
I have a website with an input form that submits to a PHP page, adds a player's username to a database, and counts the views of that player's name for a top 10 list.

My friend tried inputting other stuff such as HTML code and JavaScript. It gets displayed on my top 10 list.

Do you have any suggestions for how I can make my form more secure? I have been searching for ages and haven't found anything yet. All help would be highly appreciated :)

<form method="get" action="player.php">
   <div class="form-group">
      <div class="input-group input-group-lg">
         <input name="user" type="text" class="form-control" placeholder="Steve" aria-describedby="sizing-addon2">
         <span class="input-group-btn">
            <input type="submit" class="btn btn-success" value="View Skin">
         </span>
      </div>
   </div>
</form>
Dyrandz Famador
Ruxie
  • Have you tried manipulating the request in PHP yet? If so, what does that look like? – Elipzer Sep 22 '15 at 01:30
  • You should be sanitizing your data at the server. You can do some in JavaScript, but JavaScript can be easily worked around. – charlietfl Sep 22 '15 at 01:31
  • http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Buddhi741 Sep 22 '15 at 01:31
  • @area28, this could be worked around if the user skipped the JavaScript and just used a request client (or just typed in the URL bar). – Elipzer Sep 22 '15 at 01:35
  • You talk about a database; the form is half your worries. Plus, if you don't "need" to use a GET method, don't. – Funk Forty Niner Sep 22 '15 at 01:35

3 Answers


Freeze your requirements for the username, e.g. alphanumeric, which special characters are allowed, maximum length, etc. Write the validation logic using a JavaScript regular expression. Reject everything that fails.

Aslam Sayyed

Not allowing the user to input special characters is the best way to block it. To be more secure and confident, always have a limited set of valid characters for each text box and validate them on the client side as well as on the server side.

One example would be:

function validateUsername() {
    // Assumes the text box has id="txt_username"
    var username = document.getElementById('txt_username').value;
    // Any character outside A-Z, a-z, 0-9 fails the check
    if (/[^a-zA-Z0-9]/.test(username)) {
        alert('Input is not alphanumeric');
        return false;
    }
    return true;
}

On the server side you can also use a regular expression, like the following:

<?php
// Rejects the value if it contains anything other than letters, digits, '_' or '-'
if (preg_match('/[^a-z_\-0-9]/i', $username)) {
    echo "not valid string";
}
Mubashar

Client-side (HTML/JavaScript) validation is only there to be nice and responsive to the user; it can always be circumvented by a malicious user. Any validation needed should be done server-side, even if it repeats validation done on the client side.

Joseph Lord
  • Could you please help me with validating the form? I'm sorry, but I'm not a very experienced user with PHP and MySQL. – Ruxie Sep 22 '15 at 01:40
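The server-side handling that Mubashar's and Joseph Lord's answers describe, carried through end to end as an added example (it is not code from the question or from either answer): an allowlist check in PHP, a prepared statement for the view counter, and htmlspecialchars() when the top 10 is rendered, which is what stops the HTML and JavaScript the friend typed from executing. It assumes a `players` table with `username` and `views` columns and uses an in-memory SQLite database so it runs stand-alone; the asker's MySQL needs only the one change noted in the comment. The 16-character limit, the underscore-only special character set, and the function names are assumptions to adjust to the site's real rules.

```php
<?php
// Added example for player.php; not code from the question or any answer.
// Assumes a table players(username PRIMARY KEY, views). Uses an in-memory
// SQLite database so the file runs by itself; see record_view() for MySQL.
declare(strict_types=1);

// Server-side allowlist check. Same kind of rule as the client-side regex in
// the answers, but this copy cannot be skipped by editing the URL.
function validate_username(string $raw): ?string
{
    $name = trim($raw);
    // Assumed rule: 1 to 16 characters, letters, digits and underscore only.
    // Anything else ('<', '>', quotes, spaces, ...) is rejected outright.
    if ($name === '' || strlen($name) > 16 || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return null;
    }
    return $name;
}

// Count a view with a prepared statement: the name travels as a bound
// parameter, so it can never become part of the SQL text. On MySQL replace
// the ON CONFLICT clause with: ON DUPLICATE KEY UPDATE views = views + 1
function record_view(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO players (username, views) VALUES (:u, 1)
         ON CONFLICT(username) DO UPDATE SET views = views + 1'
    );
    $stmt->execute([':u' => $name]);
}

// Build the top-10 list. Escaping every value at output time is what keeps
// stored HTML/JavaScript from running, independent of whatever validation
// did or did not happen when the row was written.
function render_top10(PDO $pdo): string
{
    $rows = $pdo->query(
        'SELECT username, views FROM players ORDER BY views DESC, username LIMIT 10'
    )->fetchAll(PDO::FETCH_ASSOC);

    $html = "<ol>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li>%s (%d)</li>\n",
            htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'),
            (int) $row['views']
        );
    }
    return $html . "</ol>\n";
}

// --- stand-alone demonstration with constructed input ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (username TEXT PRIMARY KEY, views INTEGER NOT NULL)');

// A row that slipped into the table before validation existed. Output
// escaping still renders it as harmless text instead of a script tag.
record_view($pdo, '<script>alert(1)</script>');

// Values as they would arrive in $_GET['user']. The last two are the kind of
// thing the asker's friend submitted; they are rejected before the database
// is touched.
$requests = ['Steve', 'Steve', 'Alex', '<img src=x onerror=alert(1)>', "x' OR '1'='1"];
foreach ($requests as $raw) {
    $name = validate_username($raw);
    if ($name === null) {
        echo 'rejected: ' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . "\n";
        continue;
    }
    record_view($pdo, $name);
}

echo render_top10($pdo);
```

Run it with `php player_example.php` and the list comes out with Steve at 2 views, and the pre-existing `<script>` row printed as literal text. The three layers are independent on purpose: validation shrinks what can reach the database, the bound parameter keeps the counter query safe whatever reaches it, and the escape at render time protects the page even from rows that were never validated.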