secure forms
What is the best way to protect forms that take customer comments from malicious code such as JavaScript? The option we have taken disallows certain characters -
; > * ~ \ . @ < % $ " #
Is this the best method or are there better options?
Sometimes a customer will complain about not being able to enter these characters.
Busy posted this at 21:30 — 23rd September 2002.
He has: 6,151 posts
Joined: May 2001
You can convert them in a function beforehand (or use ASP, PHP etc.)
&gt; = >
&lt; = <
...
If you need the list of special characters, I have one on my HTML site, link in sig (page = special characters)
ROB posted this at 08:25 — 24th September 2002.
They have: 447 posts
Joined: Oct 1999
Yes, as Busy said, rather than disallowing characters, which is sure to annoy the hell out of anyone who tries to post, just convert risky characters into entities.
You can make a list of character codes simply by doing this (assuming PHP):
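<?php
// Print each numeric character reference next to the character it renders as.
for ($i = 0; $i <= 1000; ++$i):
    // &amp; keeps the reference text visible; the second &#$i is rendered by the browser.
    echo "&amp;#$i = &#$i<BR>\n";
endfor;
?>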
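The two approaches discussed in this thread side by side, as an added example that is not part of any poster's code: the character blacklist from the first post next to encoding at output time with PHP's built-in `htmlspecialchars()`. The function names and the sample comments are constructed for illustration.

```php
<?php
// Added example; function names and sample comments are constructed.

// The blacklist from the first post: reject the comment if any listed character appears.
function blacklist_accepts(string $comment): bool
{
    return strpbrk($comment, ';>*~\\.@<%$"#') === false;
}

// Output encoding: keep the comment exactly as typed and encode it
// at the moment it is written into an HTML page.
function render_comment(string $comment): string
{
    // ENT_QUOTES encodes both ' and ", so the value is also safe in a quoted attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="comment">' . nl2br($safe) . '</p>';
}

$samples = [
    'Great service, thanks',
    'Order #1042 cost $5.99; email me at jo@example.com',
    '<script>alert(1)</script>',
];

foreach ($samples as $comment) {
    printf("blacklist: %s\n", blacklist_accepts($comment) ? 'accepted' : 'rejected');
    printf("encoded:   %s\n\n", render_comment($comment));
}
?>
```

The second sample is an ordinary customer comment that the blacklist rejects, while the encoded version displays it unchanged; the third is shown as literal text rather than being run by the browser.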