Objective
Any interactive site has input forms, and wherever possible it should validate the data the user enters. Whatever system runs on the server back end, nobody wants to waste time on invalid information, so the form data must be checked; if an input does not conform to the form's requirements, it should be rejected promptly with an appropriate message. This article enumerates four form validation methods that work on different principles and gives an implementation of each on a PHP server.
Browser-side validation
Traditionally, form data is validated by browser-side JavaScript. Browser-side validation is fast: if an input does not meet the requirements, the response is returned to the user quickly. Because the data does not need to be submitted to the server to be validated, the load on the server does not increase. Figure 1 shows the browser-side validation process: when the form is submitted, the data is sent to the server for processing if it passes validation; if it fails, control returns to the user without the submission succeeding.
Figure 1. Browser-side validation schematic diagram
The form validation methods presented in this article all use a simple form containing two text input boxes, "UserName" and "Password", and a "Submit" button. Listing 1 shows an example of browser-side JavaScript validation. If the "UserName" or "Password" input does not meet the requirements, the user is prompted with a pop-up box and the function returns false to stop the form submission.
Listing 1. Browser-side JavaScript validation code
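function validform(thisForm)
{
    // checkusername() and checkpassword() return "" when the value is
    // acceptable, otherwise a message describing the problem.
    var error_string = "";
    var message;
    if ((message = checkusername(thisForm.username)) != "")
    {
        error_string = "UserName:";
        error_string += message;
        alert(error_string);
        return false; // stop the form submission
    }
    if ((message = checkpassword(thisForm.pass)) != "")
    {
        error_string = "Password:";
        error_string += message;
        alert(error_string);
        return false; // stop the form submission
    }
    return true;
}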
As Figure 1 shows, this form validation method has a fatal disadvantage: many tools can intercept the form data after the form has been validated and before the browser sends the request. An attacker can then modify the data in the request, bypassing the JavaScript, and inject malicious data into the server, which increases the probability of an XSS (Cross-Site Scripting) attack. For a typical web site, browser-side form validation is not favoured.
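The server-side counterpart to Listing 1, as an added example that is not part of the original article: it re-checks the raw request body on the server, where data edited after validform() ran cannot skip the check, and HTML-encodes any value before it is echoed back. It is written in JavaScript to match Listing 1, whereas the article's server is PHP. The rules in RULES, the function names and the sample request bodies are assumptions.

```javascript
// Assumed rules (not from the article) for the two fields of the form.
const RULES = {
  username: { pattern: /^[A-Za-z0-9_]{3,20}$/, message: "3-20 letters, digits or underscores" },
  pass: { pattern: /^[\x20-\x7E]{8,64}$/, message: "8-64 printable ASCII characters" },
};

// Encode the characters that are significant in HTML so that a value echoed
// back into a page is rendered as text, never as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate a raw application/x-www-form-urlencoded body exactly as received.
// Nothing here assumes the browser ran validform() first.
function validateSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = Object.create(null); // no prototype, so any field name is a safe key
  const values = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const supplied = params.getAll(field);
    if (supplied.length !== 1) {
      errors[field] = "exactly one value is required";
    } else if (!rule.pattern.test(supplied[0])) {
      errors[field] = rule.message;
    } else {
      values[field] = supplied[0];
    }
  }
  // Fields the form never defined are rejected rather than silently ignored.
  for (const key of params.keys()) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) errors[key] = "unexpected field";
  }
  return { ok: Object.keys(errors).length === 0, values, errors };
}

// Constructed sample bodies: one as the form would send it, one edited in transit.
const fromForm = "username=alice_01&pass=correct-horse-9";
const tampered = "username=%3Cb%3Ealice%3C%2Fb%3E&pass=short";

console.log(validateSubmission(fromForm).ok, validateSubmission(tampered).errors);
console.log(escapeHtml(new URLSearchParams(tampered).get("username")));
```

The browser-side check remains useful for quick feedback to the user; the server-side check is the one that decides whether the data is accepted.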