Lesson 09 - Website Hacking #2 - Form Validations and GET/POST Methods
When it comes to transferring data from one page to another on a website, FORMS is the most obvious way of performing this task. There are a whole bunch of input types available in HTML to read data from the user. A few of them include text, number, data, color, file and so on!
This practice of Validating the inputs before the form is actually submitted is referred to as Form Validation!
There are two different types of form validation which you'll encounter on the web:
1. Client-side validation is validation that occurs in the browser before the data has been submitted to the server. This is more user-friendly than server-side validation as it gives an instant response. This can be further subdivided:
- JavaScript validation is coded using JavaScript. It is completely customizable.
- Built-in form validation using HTML5 form validation features. This generally does not require JavaScript. Built-in form validation has better performance, but it is not as customizable as JavaScript.
2. Server-side validation is validation which occurs on the server after the data has been submitted. The server-side code is used to validate the data before it is saved into the database. If the data fails authentication, a response is sent back to the client to tell the user what corrections to make. Server-side validation is not as user-friendly as client-side validation, as it does not provide errors until the entire form has been submitted. However, server-side validation is your application's last line of defense against incorrect or even malicious data.
In the real world, developers tend to use a combination of client-side and server-side validation.
Let us take a detailed look at FORM VALIDATION :
As an Ethical Hacker, it is our responsibility to ensure that the data being transferred via forms stays safe! A few tips for Validating the form data are :
1. The 'required' attribute
The simplest change you can make to your forms is to mark a text input field as 'required':
Your Name: <input type="text" name="name" required>
This informs the web browser that the field is to be considered mandatory and the form cannot be submitted unless the user enters a value.
2. Use Proper text INPUT types
This is where HTML5 really gets interesting and more useful. Along with the text input type, there are a host of other options, including email, URL, number, tel, date and many others.
On the iPhone/iPad the different input types are associated with different keyboards, making it easier for people to complete your online forms. In other web browsers, they can be used in combination with the required attribute to limit or give advice on allowable input values.
By changing the input type to email while also using the required attribute, the browser can be used to validate (in a limited fashion) email addresses:
Email Address: <input type="email" name="email" required placeholder="Enter a valid email address">
3. Proper usage of getting and POST methods
Another important attribute in the <form> tag is "method".
There are two possible values : "method=GET" and "method=POST"
GET is used to request data from a specified resource.
GET is one of the most common HTTP methods.
While using the GET method, the query string (name/value pairs) is sent in the URL of a GET request :
/test/demo_form.php?name1=value1&name2=value2
---------------------------------------------------
POST is used to send data to a server to create/update a resource, for example, modify values in the database.
The data sent to the server with POST is NOT VISIBLE in the URL :
/test/demo_form.php
---------------------------------------------------
The GET method is typically used for non-sensitive data like Search Queries whereas the POST method is typically used for sensitive data like Username, Password, Email, etc.
Here's a quick video about getting and POST methods :
Comments
Post a Comment