Buy Now
Sign in

Serverside validation

stijnst , September 01 2019, 23:12
S
stijnst 13
September 01 2019, 23:12 #389080
Hello
Is there server-side validation of user-data in Chronoforms v6?
Since a couple of weeks (and after a ChronoForms upgrade iirc) I get 1 or 2 form submissions a week with empty data stored in the database (except for the 'created' timestamp), although all the fields are required, or even marked as 'Email'. Also after setting a minimum length I keep getting empty records stored in the database.
I tested with multiple browsers and the form doesn't allow me to submit with a single empty field, but that's user-side validation.
Since 1 week, I added the IP address to the data using an override. Now I get empty records with an IP address. (and a 'created' timestamp). Originating from what seems to be a crawler.
The 'Save Data' action is properly nested inside the 'Validate Fields' action in the 'Submit' event.
the 'Data Provider' for the 'Validate Fields' action is set to: {data:}
the 'Model Name' for the 'Save Data' action is set to: data
ps this is for all 3 forms currently active on our website.
ps maybe related: after the update a couple of weeks ago, I found out that forms weren't saving any data any more. After some investigation I found out that I had to change the 'Model name' in the 'Save Data' event from 'DataX' to 'data', with X being the number automatically assigned to the 'Save Data' action name, e.g. if the 'Save Data's' action name was 'save_data8' the Model Name was 'Data8'.
I'm not sure what the Model Name was before the upgrade, but I am sure that the forms were storing their data correctly before the upgrade. Now they again store data correctly, except for the issue above.
off topic: The text field I'm typing this message in has some problems: ctrl+backspace to erase a complete word doesn't work, and pasted text appears at the end of the current paragraph instead of at the cursor. (Firefox v68 on win7x64)
GreyHead 64
September 02 2019, 07:31 #389083
Hi stijnst ,
In CFv6 there is an Enable Server Validations setting on the Settings|Advanced tab and I believe that you use the Validate Data action to check the results. And there is a second Validate Fields action that seems to do more or less the same things?
Bob
ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much
S
stijnst 13
October 02 2019, 23:24 #389392
Hello Bob
I'm using v6. The option to 'Enable server validations' didn't appear until I changed the 'Designer mode' from 'v6 classic mode' to 'New v6.1 mode'.
Once the Designer mode was changed, I noticed that an 'App type' could be set. It was set to 'Aangepast' (in Dutch, translates roughly to Adjusted / Adapted), with the other option being 'Formulier' (Form). I didn't touch this setting.
After waiting for some days, I again got some empty entries. To be sure 'server validations' was really activated, I disabled it, saved the form, enabled server validations again, and saved the form again. Unfortunately, again some empty entries some days later.
Just out of curiosity, I disabled javascriptin my browser and submitted the same form myself, without filling in any data. To my surprise the server-side validation worked, and served me the same form again, indicating the fields that didn't pass validation because they were left empty.
Some more testing learned me that filling in spaces is enough to bypass a a simple 'required' field, with a minimum length configured. The records in the database are empty strings though, including the e-mail field that can't be fooled by some spaces.
Right now I'm searching the webserver's logfiles, looking for the empty record submitted yesterday. I could find the corresponding request, but to my surprise:
-It's a GET request, not a POST request: GET /path/to/page?chronoform=myFormAlias&event=submit&view=form
-If I request the same string with my browser, the server-side validation is still working.

In conclusion: it is somehow possible to bypass server side validation, I have no clue why.
kind regards
Stijn
S
stijnst 13
October 13 2019, 22:57 #389541
Hello Bob
Meanwhile I did an upgrade form Joomla 3.8.13 to 3.9.12 on the 7th of October. I have 3 forms published, which were made in Chronoforms 6.0. (or maybe imported from chronoforms 4 when we migrated to Chronoforms 6? I can't remember anymore). All 3 forms did previously generate empty records.
for one form I rearranged/sanitized the views and actions because the v6 classic to new v6.1 change left the form rather messy (double tag in the html, every view and action on it's own page,...). up until now, no empty records yet. But let's wait for a week extra to be sure.
the 2nd form was changed from v6 classic mode to new v6.1 mode, but without rearranging/sanitizing the views and actions. App type is not set to 'form' in order to not generate a double tag in the html code. it did generate some empty records
the 3rd form was left as is: classic v6 mode. some empty records last week.
So the Joomla version doesn't seem to matter and it might have to do with the way classic v6 forms are processed and transformed in v6.1. I'll report back in a week...
H
hsmith 11
November 12 2019, 07:52 #389962
Hi Stijn,
Did you have any further empty entries on the sanitized form? I'm running into the same issue, and I cannot seem to pinpoint how the server validation is being bypassed. I've tried everything from changing the app type to disabling AJAX. I also have the "server side validation" turned on in setting and have a redundant server side validation action set as well.
Thanks,
Holden
S
stijnst 13
November 13 2019, 23:32 #389993
Hello Holden
I no longer received empty records for the forms in which I rearranged and sanitized the views and actions. I still receive empty records for one form that I left in 'v6 classic mode' after the chronoforms update to 6.1.