
chronoform securities that endeavor?

iacoposk8 28 Mar, 2012
I did some testing by creating a very simple form.
It seems protected from attacks like SQL injection and XSS:
strings such as <script>alert("hello");</script> and <?php echo "hello"; ?> are transformed.
But the validation of the fields seems to be client side only (with JS),
and I managed to get past it. How can I be sure that the fields inserted into a DB are valid?
iacoposk8 28 Mar, 2012
I stand corrected! In the above example I used a form from the past and did not remember having filtered the data with $name=JRequest::getVar('name','','post');
By creating a new form I saw it was subject to SQL injection and XSS.
GreyHead 28 Mar, 2012
Hi iacoposk8,

You need to filter your data, ChronoForms has no way to know what you want to allow or reject. You can use the AutoServerside validation for some basic go/no-go checks; or use Custom serverside validation to apply filters or strip unwanted parts of your code.

In the example you use, adding
$form->data['name'] = JRequest::getString('name','','post');

or
$form->data['name'] = filter_var($form->data['name'], FILTER_SANITIZE_STRING);


Bob
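As an added example (not from the thread and not ChronoForms' own code), here is what a Custom Serverside Validation block built on the two filtering calls above could look like for several fields. It assumes ChronoForms v4's $form->data array and the convention that the block reports failures by filling $form->validation_errors and returning false; the field names are made up.

```php
<?php
// Added example of a ChronoForms v4 "Custom Serverside Validation" block.
// Assumptions (not confirmed by the thread): $form->data holds the posted
// fields, and a failed check is reported by filling $form->validation_errors
// and returning false. Field names (name, email, age, comment) are made up.

$errors = array();

// name: JRequest::getString() applies Joomla's 'string' filter (tags stripped);
// FILTER_SANITIZE_STRING then strips tags again and encodes quotes, as in the
// reply above. A length bound stops oversized input reaching the database.
$name = JRequest::getString('name', '', 'post');
$name = trim(filter_var($name, FILTER_SANITIZE_STRING));
if ($name === '' || strlen($name) > 80) {
    $errors['name'] = 'Please enter a name of at most 80 characters.';
}
$form->data['name'] = $name;

// email: validate rather than sanitize; anything that is not an address is rejected.
$email = JRequest::getString('email', '', 'post');
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors['email'] = 'Please enter a valid e-mail address.';
} else {
    $form->data['email'] = $email;
}

// age: coerce to an integer, then check it against a sane range.
$age = JRequest::getInt('age', 0, 'post');
if ($age < 1 || $age > 120) {
    $errors['age'] = 'Age must be between 1 and 120.';
}
$form->data['age'] = $age;

// comment: free text is allowed, but markup is removed before storage.
// HTML escaping for display still belongs at output time, not here.
$form->data['comment'] = strip_tags(JRequest::getString('comment', '', 'post'));

// None of the above makes a value safe to splice into SQL. When writing to
// the database yourself, quote at that layer, e.g. JFactory::getDbo()->quote(),
// or let the DB Save action do the insert.

if (!empty($errors)) {
    $form->validation_errors = $errors;
    return false;
}
return true;
?>
```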