I have an HTML form in Rails like
<form name="input">
Title: <input type="text" name="title">
<input type="button" value="Submit">
</form>
I want title to be a required field (i.e. the user cannot leave it blank.) How can I verify that the user filled something in? Should I do it on the client side, or on the server side? My feeling is that doing on the client side would save communication to the server in the case that the user didn't fill it in.
You can do both, but should at least do it on the server. Remember that any client can easily circumvent any client-side validation, which leads to your code potentially breaking.
You can do it easily in the model with:
validates_presence_of :title
On the client there are various ways of how to do this. The simplest is perhaps using the required html5 attribute on the input tag. You can also use a javascript library like validatious, for which you can use this Rails plugin to automatically generate the client side validations based on your server-side validations.
If you want to be really on the safe side, you HAVE to do it on the server anyways. The client side validation is only for the sake of convenience.
You should do it on the client because it's more convenient to the user (a better user experience).
And, do it on the server in case client-side validation fails (because JavaScript is turned off, or there's a bug in client-side code, or an unsupported browser, or a malicious cracker trying to send garbage to your server, etc.).
Do validation on client side and server side..
Client side validation is not safe and can disbaled..,
Server side validation have to be performed and can not bypass
Related
I have a simple contact database application written in php (PDO) and MySQL. It is a single file with a switch case statement. Default shows the table of contacts, case: add, edit, delete etc for the functions. All MySQL statements are prepared statements in PDO.
My question is:
Is it better to use a html link with parameters to move about or is it better to use a POST form with the parameters as hidden fields.
e.g. in the table listing the contacts, within each row is it better to have a link:
edit
and get the 'mode' for the switch and the parameters from a $_GET statement
or is it better to have:
<form method="POST" action="">
<input type="hidden" name="mode" value="edit"/>
<input type="hidden" name="contact_id" value="321" />
<input type="submit" name="submit" value="edit" />
</form>
I am interested from a security point of view as well as a functionality point of view. I have looked for similar questions here and found only one with a single answer that said a form is better. It had no explanation and 4 upvotes.
Any information would be greatly appreciated.
Cheers.
It is definitely better to go with the form. Why? Well, the URL navigation would be submitted via GET requests, whereas the <form> submission is handled via POST. GET requests are exposed to the end-user, whereas POST requests are not. As Stated by TeamTreeHouse in the previous link:
Use POST when dealing with sensitive data.
Consider your former approach. A user sees index.php?mode=edit&contact_id=321 appear in their browser. If they were malicious, they would easily be able to make the correlation to index.php?mode=edit&contact_id=1. They could easily type that in their browser. Assuming you don't have any other authentication mechanics set up, they'd be able to go ahead and edit someone else's account.
The latter is slightly better. Although source code is not as obvious as an exposed URL, anyone is still able to view it, and find your hidden 321 contact. You might think that a malicious user cannot edit hidden form fields like they easily could with a query string, though this is not the case. They can download and create their own copy, simply replacing the action parameter with your own, thus submitting tampered data. There's even browser addons for this, making it even easier!
To get around this, you're looking to combine the <form> method with an authentication token. Generate a token that verifies the integrity of the form, ensuring that the form is not manipulated after being generated. It depends on exactly which language you're using on the back-end as to how to generate the token, but there's a great article for JSON web tokens here.
Upon form submission, check the token matches what it was upon generation. If it matches, all is well, so you proceed. If it doesn't, the form has been manipulated, so you deny submission.
For further information, I recommend checking out OWASP's article on Cross-Site Request Forgeries.
Hope this helps! :)
I have a simple web server going on an Atmel embedded processor. It's a Cortex M4 and it's only running FreeRTOS as an OS; this is not a high powered processor.
I can have it [the Atmel processor] serve up a page by typing in Firefox:
192.168.0.200
This renders a page with drop down boxes and a submit button that enables me to pass data back to the server to control the hardware.
I am using the follwing kind of HTML. Please note, it looks slightly odd because it's in a C string:
"<form> \
<select name=\"group\"> \
<option value=\"10\">10</option> \
<option value=\"11\">11</option> \
<option value=\"12\">12</option> \
<option value=\"Broadcast\">255</option> \
</select> \
<input type=\"submit\" value=\"Submit\"> \
</form>"
You can see that, in its address bar, the browser then has something like:
192.168.0.200/?group=4
When the web server on the emebedded processor gets that message in, I can happily parse the line, extract a group number and act on it.
However, I have to send back another page to the browser when I get the
192.168.0.200/?group=4
message into the Atmel processor. Otherwise I get a timeout message. I can happily send the original page back again and it essentially works, but sending the page back resets the values of what the drop down boxes have changed to.
