Are POST Forms trustworthy?

**InfinitySchima** · 05-01-2008, 11:56 AM

Hi there,
I'm currently working on an Online Browser Game which uses many for forms.
I got a question if I can trust in certain form values as some could use certain methods to hack the game.

A simple example:
I got a Select InputBox (<select>...</select>) with 3 options: '1', '2' and '3'.
Can I be sure that the values will ALWAYS be either '1', '2' or '3'; or can it happen that someone finds a way to input '4' in there?

Additionally, is it possible for the user to change the value of an Hidden InputBox (<input type="hidden" />) ?

My doubt is more about the InputBoxes with predefined values, for TextBoxes I already use validation methods.

Thanks in advance,
Schimassek...

PS: I also heard that there is a Security Mechanism for a site only to accept forms from its own site. Is that correct and must I enable it before on my server?

**Mooofasa** · 05-01-2008, 12:01 PM

Use form validation.

**InfinitySchima** · 05-01-2008, 12:44 PM

So you mean that additionally to Text Boxes, Text Areas, Password Boxes and File Boxes I should also validate Selection Lists, Check Boxes, Hidden Values and Radio Options?

Schimassek...

**Mooofasa** · 05-01-2008, 03:27 PM

Every input should use validation to reduce risk of violation.

**vangogh** · 05-01-2008, 05:56 PM

You need to validate everything. Someone could copy the source code of your form, change it, and run it from their computer. One of the most basic rules of security is to never trust user input.

Make sure you validate it on the server side. Javascript validation isn't secure. You can use Javascript validation to make things easier on the user, but you have to validate for security on the server.

I think there are a few threads here with more details on validation, but you should be able to find plenty of info searching. Search for 'form validation' and add the language you want to use and you should get a lot of results. Most of your work will go into validating the first form and after that you'll be able to copy your code with some modification to your other forms.

**willcode4beer** · 05-01-2008, 08:38 PM

Quote:

Originally Posted by vangogh

Make sure you validate it on the server side. Javascript validation isn't secure.

double plus good

**InfinitySchima** · 05-02-2008, 02:48 AM

Thanks on that, now I'm clear about this subject.

I guess I'm going to have a big hack testing time....

**nickohrn** · 05-02-2008, 08:39 AM

I'd just like to reiterate the sentiments already expressed here. If you are receiving any data to your web site or web service in any format, be it posted forms, SOAP messages, XML messages, or anything else, you need to validate it. Not validating your data is the quickest way to getting your site killed by some script kiddie with too much time and a vindictive streak.