php - Do I need to secure a form that is not connected to a database


I have read about security issues when it comes to sql injections and so on.

I am not too familiar with security vulnerabilities in input fields.

I currently have a form that takes in inputs (they are validated through regex); for example, an email validation would be the following:

// Client-side check: returns true when the field's value matches the email pattern
function isValidEmail(idName){
    if(/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i.test(document.getElementById(idName).value)){
        return true;
    }else{
        return false;
    }
}

These values are not connected to the database and are only used in a php script. Are there any security vulnerabilities that I need to be aware of? Or am I safe against vulnerabilities by using regex validations?

Any information is much appreciated,

Thank you, Al


Answer

Solution:

Yes. You should definitely not rely on the client side validation through the javascript regex in case you are interested in having a valid email (at least valid against your regex) on the server side. Imagine somebody changing the client side code to the following (just one option of thousands :)):

// The same client-side check, with the failure branch edited in the browser
function isValidEmail(idName){
    if(/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i.test(document.getElementById(idName).value)){
        return true;
    }else{
        // CHANGED:
        return true;
    }
}

And to generally answer your question: I think in almost all cases where you use input sent by the client in your php code, you need a kind of input filtering/sanitization, but you cannot really generalize this task. That's why there is no generally valid sanitize() function out there, since it always depends on how you use the input on the server side.

An approach in your case could be to validate the input again against the same regex via php, or to use php's filter_var() in combination with the FILTER_VALIDATE_EMAIL filter.

UPDATE

I just found a very nice article again about input validation which helped me a lot: Input validation
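The server-side re-validation the answer recommends, written out as an added example (it is not code from the question or the answer). It assumes the form posts the address in a field named `email`; that field name, the `validateEmail()` function and the sample inputs are all constructed for this example. The server checks the value twice, once with `filter_var()` and once with the same regex the browser uses, so nothing depends on the JavaScript having run at all:

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Assumes a form field named
// "email" (assumption; the question does not name the field).

// The same pattern as the client-side JavaScript, as a PCRE pattern.
const EMAIL_REGEX = '/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i';

/**
 * Returns the trimmed email if it passes both server-side checks,
 * or null if it fails either one. The browser's own validation is
 * never relied upon here.
 */
function validateEmail($raw): ?string
{
    // Reject anything that is not a plain string: a missing field (null)
    // or an array sent as email[]=... would otherwise reach filter_var().
    if (!is_string($raw)) {
        return null;
    }
    $email = trim($raw);

    // 1. PHP's built-in syntax check for email addresses.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 2. The same regex the client uses, so the server enforces at least
    //    what the JavaScript was supposed to enforce.
    if (preg_match(EMAIL_REGEX, $email) !== 1) {
        return null;
    }
    return $email;
}

// Constructed sample inputs standing in for values of $_POST['email'].
$samples = [
    'alice@example.com',               // accepted
    'bob.smith@mail.example.co.uk',    // accepted
    'not-an-email',                    // rejected by filter_var()
    'alice@@example.com',              // rejected by filter_var()
    "alice@example.com\n",             // trimmed, then accepted
    ['alice@example.com'],             // rejected: not a string
    null,                              // rejected: field missing
];

foreach ($samples as $sample) {
    $result = validateEmail($sample);
    printf("%-40s => %s\n", var_export($sample, true), $result ?? 'REJECTED');
}

// In the real form handler the call would be:
//   $email = validateEmail($_POST['email'] ?? null);
//   if ($email === null) {
//       http_response_code(400);
//       exit('Invalid email address.');
//   }
//   // only $email, never $_POST['email'], is used from here on
```

Running the script from the command line prints one line per sample showing which values survive. The point the answer makes still applies afterwards: a value that is a syntactically valid address is only safe for the purposes this validation covers; how it is used later in the PHP script decides what further handling it needs.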
