6 tips to improve the security of your web forms
by Gaurav Gupta
One of the main considerations when building a website is the security of its forms: they are entry points into the system. The consequences of an insecure form range from a server overloaded by automated submissions to data in the database being read or modified. Here we list 6 simple steps to keep the forms of a web project protected.
Any form should send its contents with the POST method. With GET, every field value ends up in the URL: it appears in the browser's address bar and history, in server and proxy logs, and in the Referer header sent to other sites. POST keeps the values in the request body instead. It does not make them secret, though: the body still travels as plain text and is readable in the browser's developer tools, so a form that carries passwords or personal data must also be served and submitted over HTTPS.
The script that processes the submission needs a way to recognise that the data really comes from the form it was written for. The usual approach is a token: a random, unguessable value that the server generates, stores in the user's session, and places in a hidden field of the form. When the submission arrives, the script compares the submitted field with the stored value and processes the form only if they match. The token does not need to be encrypted or decrypted; it only has to be unpredictable and compared in constant time.
Most web development frameworks, such as CakePHP, already generate and validate this token automatically in their form helpers.
CSRF stands for Cross-Site Request Forgery. In this attack, a page on a different website makes the visitor's browser submit a request to your form; because the browser attaches the visitor's cookies, the request arrives looking like a legitimate submission from a logged-in user. One defence is to check where the request comes from; for example, in PHP you can read $_SERVER['HTTP_REFERER']. However, this header can be missing (many browsers and privacy tools strip it) or forged, so it is not reliable on its own. A more reliable way to confirm that the form was submitted from your own site is to tie the submission to the user's session: the hidden token described above is stored in the session that the session cookie identifies, an attacker's page cannot read it, and the server rejects any POST whose token does not match. Marking the session cookie SameSite adds a second layer, since the browser then omits it from cross-site POSTs.
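The token mechanism and the CSRF check described above, combined into one PHP script. This is an added example and not code from the original article; the function names csrf_token() and csrf_check(), the hidden field name _csrf, and the form fields are assumptions for the illustration. The same script serves the form on GET and verifies the token on POST, and the session cookie is marked SameSite so that a cross-site page cannot ride the visitor's login.

```php
<?php
// Added example (not the article's code): synchronizer-token CSRF protection.
// Assumed names: csrf_token(), csrf_check(), hidden field "_csrf".
declare(strict_types=1);

// Harden the session cookie before the session is started.
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not attached to cross-site POST requests
]);
session_start();

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['_csrf'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unguessable, unlike a
        // timestamp or an "encrypted" constant.
        $_SESSION['_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf'];
}

/** Compare the submitted token with the session copy in constant time. */
function csrf_check($submitted): bool
{
    // A client can send _csrf[]=x and turn the field into an array,
    // so check the type before comparing.
    if (!is_string($submitted) || empty($_SESSION['_csrf'])) {
        return false;
    }
    return hash_equals($_SESSION['_csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject before touching any other field; no fallback to HTTP_REFERER,
    // which the client may omit or forge.
    if (!csrf_check($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... process the validated POST body here ...
    exit('OK');
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="_csrf" value="<?= $token ?>">
  <label>Email <input type="email" name="email" required></label>
  <button type="submit">Send</button>
</form>
```

hash_equals() is used instead of == so that the comparison time does not leak how many leading characters of the token were correct. If the site also exposes the form through a single-page application, the same token can be sent in a custom request header instead of a hidden field; the server-side check is identical.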
JavaScript validations
There are many JavaScript libraries that make it easy to validate a form before it is sent. For example, jQuery Validation is a plugin for the jQuery library that validates numeric fields and email addresses in a very simple format. Similarly, Masked Input is another jQuery plugin that not only restricts the type and number of characters accepted by an input, but also formats them as the user types. Keep in mind that these checks only improve the user's experience: anyone can disable JavaScript or send a request directly with a tool such as curl, so every rule must be repeated on the server.
On the server, clean every value before using it. For example, in PHP:

```php
<?php
// assuming that $entry holds the value sent by the form

// $entry_txt will store a plain-text string: tags are removed first,
// then the remaining special characters are converted to HTML entities
$entry_txt = htmlentities(trim(strip_tags(stripslashes($entry))), ENT_NOQUOTES, 'UTF-8');

// $entry_html keeps the HTML, but encoded as entities so the browser
// displays it as text instead of interpreting it (strip_tags finds no
// tags left after htmlentities, so it is effectively a no-op here)
$entry_html = strip_tags(htmlentities(trim(stripslashes($entry)), ENT_NOQUOTES, 'UTF-8'));
```

Two caveats. ENT_NOQUOTES leaves single and double quotes unencoded, so these strings are only safe inside element text; if the value goes into an attribute, use ENT_QUOTES. And entity encoding protects HTML output only: it does nothing against SQL injection, so database queries must still use prepared statements with bound parameters rather than string concatenation. stripslashes() exists to undo the slashes that the old magic_quotes setting added; on PHP 5.4 and later it only deletes legitimate backslashes typed by the user.
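The server-side counterpart of the jQuery checks above, together with storage through a prepared statement and escaping at output time. This is an added example, not the article's own code; the field names (name, email, age, message), the functions validate_contact() and save_contact(), the SQLite table and the constructed input standing in for $_POST are all assumptions for the illustration.

```php
<?php
// Added example (not the article's code): server-side validation of a
// contact form. Field names, function names and the table are assumed.
declare(strict_types=1);

/**
 * Validate and normalise the submitted fields.
 * Returns [errors, clean]: field => message for each failed rule, and the
 * normalised values that are safe to store.
 */
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];

    // Type-check first: a client can send name[]=x and turn any field into
    // an array, which would break the string functions below.
    foreach (['name', 'email', 'age', 'message'] as $field) {
        $post[$field] = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
    }

    if ($post['name'] === '' || mb_strlen($post['name']) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    } else {
        $clean['name'] = $post['name'];
    }

    // filter_var is the server-side twin of the jQuery email rule.
    $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid email address is required.';
    } else {
        $clean['email'] = $email;
    }

    // A range-checked integer instead of trusting a masked input.
    $age = filter_var($post['age'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    if ($post['message'] === '' || mb_strlen($post['message']) > 2000) {
        $errors['message'] = 'Message is required (max 2000 characters).';
    } else {
        $clean['message'] = $post['message'];
    }

    return [$errors, $clean];
}

/** Store the record with a prepared statement: no string concatenation. */
function save_contact(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, age, message) VALUES (:name, :email, :age, :message)'
    );
    $stmt->execute([
        ':name'    => $clean['name'],
        ':email'   => $clean['email'],
        ':age'     => $clean['age'],
        ':message' => $clean['message'],
    ]);
}

// Constructed input standing in for $_POST, with an injection attempt in
// the name and a script tag in the message.
$post = [
    'name'    => "Robert'); DROP TABLE contacts; --",
    'email'   => 'robert@example.com',
    'age'     => '42',
    'message' => '<script>alert(1)</script> hello',
];

[$errors, $clean] = validate_contact($post);
if ($errors) {
    foreach ($errors as $field => $msg) {
        echo "$field: $msg\n";
    }
    exit(1);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER, message TEXT)');
save_contact($db, $clean);

// The quote in the name was stored as data, not executed as SQL ...
echo $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), " row(s) stored\n";
// ... and the message is escaped when displayed, so <script> renders as text.
echo htmlspecialchars($clean['message'], ENT_QUOTES, 'UTF-8'), "\n";
```

Note the division of labour: validation rejects values that do not fit the field, the prepared statement keeps user data out of the SQL text, and HTML escaping happens at the moment of output, for the context the value is rendered in. Stripping tags at input time, as in the snippet above, is a reasonable extra, but it is not a substitute for any of the three.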
A captcha is a distorted image containing a code that the user must read and type into a field of the form. The idea is that an automated script cannot read the distorted image, so it cannot submit the form in bulk. A captcha raises the cost of automated abuse (spam, repeated login attempts, server overload) rather than stopping a determined attacker, since OCR and captcha-solving services exist, so it complements the server-side checks above instead of replacing them.
These are simple steps and simple validations that can save you money and many headaches.