Forms on your Site – Watch out for Unintended Consequences
Whenever a web site collects information (names, addresses, credit card numbers, …) or serves pages generated from stored information, it is important that your developer build in validation. If checks are not built into forms, the consequences can include loss of your stored data, disclosure of private information and excessive use of bandwidth. Validation should include checks both within the browser and at the server.
Problems with data passed from a web page can be innocent or malicious. Innocent problems include required information that was not entered, or information that is not valid (for example an email address that is not in the proper format). The first place to handle these is in the browser: the developer can use code within the web page to check that each piece of information is present and well formed. This lets the user know about problems immediately and can point her to the field that needs correction. Good web page design both limits the size of fields and validates information before sending it to the server. Keep in mind that these browser-side checks improve the experience for honest users; they are not, on their own, a security control, because anyone can submit data to the server without going through your page.
Certain characters have special meaning to a database. It is critically important to handle these characters properly before the data is used in a query, whether to store it or to retrieve it. The single quote is one such character: in SQL it marks the beginning and end of a text value. If a user's last name is O’Brien, for example, that is a legitimate entry and must be handled properly. If it is not, the quote ends the text value early and the rest of the name is read as part of the query. At best the query fails; at worst a user who supplies the quote deliberately can change what the query does, with unintended consequences such as loss or disclosure of data. The reliable way to handle this is to pass user-supplied values to the database as query parameters rather than pasting them into the SQL text; escaping the quote by hand is easy to get wrong.
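To make the single-quote problem concrete, here is an added example that is not code from the original article. It uses Python's built-in sqlite3 module against a small in-memory table constructed for the demonstration, and shows a lookup and a rename written both ways: pasting the submitted value into the SQL text, and binding it as a parameter. The table, the sample names, the function names and the tampered inputs are all assumptions made for the example; every SQL database driver offers the equivalent parameter-binding call.

```python
import sqlite3

def make_db():
    # Constructed sample table for the example (not real customer data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (last_name) VALUES (?)",
                     [("Smith",), ("O'Brien",), ("Nguyen",)])
    conn.commit()
    return conn

def find_by_last_name_unsafe(conn, last_name):
    # Pastes the submitted value into the SQL text. A single quote in the input
    # closes the string literal and whatever follows is parsed as SQL.
    sql = "SELECT last_name FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_last_name_safe(conn, last_name):
    # Parameterized query: the value travels separately from the SQL text, so a
    # quote in the input is just data. No escaping is needed.
    sql = "SELECT last_name FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]

def rename_unsafe(conn, customer_id, new_name):
    # Numeric field pasted in without quotes: the attacker does not even need a
    # quote to change the WHERE clause. Returns how many rows now carry new_name.
    sql = "UPDATE customers SET last_name = '" + new_name + "' WHERE id = " + customer_id
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM customers WHERE last_name = ?",
                        (new_name,)).fetchone()[0]

def rename_safe(conn, customer_id, new_name):
    # Check the type first, then bind both values as parameters.
    cid = int(customer_id)  # raises ValueError for input such as "2 OR 1=1"
    conn.execute("UPDATE customers SET last_name = ? WHERE id = ?", (new_name, cid))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM customers WHERE last_name = ?",
                        (new_name,)).fetchone()[0]

def demo_queries():
    """Run each query with a legitimate apostrophe name and with a tampered value."""
    conn = make_db()
    results = {}
    # The legitimate name breaks the pasted-in query outright.
    try:
        results["unsafe_obrien"] = find_by_last_name_unsafe(conn, "O'Brien")
    except sqlite3.Error as e:
        results["unsafe_obrien"] = "error: " + type(e).__name__
    results["safe_obrien"] = find_by_last_name_safe(conn, "O'Brien")

    # A deliberate quote closes the literal and adds an always-true condition.
    payload = "x' OR '1'='1"
    results["unsafe_payload"] = find_by_last_name_unsafe(conn, payload)
    results["safe_payload"] = find_by_last_name_safe(conn, payload)

    # A "rename customer 2" request with a tampered id overwrites every row.
    results["unsafe_rename_count"] = rename_unsafe(make_db(), "2 OR 1=1", "Pwned")
    try:
        results["safe_rename_count"] = rename_safe(make_db(), "2 OR 1=1", "Pwned")
    except ValueError:
        results["safe_rename_count"] = "rejected"
    return results

if __name__ == "__main__":
    for key, value in demo_queries().items():
        print(key, "->", value)
```

The pasted-in lookup fails on O'Brien with a syntax error, returns every customer for the always-true payload, and the pasted-in rename overwrites all three rows; the parameterized versions return exactly the one matching row, nothing for the payload, and refuse the non-numeric id before it reaches the database.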
Data is passed from the browser to the server by bundling it into an HTTP request. Such a request is easy to generate directly, without any browser, so it can contain anything, including malicious content. Even if data has been validated in the browser, it must therefore be rechecked at the server before it is used.
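Here is an added example of the server-side recheck described above, covering both the innocent errors (missing or malformed fields) and the hand-crafted request case. It is not code from the original article, and uses only Python's standard library. It decodes a form body the way a POST request delivers it, applies the same rules a browser-side script would be expected to enforce (required fields, length limits, an email format check), and refuses anything that fails. The field names, limits, and the two sample bodies are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Loose sanity check for an email address: something@something.something.
# It is not a full RFC 5322 validator; the point is to reject obviously wrong input.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed field rules for the example form. These are the same rules the
# browser-side script should apply; the server applies them again because the
# request may never have passed through a browser at all.
FIELD_RULES = {
    "first_name": {"required": True,  "max_len": 50},
    "last_name":  {"required": True,  "max_len": 50},
    "email":      {"required": True,  "max_len": 254, "pattern": EMAIL_RE},
    "comment":    {"required": False, "max_len": 1000},
}

def parse_body(body):
    """Decode an application/x-www-form-urlencoded request body.

    Returns one string per field. A field sent more than once is kept as a list
    so that validate_form can reject it rather than silently picking one value.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] if len(values) == 1 else values
            for name, values in parsed.items()}

def validate_form(form):
    """Return (cleaned, errors). Only fields listed in FIELD_RULES reach `cleaned`."""
    cleaned, errors = {}, {}
    for name, rules in FIELD_RULES.items():
        value = form.get(name, "")
        if not isinstance(value, str):
            errors[name] = "must be sent exactly once"
            continue
        value = value.strip()
        if not value:
            if rules["required"]:
                errors[name] = "required"
            else:
                cleaned[name] = ""
            continue
        if len(value) > rules["max_len"]:
            # The browser's maxlength attribute is trivial to bypass, so check here.
            errors[name] = "longer than %d characters" % rules["max_len"]
            continue
        pattern = rules.get("pattern")
        if pattern is not None and not pattern.match(value):
            errors[name] = "not a valid format"
            continue
        cleaned[name] = value
    # Fields the form never defined are a sign of tampering; do not store them.
    unexpected = sorted(set(form) - set(FIELD_RULES))
    if unexpected:
        errors["_unexpected"] = unexpected
    return cleaned, errors

# Constructed sample bodies: what a real browser submission looks like, and a
# hand-built request that skips every browser-side check.
GOOD_BODY = "first_name=Maeve&last_name=O%27Brien&email=maeve%40example.com&comment="
CRAFTED_BODY = ("first_name=&last_name=" + "A" * 60
                + "&email=not-an-email&comment=a&comment=b&is_admin=1")

def demo_validation():
    return {
        "good": validate_form(parse_body(GOOD_BODY)),
        "crafted": validate_form(parse_body(CRAFTED_BODY)),
    }

if __name__ == "__main__":
    for label, (cleaned, errors) in demo_validation().items():
        print(label, "cleaned:", cleaned, "errors:", errors)
```

Note that the legitimate name O'Brien passes through this layer untouched: validation is about whether the input is acceptable, and the apostrophe is. Keeping it safe once it reaches the database is the separate job of parameterized queries, so the two checks complement each other rather than one replacing the other.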
Another area that may have to be considered for some sites is preventing malicious repetition of requests intended to bring down a site or to abuse a form. One technique against such automated submissions is to require the requester to solve a CAPTCHA (the user must type the characters shown in an image that is meant to be readable by a human but not by a program). For the collection of sensitive data (e.g. credit card numbers) the use of HTTPS, which encrypts the connection and authenticates the server to the browser, is highly recommended.
A good design must go beyond presentation and handle users who may not be careful or thorough as well as users who attack your site. It is important that your developer understands the technologies involved and is able to handle the data that arrives once a site is exposed to “real” users.