Is there a way of making the browser send a message that the server can parse, but not have to send out the full page again? I guess I'm needing to use something like a POST command, but I don't know how to do that from a web page. I should say that I am experienced in C, but have no HTML knowledge other than what I have learnt in the last few days, so it may be something easy that it completely eluding me from cramming in all this learning this week!
I don't want to/assume I can't use Javascript, because I have such a simple server I need to keep it as simple as possible.
Thanks!
Is there a way of making the browser send a message that the server can parse, but not have to send out the full page again?
Forget about the browser.
Have the server respond with a 204 No Content response instead of a 200 OK response.
If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent's active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent's active view.
I don't want to/assume I can't use Javascript, because I have such a simple server I need to keep it as simple as possible.
JavaScript runs client side. You don't need the server to do anything complicated to serve JS. You can even embed it in the HTML document.
You could use Ajax to solve your problem instead of a No Content response.
In my html I'm using hidden value as :<input type="hidden" value="secure" name="first"> but the problem is when I see in browser console value is displaying .How to hide this?
The browser belongs to the visitor. You can't give the browser anything without giving it to the visitor as well.
If you don't want to visitor to have access to data, then never give it to the browser in the first place.
Keep the data on the server and send the browser a session token instead.
You can't. The whole point of a client/server based setup, like 'the web' is by definition, is that everything you transmit to the client can be read by any client.
If you need to secure data from the end user, keep it on the server side. There are a myriad of possible solutions for this, like sessions, cookies and preshared keys, to sync serverside storage with the client.
Is there any way to send data from one HTML page to another using basic HTML without using JavaScript and PHP?
It's easy to "send" data:
Send
but there is no way for the receiving page to parse it without a server-side application or JavaScript. (Or Flash, or a Java applet, or an ActiveX control....)
html only purpose is to show content. It is not designed for getting and passing data. you need server side script to do that.
Good answers. Pekka and Andre really nailed it.
In order to pass data from HTML form fields to your web application:
1) You can manually build a link with query string variables (basically Pekka's example)
Submit
2) Or, to retrieve data typed in by the user (which is typically what you want), you can use the GET method
<form action="signup.pl" method="get">
Name: <input type="text" name="name" />
<input type="submit" />
</form>
Either way, you end up with a post to the web server with the same URL (provided the user typed "john"):
http://www.mycatwebsite.com/signup.pl?name=john
(or you can use POST instead of GET, but then query string variables don't show up in the URL)
But in order to read and process it, as already mentioned, you need a server side programming language.
Even the first dynamic websites back in the 90's used CGI Perl scripts, or even ANSI C, to process data. Here's a simple Perl example:
HTML Forms POST, GET
Now of course there are many web application languages (and frameworks) to choose from, such as PHP, Java, ASP.NET, Ruby, Python, etc. But they all adhere to the CGI convention of passing data back and forth (CGI Request/HTML response) between the web server (Apache, IIS) and the web site.
Common Gateway Interface
Dynamic website
You can prompt the user to enter data with a <form>, and you can add GET-query-parameters to your URL (index.php?foo=bar). But to work with the received data, you will need to use a programming language.
You can send data but can't process sent data. For it you must use PHP, javascript or something similar...
How can you make a form be able to fill a field with the url?
Example: if i have two fields, username and password, and my form is located at form.html how can I make form.html?username=example automatically fill in "example" in the username field.
The form would have to read variables from the URL and parse them, and then repost those values into a field. For instance, with PHP, it would be:
<?php $sName = $_GET['name']; ?>
...some HTML goes here...
<input type="text" id="name" name="name" value="<?= $sName ?>" size="60" />
This can also be done in jQuery by using location.href value to get the full URL, then split the URL into parts a few times with the split() function, and then use $('#name').val(sName) in jQuery to post the value into that field.
However, there are several security implications you have to consider. It is no longer advisable any more to take a raw GET value without running it through some XSS prevention steps:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Here's something that malicious people may use against a site that works with raw GET values:
http://ha.ckers.org/xss.html
So beware.
OK, so the user puts this URL into his browser, a request is made to the server, and the page comes back to the user. There are two general approaches you can use to filling in the form details. 1. You can make it happen on the server. 2. You can make it happen on the client. If you want to make it happen on the server then you're going to need to use a server-side technology like ASP.NET, PHP, JSP, etc. If you want to make it happen on the client then you'll need a client-side technology that will almost certainly be javascript.
There's a whole lot more to say about this, including warnings about security holes like cross-site scripting, but I'll leave those for now.
The webserver language (e.g. PHP) must access the variables (e.g. $_GET["username"]) and supply them as values to the HTML fields. Don't forget to use method="get" in the HTML.
If your url is form.html, then how are you going to end up with form.html?username=example?
?username=example is a query string. If your submitting your form with a GET method, it will use a query string and append it to your url so the way you'd get form.html?username=example would be if a user entered their username as "example" and then submitted the form.