Form Security
HTML Form Security: People or robots ("Bad Guys") roam the Internet looking for unsecured Forms and Scripts, and attack the ones they find. I will not get into why they do it, but they do. Their actions indicate that they are trying to use unsecured Forms or Scripts for everything from a launchpad for SPAM e-mail to a portal onto the hosting web server, where they can compromise the server, install their own programs, and steal private information stored there.

Forms send information through transfer variables (Name, Address, Phone Number, etc.) to Scripts, where it is processed. This processing commonly includes sending the collected information to the site owner as an e-mail, sending a confirmation e-mail to the Form user, storing the entered information in an online database, and displaying a screen indicating that the submission was successful. It is through these transfer variables that malicious activity usually occurs. Bad Guys will try a variety of attacks on the Form/Script pair through the transfer variables: attempts to overload the server (overflow registers), piggybacked HTML pages, system commands, mail-generating commands, and I'm sure many others. You want to protect, screen and shield these transfer variables as best you can.

Your first line of defense lies in the standard Form HTML command structure. You want to limit the amount of data that can be entered into one field, since you do not want someone to pipe 100,000 SPAM e-mail messages into your Script through this open door. In the common INPUT command that specifies an input field (NAME="field name") with TYPE="TEXT", the length of the text field that is displayed can be controlled with the SIZE="text length to display" subcommand, but to truly restrict the maximum number of characters that can be fed into this field, you should also include MAXLENGTH="maximum characters to accept".

This is by no means a satisfactory way to protect your Form/Script, since the Bad Guys figured out long ago how to completely bypass your Form and attack the Script directly.
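Because MAXLENGTH is only honoured by a browser, the Script that receives the transfer variables has to repeat the same checks itself. The following is an added example, not code from the original page: a server-side validator that mirrors the per-field MAXLENGTH limits, refuses line breaks in any value that will end up in an e-mail header (the "mail-generating commands" the page warns about), and HTML-escapes values before they are echoed on the confirmation screen (the "piggybacked HTML pages"). The field names, limits and sample submissions are all constructed for this example.

```python
"""Server-side re-check of form transfer variables.

Added example (not from the original page). MAXLENGTH on the <INPUT> tag
only limits what a browser will send; a request built by hand bypasses it,
so the Script that receives the transfer variables must enforce the same
limits itself. Field names and limits below are constructed for the example.
"""
import html
import re

# Per-field limits, mirroring what MAXLENGTH would enforce in the browser.
FIELD_LIMITS = {
    "name": 60,
    "email": 120,
    "phone": 20,
    "message": 1000,
}

# Fields that end up inside e-mail headers (To:, From:, Subject:). A CR or LF
# in these would let extra header lines ride in on the transfer variable.
HEADER_FIELDS = {"name", "email"}

# Deliberately simple address check: one '@', no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_submission(fields):
    """Return (clean_fields, errors).

    clean_fields holds HTML-escaped values that are safe to echo back on the
    confirmation page; errors lists why a submission was rejected.
    Fields the Form does not define are dropped rather than forwarded.
    """
    errors = []
    clean = {}
    for name, limit in FIELD_LIMITS.items():
        value = fields.get(name, "")
        if not isinstance(value, str):
            errors.append(f"{name}: not a string")
            continue
        # Server-side length check: do not trust the browser's MAXLENGTH.
        if len(value) > limit:
            errors.append(f"{name}: {len(value)} chars exceeds limit of {limit}")
            continue
        # Anything destined for a mail header must be a single line.
        if name in HEADER_FIELDS and ("\r" in value or "\n" in value):
            errors.append(f"{name}: line break not allowed in header field")
            continue
        if name == "email" and value and not EMAIL_RE.match(value):
            errors.append("email: not a valid address")
            continue
        # Escape so a pasted HTML page is displayed as text, not rendered.
        clean[name] = html.escape(value)
    return clean, errors


if __name__ == "__main__":
    # Constructed sample submissions for the example.
    ok = {"name": "Ann Example", "email": "ann@example.invalid",
          "phone": "555-0100", "message": "Please call me."}
    print(validate_submission(ok))
    too_long = dict(ok, message="x" * 5000)
    print(validate_submission(too_long)[1])
```

The validator returns both the cleaned values and the list of reasons for rejection, so the Script can log why a submission was refused without ever passing the raw transfer variables on to the mailer or the database.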