1

Any one of you who has worked on CI knows that it uses a segmental approach for the urls, eg.:

index.php/controller/function/params

Let's suppose I have put in place the following URL to submit the contact us form info:

index.php/contact/submit_contact

Now there is one thing that seems wrong. What if a bad guy sees the source code of my contact us page and looks at the action attribute of the form? He can simply copy-and-paste into a browser's address bar directly and my form will be submitted with empty values.

Another bad thing he can do and mostly likely will do is the CSFR cross-site-forgery.

How to avoid this problem.

Note: I know I need to validate my form against empty values and not submit it if fields are empty, but I am looking for a better generic solution to this problem.

Improve this question
1
  • Y'know, that can happen with all your forms out there. Looking at the value of the action attribute is no magic. And CI is no different here than, e.g., /submit.cgi. Commented Dec 23, 2009 at 9:33

4 Answers 4

Reset to default
11

There is no better solution to this problem. Every web page you ever build should assume that all input coming from a user is hostile, and handle it accordingly.

The proper thing to do in this situation is attempt to validate the form, and when you discover that you have some incorrect or unacceptable values, re-output the form with error messages indicating the problems, and allow the user to fix it up before re-submitting. Code Igniter has an entire Form Validation module dedicated to this exact process.

Even if you use Javascript to validate a form and prevent it from submitting if it's not correct, you still need to repeat the validation on the server-side, since anyone can turn off Javascript before submitting a form full of bad values.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

One not-so-cool solution is to use CAPTCHA's. They will stop anyone from just submitting to your form action but it will also annoy your users.

http://codeigniter.com/wiki/captcha/

Improve this answer

Comments

1

The CodeIgniter form validation stuff is easy to use and handles most common cases automatically.

Improve this answer

1 Comment

Form validation wouldn't stop this.
1

Here's some elaboration on zombat's solution with code examples.

I usually have the form post to the same controller/method. Then I let $this->form_validation->run() handle all the dirty work. If $_POST data is present, the validator checks the rules. If it passes I redirect them to a success page, otherwise the same page is presented with validation errors displayed in the repopulated form.

class Contact extends CI_Controller {

    function __construct() {
        parent::__construct();
    }

    function index() {
        /*
            the foreach() line makes each field visible
            to form_validation so we can reliably
            repopulate (using set_value, set_checkbox,
            etc) fields that have no validation rules

            example: since 'phone' has no rules, we would
            not be able to repopulate that field if
            validation failed
        */
        foreach ($_POST as $key => $value) $this->form_validation->set_rules($key, '', '');
        $this->form_validation->set_rules('first_name', 'First Name', 'required|min_length[2]');
        $this->form_validation->set_rules('last_name', 'Last Name', 'required|min_length[2]');
        $this->form_validation->set_rules('email', 'Email Address', 'required|strtolower|valid_email');
        if ($this->form_validation->run() == FALSE) {
            $this->load->view('contact_form');
        } else {
            /*
                save form data, email it, etc
                then redirect the user so they
                cannot re-submit the same data
            */
            redirect('contact/success');
        }
    }

    function success() {
        $this->load->view('contact_success');
    }

}

Example HTML for application/views/contact_form.php

<form method="post" action="<?php echo current_url(); ?>">
    <table>
        <tr>
            <td>First Name</td>
            <td><?php echo form_input('first_name', set_value('first_name')); ?>
            <?php echo form_error('first_name'); ?></td>
        </tr>
        <tr>
            <td>Last Name</td>
            <td><?php echo form_input('last_name', set_value('last_name')); ?>
            <?php echo form_error('last_name'); ?></td>
        </tr>
        <tr>
            <td>Email Address</td>
            <td><?php echo form_input('email', set_value('email')); ?>
            <?php echo form_error('email'); ?></td>
        </tr>
        <tr>
            <td>Phone Number</td>
            <td><?php echo form_input('phone', set_value('phone')); ?>
            <?php echo form_error('phone'); ?></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><button type="submit">Send Message</button></td>
        </tr>
    </table>
</form>

I have absolutely no worries about CSFR or XSS doing it this way.

Note: As with any publicly accessible form, there are always going to be junk submissions (from bots AND real people trying to solicit business). If you encounter a lot of them, fine-tune your validation rules accordingly.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.