Question about security

angelrfc 23 Mar, 2011
Hi everyone. It seems that I've got this form working for the most part (it forces required fields, allows the type of data I want to allow, and emails the data to my specified recipient) but I want it as secure as possible. I'm not very well versed in security but from my understanding, malicious users can use HTML tags to insert malicious JavaScript code. Is there a way to strip HTML tags and other special characters from user input using ChronoForms? Will simply validating each field for alphanumeric data be enough to disallow HTML tags and special characters?

Thanks,
Angel
GreyHead 23 Mar, 2011
Hi Angel,

There are several layers of security that you can add.

The first is the JavaScript validation - but this is easily bypassed and really does no more than check that the normal user is being sensible.

The second line is server-side validation; this can be your main line of defence and ideally you will do two things here: revalidate all of the specified inputs, and pass them all through the PHP filters. Joomla! has these built in to the JRequest method, so all you need to do with a typical string input is
<?php
// Read 'some_input' from the POST data as a filtered string,
// falling back to the default when it is not supplied
$input = JRequest::getString('some_input', 'default value', 'post');
// Write the filtered value back so later code sees the cleaned version
JRequest::setVar('some_input', $input);
?>
This will set a default value if the field is empty (useful for checkboxes) and filter the results using the PHP STRING filter (http://www.php.net/manual/en/intro.filter.php).

If necessary, the third line is to revalidate before you make use of the data; for example, use the $db->getEscaped() method before inserting any unchecked data into a table.

Bob
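The server-side layer described above, written as an added example rather than GreyHead's or ChronoForms' own code: it is plain PHP with no Joomla! dependency, and the field names, whitelist patterns and length limits are assumptions for illustration. It answers the original question directly: a whitelist rejects anything containing tag characters, and validated text is still escaped at the point where it is placed into HTML.

```php
<?php
// Added example, not part of the original thread. Field names and rules are assumed.

function validateContactForm(array $post): array
{
    // Whitelist rules: a value must match its pattern or it is rejected outright.
    // '<', '>', '"', '&' and similar are outside every pattern, so tags never get through.
    $rules = [
        'name'    => '/^[A-Za-z][A-Za-z \'-]{1,59}$/',
        'phone'   => '/^\+?[0-9 ()-]{6,20}$/',
        'message' => '/^[A-Za-z0-9 .,!?\'\r\n-]{1,1000}$/',
    ];
    $errors = [];
    $clean  = [];

    foreach ($rules as $field => $pattern) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'required';        // required-field check, server side
            continue;
        }
        if (!preg_match($pattern, $value)) {
            $errors[$field] = 'invalid characters';
            continue;
        }
        $clean[$field] = $value;
    }

    // Email uses PHP's own validator instead of a hand-written pattern.
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email';
    } else {
        $clean['email'] = $email;
    }

    return ['ok' => empty($errors), 'errors' => $errors, 'clean' => $clean];
}

// Third layer: even validated text is escaped when it is written into an HTML
// email body or page, so the output context can never reinterpret it as markup.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission (not real form data); the message fails the whitelist.
$sample = ['name' => 'Angel', 'email' => 'angel@example.com',
           'phone' => '+1 555 0100', 'message' => 'Hello <b>there</b>'];
print_r(validateContactForm($sample));
```

For database inserts, bind the values as query parameters (or use the Joomla! escaping GreyHead mentions) rather than relying on the whitelist alone.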