Why the need for validation on HTML form using PHP?

joseph

OK so I hear all this talk about how you must always validate your forms... now I do this with PHP; however, I thought, hmm, I want to see what I can do to a form that has no validation, so I set out and made a very simple form:

<?php

echo '<form name="input" action="formbreaker.php" method="post">
Username:
<input type="text" name="user" />
<input type="submit" value="Submit" />
</form>'
?>


In my formbreaker.php file, I simply used echo $_POST['user'];




Now for the life of me, I tried inserting all kinds of things into the form and the only code I was able to get to execute was HTML... so I ask, why is form validation necessary if it seems like there is no code that an attacker can use to gain access to one's server?

I tried inserting PHP code that would write a file to my server... the file was not written, however... so I ask... is validation a thing of the old days, and has the PHP engine finally been updated to make it so attacks aren't possible, in which case we can breathe a sigh of relief and finally stop validating our forms?

Please, you guys, copy this form and action file and tell me if you were able to come up with anything. I tried a lot of things, such as echo commands, just so I could see if any of the PHP injected into the form was even being run, but it seems it wasn't... I tried writing files, returning values and whatnot... to no avail... If you guys find a way to show that the form is not safe, please post which code you entered into the form to break it.
To the guy who posted first... if that's how you validate your forms... please show me your website... I would be happy to break into it... What would happen if I had JavaScript off? Or wrote my own script... Please stop answering my question for points.
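
Added example, not part of the original post: the `echo $_POST['user']` from formbreaker.php beside a version that validates on the server and encodes on output, which is where the HTML the post saw rendering gets neutralised. `render_raw()`, `validate_user()`, `render_safe()` and the 3-20 character username policy are assumptions made for this example.

```php
<?php
// Added example, not from the original post. All function names are hypothetical.

// As posted in formbreaker.php: the submitted value reaches the page unchanged,
// so the browser (not the PHP engine) interprets any markup it contains.
function render_raw(array $post): string
{
    return (string) ($post['user'] ?? '');
}

// Server-side validation: accept only what a username is allowed to be.
// It runs regardless of JavaScript being off or the request being hand-built.
// The allow-list below is an assumed policy.
function validate_user(array $post): ?string
{
    $user = $post['user'] ?? null;
    if (!is_string($user)) {          // user[]=x arrives as an array, not a string
        return null;
    }
    $user = trim($user);
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $user) === 1 ? $user : null;
}

// Output encoding: applied at the point of output, even to validated data.
function render_safe(array $post): string
{
    $user = validate_user($post);
    if ($user === null) {
        return 'Invalid username.';
    }
    return htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions.
$samples = [
    ['user' => 'joseph'],
    ['user' => '<b>joseph</b>'],      // markup, which the post saw being rendered
    ['user' => ['x']],                // array instead of string
    [],                               // field missing
];

foreach ($samples as $post) {
    $raw = is_string($post['user'] ?? '') ? render_raw($post) : '(array input)';
    echo 'raw:  ', $raw, PHP_EOL;
    echo 'safe: ', render_safe($post), PHP_EOL;
}
```

Run it with the PHP CLI: the second sample comes back from `render_raw()` as live markup, while `render_safe()` rejects it.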
 