Security Advice

b1naryc0de 04 Feb, 2009
Hi there,

I have a question here. Hope you guys can give me some advice.

How do I prevent people from submitting PHP code, or any code, through a text input or textarea?

I tested this by creating a simple form with a textarea to key in text. Then I tried keying in PHP code inside the textarea. The PHP code is stored inside the database. When I connect it with Connectivity and run it, the code also runs instead of being treated as plain text. This could be a security vulnerability.
GreyHead 04 Feb, 2009
Hi b1naryc0de,

Validate and clean the input before it is stored in the database. You can use code in the OnSubmit boxes to filter the user input. As a minimum you should probably use JRequest::getVar() before using any variable.

Note that ChronoForms does **not** filter input for you as there are some users who may wish to allow code in textareas.

Bob
b1naryc0de 04 Feb, 2009
Thank you for your reply.

I'm not familiar with Joomla coding.

1) Just to make sure, is this the correct code?

Let's say the textarea name is 'name'.

So the code to retrieve the 'name' value is:
// read the field through Joomla's request filter (method name is getVar);
// ereg() is deprecated, so the test uses preg_match() against the value
$name_value = JRequest::getVar('name', '', 'post', 'string');
if (preg_match(some expression, $name_value))
{
    (code2)
}

2) If I put it in the 'OnSubmit code - before sending email' box, how can I block the data before it is stored in the database? For example, in the code above, what should I put in (code2) to:
- block the data from being stored
- go back to the form and display an error

Thank you in advance for your help.
GreyHead 04 Feb, 2009
Hi b1naryc0de,

The correct code to use depends on the data you are expecting - Joomla has a range of different filters that can be used. See the API here for more information.

You can either test and clean the code before it is stored in the database; or you can use the Server side validation box on the Validation tab to test the code, then return to the form with an error message for re-submission.

As I say, it all depends on your particular application.

Bob
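The two replies above describe one procedure: check each field against the kind of data the form expects, keep only the cleaned values, and return to the form with an error message otherwise. The following is an added example written for this thread, not ChronoForms or Joomla code. It is plain PHP so it runs stand-alone; the field names and limits are taken from the employer form posted later in the thread, and the sample submission is constructed. Inside the ChronoForms "Server side validation" box you would read each field with JRequest::getVar($name, '', 'post', $type) rather than from an array, and hand the error list back to the form with ChronoForms' own error message call.

```php
<?php
// Added example, not ChronoForms or Joomla code. Runs with: php validate.php
// Whitelist of fields from the employer form in this thread. Any posted name
// that is not listed here is dropped, not stored.
$rules = array(
    'company_name'     => array('type' => 'text',   'max' => 150, 'required' => true),
    'contact_person'   => array('type' => 'text',   'max' => 150, 'required' => true),
    'telephone_office' => array('type' => 'phone',  'max' => 50,  'required' => true),
    'postcode'         => array('type' => 'digits', 'max' => 5,   'required' => true),
    'vacancies_1'      => array('type' => 'int',    'min' => 1,   'maxval' => 999),
    'job_nature_1'     => array('type' => 'enum',   'allowed' => array('permanent', 'part time', 'contract')),
    'business_nature'  => array('type' => 'text',   'max' => 500),
);

// Returns array($clean, $errors): $clean holds only whitelisted, validated
// fields; $errors holds one message per failed field.
function validate_form(array $rules, array $input)
{
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $rule) {
        $value = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if ($value === '') {
            if (!empty($rule['required'])) {
                $errors[] = "$field is required";
            }
            continue;
        }
        $error = null;
        switch ($rule['type']) {
            case 'int':      // whole number within a range, e.g. number of vacancies
                if (!ctype_digit($value) || (int) $value < $rule['min'] || (int) $value > $rule['maxval']) {
                    $error = "$field must be a whole number between {$rule['min']} and {$rule['maxval']}";
                } else {
                    $value = (int) $value;
                }
                break;
            case 'digits':   // digit string of limited width, e.g. postcode
                if (!preg_match('/^[0-9]{1,' . $rule['max'] . '}$/', $value)) {
                    $error = "$field must be at most {$rule['max']} digits";
                }
                break;
            case 'phone':    // digits plus the usual separators
                if (!preg_match('/^[0-9+() -]{1,' . $rule['max'] . '}$/', $value)) {
                    $error = "$field contains characters that are not allowed";
                }
                break;
            case 'enum':     // must be one of the <select> options, compared strictly
                if (!in_array($value, $rule['allowed'], true)) {
                    $error = "$field has an invalid value";
                }
                break;
            case 'text':     // free text: remove HTML and PHP tags, enforce length
                $value = strip_tags($value);
                if (strlen($value) > $rule['max']) {
                    $error = "$field is longer than {$rule['max']} characters";
                }
                break;
        }
        if ($error !== null) {
            $errors[] = $error;
            continue;
        }
        $clean[$field] = $value;
    }
    return array($clean, $errors);
}

// Either list the errors (in ChronoForms: return to the form with them) or
// show the cleaned values. Stored values are plain strings; they only "run"
// if a later step passes them to eval() or include(). The parse error quoted
// in this thread comes from ChronoForms eval()'ing its OnSubmit code box, not
// from form data. Escape on output so markup that survived stays inert too.
function report(array $result)
{
    list($clean, $errors) = $result;
    if ($errors) {
        foreach ($errors as $msg) {
            echo "Error: $msg\n";
        }
        return;
    }
    foreach ($clean as $field => $value) {
        echo $field, ': ', htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), "\n";
    }
}

// Constructed sample submission: markup and PHP tags in text fields, plus a
// field name (is_admin) that is not on the form and is silently dropped.
$submission = array(
    'company_name'     => 'Acme Sdn Bhd',
    'contact_person'   => 'Ali <script>alert(1)</script>',
    'telephone_office' => '03-1234 5678',
    'postcode'         => '43000',
    'vacancies_1'      => '2',
    'job_nature_1'     => 'contract',
    'business_nature'  => 'Logistics <?php system("id"); ?> and warehousing',
    'is_admin'         => '1',
);
report(validate_form($rules, $submission));   // passes; tags stripped

// Same submission with a bad number and a value not in the <select> list.
$bad = $submission;
$bad['vacancies_1']  = '0';
$bad['job_nature_1'] = 'intern';
report(validate_form($rules, $bad));          // two errors, nothing stored
```

The rule table is the point: each field gets the narrowest check its input type allows (a range for numbers, the option list for a select, a character class for phone and postcode), and free text is the only place where stripping tags is the best available check. Client-side helpers such as the numbersonly() key filter on the form are convenience only, since a request can be sent without the browser running them.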
b1naryc0de 04 Feb, 2009
Before I settled my form validation, I noticed this error when I removed the form redirect URL:

Parse error: syntax error, unexpected ':', expecting ',' or ';' in (my web directory)/components/com_chronocontact/chronocontact.php(533) : eval()'d code on line 2

I only inserted the form HTML as below:
<h1 class="cf_text" id="null">Employer Request Form</h1>
<table>
	<tr>
		<td>
			<label>Company Name</label>
		</td>
		<td>
			<input name="company_name" type="text" id="company_name" size="30" maxlength="150">
		</td>
	</tr>
	<tr>
		<td>
			<label>Contact Person</label>
		</td>
		<td>
			<input name="contact_person" type="text" id="contact_person" size="30" maxlength="150">
		</td>
	</tr>
	<tr>
		<td>
			<label>Telephone (Office)</label>
		</td>
		<td>
			<input name="telephone_office" type="text" id="telephone_office" size="15" maxlength="50">
		</td>
	</tr>
	<tr>
		<td>
			<label>Telephone (HP)</label>
		</td>
		<td>
			<input name="telephone_hp" type="text" id="telephone_hp" size="15" maxlength="50">
		</td>
	</tr>
	<tr>
		<td>
			<label>Fax</label>
		</td>
		<td>
			<input name="fax" type="text" id="fax" size="15" maxlength="50">
		</td>
	</tr>
	<tr>
		<td>
			<label>Address</label>
		</td>
		<td>
			<input name="address" type="text" id="address" size="50" maxlength="150">
		</td>
	</tr>
	<tr>
		<td>
			<label>Postcode</label>
		</td>
		<td>
			<input name="postcode" type="text" id="postcode" size="5" maxlength="5" onKeyPress="return numbersonly(this, event)">
		</td>
	</tr>
	<tr>
		<td>
			<label>City</label>
		</td>
		<td>
			<input name="city" type="text" id="city" size="30" maxlength="150">
		</td>
	</tr>
	<tr>
		<td>
			<label>State</label>
		</td>
		<td>
			<input name="state" type="text" id="state" size="30" maxlength="150">
		</td>
	</tr>
	<tr>
		<td>
			<label>Nature of Business</label>
		</td>
		<td>
			<textarea name="business_nature" cols="30" id="business_nature" rows="3"></textarea>
		</td>
	</tr>
</table>
<h3>Positions Available</h3>
<h4>Position 1</h4>
<table>
	<tr>
		<td align="center">
			Position
		</td>
		<td align="center">
			No. Of Vacancies
		</td>
		<td align="center">
			Job Nature
		</td>
		<td align="center">
			Salary (RM)
		</td>
	</tr>
	<tr>
		<td valign="top" align="center">
			<input name="position_1" type="text" id="position_1" size="20" maxlength="150">
		</td>
		<td valign="top" align="center">
			<input name="vacancies_1" type="text" id="vacancies_1" size="5" maxlength="3" onKeyPress="return numbersonly(this, event)">
		</td>
		<td valign="top" align="center">
			<select name="job_nature_1" id="job_nature_1">
				<option value="permanent">Permanent</option>
				<option value="part time">Part Time</option>
				<option value="contract">Contract</option>
			</select>
		</td>
		<td valign="top" align="center">
			<input name="salary_1" type="text" id="salary_1" size="10" maxlength="20">
		</td>
	</tr>
	<tr>
		<td align="center" colspan="2">
			Job Description
		</td>
		<td align="center" colspan="2">
			Academy Qualification
		</td>
	</tr>
	<tr>
		<td valign="top" align="center" colspan="2">
			<textarea name="job_desc_1" cols="30" id="job_desc_1" rows="5"></textarea>
		</td>
		<td valign="top" align="center" colspan="2">
			<textarea name="academy_1" cols="30" id="academy_1" rows="5"></textarea>
		</td>
	</tr>
	<tr>
		<td align="center" colspan="2">
			Experience Required
		</td>
		<td align="center" colspan="2">
			Spoken and Written Skill
		</td>
	</tr>
	<tr>
		<td valign="top" align="center" colspan="2">
			<textarea name="experience_1" cols="30" id="experience_1" rows="5"></textarea>
		</td>
		<td valign="top" align="center" colspan="2">
			<textarea name="speakwrite_1" cols="30" id="speakwrite_1" rows="5">(Type in priority sequence) eg. English, Malay, Mandarin</textarea>
		</td>
	</tr>
	<tr>
		<td align="center" colspan="2">
			Other Skill Required (Specified)
		</td>
		<td align="center" colspan="2">
			
		</td>
	</tr>
	<tr>
		<td valign="top" align="center" colspan="2">
			<textarea name="otherskill_1" cols="30" id="otherskill_1" rows="5"></textarea>
		</td>
		<td valign="top" align="center" colspan="2">
			
		</td>
	</tr>
</table>
<h4>Position 2</h4>
<table>
	<tr>
		<td align="center">
			Position
		</td>
		<td align="center">
			No. Of Vacancies
		</td>
		<td align="center">
			Job Nature
		</td>
		<td align="center">
			Salary (RM)
		</td>
	</tr>
	<tr>
		<td valign="top" align="center">
			<input name="position_2" type="text" id="position_2" size="20" maxlength="150">
		</td>
		<td valign="top" align="center">
			<input name="vacancies_2" type="text" id="vacancies_2" size="5" maxlength="3" onKeyPress="return numbersonly(this, event)">
		</td>
		<td valign="top" align="center">
			<select name="job_nature_2" id="job_nature_2">
				<option value="permanent">Permanent</option>
				<option value="part time">Part Time</option>
				<option value="contract">Contract</option>
			</select>
		</td>
		<td valign="top" align="center">
			<input name="salary_2" type="text" id="salary_2" size="10" maxlength="20">
		</td>
	</tr>
	<tr>
		<td align="center" colspan="2">
			Job Description
		</td>
		<td align="center" colspan="2">
			Academy Qualification
		</td>
	</tr>
	<tr>
		<td valign="top" align="center" colspan="2">
			<textarea name="job_desc_2" cols="30" id="job_desc_2" rows="5"></textarea>
		</td>
		<td valign="top" align="center" colspan="2">
			<textarea name="academy_2" cols="30" id="academy_2" rows="5"></textarea>
		</td>
	</tr>
	<tr>
		<td align="center" colspan="2">
			Experience Required
		</td>
		<td align="center" colspan="2">
			Spoken and Written Skill
		</td>
	</tr>
	<tr>
		<td valign="top" align="center" colspan="2">
			<textarea name="experience_2" cols="30" id="experience_2" rows="5"></textarea>
		</td>
		<td valign="top" align="center" colspan="2">
			<textarea name="speakwrite_2" cols="30" id="speakwrite_2" rows="5">(Type in priority sequence) eg. English, Malay, Mandarin</textarea>
		</td>
	</tr>
	<tr>
		<td align="center" colspan="2">
			Other Skill Required (Specified)
		</td>
		<td align="center" colspan="2">
			
		</td>
	</tr>
	<tr>
		<td valign="top" align="center" colspan="2">
			<textarea name="otherskill_2" cols="30" id="otherskill_2" rows="5"></textarea>
		</td>
		<td valign="top" align="center" colspan="2">
			
		</td>
	</tr>
</table>
<br /><br />
<table>
	<tr>
		<td>
			<input name="submit_employer" type="submit" value="Submit">
		</td>
		<td>
			<input type="reset" value="Reset">
		</td>
	</tr>
</table>



And the form JavaScript as below:
function numbersonly(myfield, e, dec)
{
var key;
var keychar;

if (window.event)
   key = window.event.keyCode;
else if (e)
   key = e.which;
else
   return true;
keychar = String.fromCharCode(key);

// control keys
if ((key==null) || (key==0) || (key==8) || 
    (key==9) || (key==13) || (key==27) )
   return true;

// numbers
else if ((("0123456789").indexOf(keychar) > -1))
   return true;

// decimal point jump
else if (dec && (keychar == "."))
   {
   myfield.form.elements[dec].focus();
   return false;
   }
else
   return false;
}


What causes the problem? The data is stored correctly.
GreyHead 04 Feb, 2009
Hi b1naryc0de,

Do you have anything in the OnSubmit code boxes - those are the closest 'eval's to line 533 that I can see?

If not . . .
Bob
b1naryc0de 06 Feb, 2009
Hi Bob,

Sorry for the late reply. Quite busy recently.

Yes, you are right, Bob. I forgot that I had inserted code in 'On Submit code after email' before. That is where the problem came from. I've removed the code and there is no more error.

For form security, I haven't yet had time to settle it. However, now I understand where to put the code for that purpose.

Thank you, Bob, for your help. 😀