
In my registration form of my website, I have a field for email. It is like

<input type="email" name="email" size="25" maxlength="200" pattern="^[A-Za-z0-9@.]+" required />

So, in this field, a person can only write the few characters which are not restricted.

But today someone tried to access my website and fulfilled his registration using some code like

((selectsleep(25)))a--1

My question is, how can someone fill in and submit these types of characters in that input field? Is there anything lacking in my code? And my second question is, how can I stop this type of character from being submitted?

John Wink

  • Mind HTML runs at the client side. There is **not the slightest guarantee** a client will follow these constraints. In order to make a server secure **all checks have to be (re)done at server side**. – Willem Van Onsem Mar 27 '17 at 14:15
  • There's a difference between server-side and client-side programming. EVERYTHING should **always** be validated on the server-side, as client-side data can be manipulated. If I inspect the source of your HTML, I can remove that pattern requirement and the form will no longer require me to follow it (as I have removed it!). – Qirel Mar 27 '17 at 14:16
  • To validate emails on the server-side, you can look into http://php.net/manual/en/filter.examples.validation.php – Qirel Mar 27 '17 at 14:22
  • _“My question is, how can someone fill and submit these type of characters in that input field? Is there any lacking in my code?”_ – no, but in your general knowledge of how the internet works. _Any_ client can send you _any_ data it likes ... If you’re assuming the person who did this must necessarily have used a “browser” to do so, that is absolutely naive already. – CBroe Mar 27 '17 at 14:54
  • So if I want to check the same thing, where only (A-Za-z0-9@.) characters are allowed, how can this be done with php? – John Wink Mar 27 '17 at 15:02

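The server-side re-check the comments call for, written as an added example (it is not code from the question or from any of the commenters): it re-applies the form's whitelist and `maxlength` in PHP, then lets `filter_var` decide whether the value is a real address, and binds the result as a query parameter. The function name, the `users` table and the PDO DSN/credentials are assumptions for illustration.

```php
<?php
// Added example: server-side validation of the "email" field.
// The pattern/maxlength/required attributes only affect a cooperating browser;
// any client can POST arbitrary bytes, so the same rules are enforced again here.

/**
 * Returns the validated address, or null if the submission must be rejected.
 * Mirrors pattern="^[A-Za-z0-9@.]+" and maxlength="200" from the form, then
 * checks that the string is actually a well-formed email address.
 */
function validate_email_field($raw): ?string
{
    if (!is_string($raw)) {                 // missing field or an array: reject
        return null;
    }
    if ($raw === '' || strlen($raw) > 200) { // mirrors required / maxlength
        return null;
    }
    // Same whitelist as the HTML pattern. \A and \z anchor both ends strictly;
    // a plain $ would still accept a trailing newline. Note this list also
    // excludes legitimate address characters such as '+', '-' and '_'.
    if (!preg_match('/\A[A-Za-z0-9@.]+\z/', $raw)) {
        return null;
    }
    // Whitelisted characters alone are not enough ("a.b" passes the regex);
    // FILTER_VALIDATE_EMAIL checks the actual address syntax.
    if (filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $raw;
}

// The probe string from the question, "((selectsleep(25)))a--1", fails the
// whitelist on '(' and '-' and is rejected before it reaches the database.
$email = validate_email_field($_POST['email'] ?? null);
if ($email === null) {
    http_response_code(400);
    exit('Invalid email address.');
}

// Even an accepted value is bound as a parameter, never concatenated into SQL,
// so the database layer does not depend on the whitelist being tight enough.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret'); // placeholder DSN/credentials
$stmt = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
$stmt->execute([':email' => $email]);
```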