Checking User Input is Important

When creating a form, don't assume that the form won't be manipulated. It will be, and you have to make sure that your application can handle those manipulations.

You can find a pretty good example of what I'm talking about here. It's a story that I found on Reddit about a man dealing with his ISP. His bill was still coming in the name of a roommate who had moved away. He couldn't change the name on the ISP's website; the site asked you to call to change it. He called and ended up paying a fine for the name change. Nothing changed, though: the bill still came in his roommate's name. What he did then was fairly clever. He changed the value of the disabled form element on the website and submitted the form. It worked.

Here's the bottom line: you shouldn't assume that any form data is valid. Here are a few examples:

  1. Disabled form elements (the story above): disabling happens only in the browser, so the field can be re-enabled and its value edited before the form is submitted
  2. Select elements (you can still change the value of those): the option list is just HTML, so the value sent can be anything, not only one of the options you offered
  3. File elements (for obvious security reasons): the file name, the declared type and the contents are all chosen by the client
  4. All text elements (SQL injection): free text must be treated as data, never pasted into a query

How you check for form manipulation depends greatly on what the form needs to do. I'll go over some specific methods in future posts, as well as a few ways to manipulate forms yourself. Be sure to check back for these posts; they should be coming up soon.
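The four cases above, worked through on the server side, as an added example that is not code from the original post. The account record, the option list, the upload rules and the field names (`holder_name`, `plan`, `invoice_file`, `note`) are all constructed for the example. The disabled field is simply ignored in favour of the server's own value, the select value is checked against the options actually offered, the upload's name, extension and size are checked, and the free text is only ever passed to SQLite as a bound parameter.

```python
import os
import sqlite3

# Constructed sample state: what the server already knows about the account.
# (Hypothetical names; nothing here comes from the original post.)
ACCOUNT_ON_FILE = {"id": 42, "holder_name": "Former Roommate"}
ALLOWED_PLANS = {"basic", "standard", "premium"}   # the <select>'s real options
ALLOWED_UPLOAD_EXT = {".pdf", ".png", ".jpg"}
MAX_UPLOAD_BYTES = 1_000_000
MAX_NOTE_LEN = 200


class ValidationError(ValueError):
    """Raised when a submitted field does not match what the form offered."""


def validate_form(submitted, account=ACCOUNT_ON_FILE):
    """Re-check every field against server-side expectations.

    Returns a dict holding only the fields the server is willing to use.
    Anything the client could have edited (disabled fields, select options,
    file metadata, free text) is verified here rather than trusted.
    """
    cleaned = {}

    # 1. Disabled element: a browser never submits a disabled control, so a
    #    'holder_name' in the POST body can only come from an edited form.
    #    The server keeps its own value and ignores whatever was sent.
    cleaned["holder_name"] = account["holder_name"]

    # 2. Select element: the option list lives in the HTML, which the client
    #    can edit; accept only values that were actually offered.
    plan = submitted.get("plan", "")
    if plan not in ALLOWED_PLANS:
        raise ValidationError(f"plan {plan!r} was not one of the offered options")
    cleaned["plan"] = plan

    # 3. File element: the client chooses file name, declared type and content.
    #    Strip directory components, whitelist the extension, bound the size.
    upload = submitted.get("invoice_file")
    if upload is not None:
        base = os.path.basename(upload["filename"])
        ext = os.path.splitext(base)[1].lower()
        if ext not in ALLOWED_UPLOAD_EXT:
            raise ValidationError(f"upload type {ext!r} not allowed")
        if len(upload["content"]) > MAX_UPLOAD_BYTES:
            raise ValidationError("upload too large")
        cleaned["invoice_file"] = (base, upload["content"])

    # 4. Text element: bound the length here; the SQL-injection risk is handled
    #    by save_note, which never concatenates the text into a query.
    note = submitted.get("note", "")
    if len(note) > MAX_NOTE_LEN:
        raise ValidationError("note too long")
    cleaned["note"] = note
    return cleaned


def save_note(conn, account_id, note):
    """Store free text with a parameterised query so it stays data, never SQL."""
    conn.execute("UPDATE accounts SET note = ? WHERE id = ?", (note, account_id))
    conn.commit()


def new_db():
    """In-memory SQLite with one constructed account row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder_name TEXT, note TEXT)")
    conn.execute("INSERT INTO accounts VALUES (?, ?, '')",
                 (ACCOUNT_ON_FILE["id"], ACCOUNT_ON_FILE["holder_name"]))
    conn.commit()
    return conn


def process_submission(conn, submitted):
    """Validate, then persist; returns the stored (holder_name, note) row."""
    cleaned = validate_form(submitted)
    save_note(conn, ACCOUNT_ON_FILE["id"], cleaned["note"])
    return conn.execute("SELECT holder_name, note FROM accounts WHERE id = ?",
                        (ACCOUNT_ON_FILE["id"],)).fetchone()


if __name__ == "__main__":
    conn = new_db()
    # Constructed submission: the disabled field and the select were edited,
    # and the text field carries SQL syntax.
    tampered = {"holder_name": "Me Instead", "plan": "free-forever",
                "note": "x'; DROP TABLE accounts; --"}
    try:
        process_submission(conn, tampered)
    except ValidationError as e:
        print("rejected:", e)
    tampered["plan"] = "basic"
    print("stored:", process_submission(conn, tampered))
```

Run it directly to see the edited select value rejected and, once the select is valid, the holder name left untouched and the SQL-looking note stored as plain text with the table still intact. The same shape applies to any server-side framework: the request body is untrusted input, and the server re-derives every value it will act on.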

Also – I’m looking for questions about anything related to web development. It would be great if the turnout was a little better than it was the last time that I asked for questions. Thanks in advance!
