Website 'web form' validation help.

StrainedEyes

I designed a website for a small company and on it is a registration form that people fill out and submit. I used the Dreamweaver behaviors panel to add JavaScript validation to the form, but I know how easily bypassed this is. I am an extreme novice when it comes to web coding; I built the form's .php action by watching a YouTube video that explained step by step how to code.

The website receives a lot of submissions from fake email addresses or foreign email addresses with gibberish written in the rest of the form. I did not know before today that these could be hackers trying to get into the server and mess with the emails and site server. I have the JavaScript validation for the email address and name etc... but it does not help.

What I want to know, if anyone can help, is how to code server-side validation, which is much more secure than JavaScript. If anyone can point me in the right direction it would be appreciated.

http://www.ies2400.com/students/start/registrationform.html This is the form in question, I don't know if it helps.
 
I would love to help, but I really am not good at code...
 
Well, I can help you but it's kind of hard to figure out where to start.

If you want secure forms, you have to do all validation on the server side, as you know. Besides the things the JavaScript validates (which should be validated again on the server side because it's easy to override JavaScript validation), probably the most important thing your validation code should do is to check the data for any quotation marks or parentheses and either add escape sequences, remove them, or return the data to the user as invalid. That will stop the majority of attacks from hackers, because it's the first step in SQL-injection, a common type of hacking. (Check out this site to learn more about how hackers attack websites.)

Of course, you need to have a basic understanding of PHP in order to do server-side validation. I've written my own validation code in PHP a few times but it would be easier (and more accurate) just to point you to this site.

I also noticed another thing while looking at your site. You should set up your server so that users can't see directory listings. For example, I shouldn't be able to see this page. If you are in charge of the server the site is hosted on, you can prevent directory listings by typing " IndexIgnore * " on a new line at the bottom of the .htaccess file. If you aren't in charge of the server that's hosting the site then you need to get in contact with whoever is and ask them to prevent directory listings for your site.

Anyways, that should give you some stuff to work on, and the links I provided should get you started. It's not easy to learn, so if the links I gave you don't help you can probably find some that do with Google or by going to your local library and looking for a big fat book that says "PHP" on the side.
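A sketch of the server-side checks discussed in the reply above, added here as an example and not taken from any poster or from the site's own code. The field names (`name`, `email`), the length limits, the `registrations` table and the in-memory SQLite database are assumptions for illustration; the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

// Validate one registration submission. Returns [cleanData, errors].
function validate_registration(array $post): array
{
    $errors = [];
    $clean  = [];

    // Name: required, bounded length, allow-list of letters, space, dot, apostrophe, hyphen.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100 || !preg_match("/^[\\p{L} .'-]+\\z/u", $name)) {
        $errors['name'] = 'Enter a valid name.';
    } else {
        $clean['name'] = $name;
    }

    // Email: refuse CR/LF (mail header injection), then check length and syntax.
    $email = trim((string)($post['email'] ?? ''));
    if (preg_match('/[\r\n]/', $email) || strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    } else {
        $clean['email'] = $email;
    }
    return [$clean, $errors];
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['name' => "Ann O'Neil", 'email' => 'ann@example.com'],
    ['name' => "zzz'); --",  'email' => "a@example.com\r\nBcc: list@example.net"],
];

// Assumption: in-memory SQLite stands in for the site's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registrations (name TEXT, email TEXT)');
// Prepared statement: values are bound as data, never spliced into the SQL text,
// so the apostrophe in "O'Neil" is stored safely without manual escaping.
$insert = $db->prepare('INSERT INTO registrations (name, email) VALUES (:name, :email)');

foreach ($samples as $post) {
    [$clean, $errors] = validate_registration($post);
    if ($errors) {
        echo 'rejected: ', implode(' ', $errors), PHP_EOL;
        continue;
    }
    $insert->execute([':name' => $clean['name'], ':email' => $clean['email']]);
    echo 'stored: ', $clean['name'], PHP_EOL;
}
```

The first sample is stored and the second is rejected on both fields.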
 
Thanks, I'll try and wrap my head around everything.

The site is hosted through Yahoo, and I don't think they support .htaccess files. Maybe I'll make those pages password protected or something.
 
