here's a [brief article](http://erlend.oftedal.no/blog/?blogid=118) that talks about it. Hope that helps. – Crackertastic Sep 10 '14 at 16:21
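The answer's recommendation, one PHP handler that does all validation and CSRF checking server-side and serves both a plain `<form method="post">` submission and an AJAX submission of the same form, written out as an added example. This is not code from the question, the answer, or the linked pages. It assumes the form page has started a session, generated the token with `random_bytes()` as shown in the comment, and embedded it in a hidden field named `csrf_token`; it assumes AJAX callers send the header `X-Requested-With: XMLHttpRequest`; and the field names (`name`, `email`, `age`) and the redirect target `/form.php` are placeholders. The token is kept in the session and must be echoed back in the request body: a cookie alone proves nothing, because the browser attaches cookies to cross-site requests automatically.

```php
<?php
// Added example, not from the original post. Server-side handler for a form that
// may be posted either directly or via AJAX. Both paths run the same checks.
//
// Assumed form-page setup (placeholder, not on the page):
//   session_start();
//   if (empty($_SESSION['csrf_token'])) {
//       $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
//   }
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
declare(strict_types=1);

session_start();

// Only the response shape depends on how the form arrived; validation does not.
$isAjax = strcasecmp($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;

// Reply with JSON for AJAX callers, or redirect back to the form page for a
// plain post (the fallback the original PHP system relied on).
function respond(bool $ok, array $errors, bool $isAjax): void
{
    if ($isAjax) {
        header('Content-Type: application/json');
        http_response_code($ok ? 200 : 422);
        echo json_encode(['ok' => $ok, 'errors' => $errors]);
    } else {
        // Errors go into the session so the form page can render them.
        // Redirect to a fixed path, not the Referer header, which the client controls.
        $_SESSION['form_errors'] = $errors;
        http_response_code(303);
        header('Location: /form.php');  // placeholder path
    }
    exit;
}

// Field validation lives here, on the server, regardless of any client-side checks.
function validate(array $input): array
{
    $errors = [];

    $name = trim((string)($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Name must be 1-100 characters';
    }

    $email = trim((string)($input['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required';
    }

    $age = $input['age'] ?? '';
    $ageOk = filter_var($age, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($ageOk === false) {
        $errors['age'] = 'Age must be a whole number between 0 and 150';
    }

    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// CSRF check first: the token in the body must match the one in the session.
// hash_equals() compares in constant time.
$sent     = (string)($_POST['csrf_token'] ?? '');
$expected = (string)($_SESSION['csrf_token'] ?? '');
if ($expected === '' || !hash_equals($expected, $sent)) {
    respond(false, ['csrf' => 'Invalid or missing CSRF token'], $isAjax);
}

$errors = validate($_POST);
if ($errors !== []) {
    respond(false, $errors, $isAjax);
}

// ... the "other logic" (save the record, send mail) would run here ...

respond(true, [], $isAjax);
```

With this layout the AJAX layer is only the "sugar" the answer describes: the client script reads the JSON and shows the errors inline, and if the script never runs, the browser posts the form normally and receives the redirect instead. Either way nothing is accepted that did not pass the server-side token check and `validate()`.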