Secure Forms Processing??


kayaker411
05-16-2003, 04:26 AM
Hi All !

I'm wondering about the possibility of ensuring that malicious or curious users can't circumvent security measures in forms processing to pass unwanted strings or numerics to my server. JavaScript can be subverted, right? And is server side only really efficient, due to the increased roundtrips caused by errors not caught on the client? It seems that a combination of the two is best. Does anyone know about how to securely process forms, or have knowledge of the whereabouts of a good article on the subject they'd like to share?

Much appreciated,
Rich

raf
05-16-2003, 09:06 AM
Welcome here.

Server-side form evaluation is more secretive --> it doesn't show the user what exactly is checked, which makes it harder for him to know what happens with the values he submits. But he'll always know which values he posts.
But my rules of thumb are:
- check the value to see if it is in the expected format --> if you expect a numerical value, then check via IsNum() etc. Look into regexes
- check the length of the value --> if it is a fixed length this is easy, otherwise have an upper and lower bound
- if you print strings to the browser, always use server.htmlencode() to avoid script from being executed on the client instead of being printed.
- if you expect to find unwanted tags, simply check for '<' '>' characters and redirect the user.
- and most importantly, monitor your traffic. Log errors against the above rules and compose a blacklist of unwanted IPs (if you find someone with a static IP lurking around) which you check against in your global.asa

I never use client-side JavaScript. (not everyone has it enabled, not 'safe', not necessary)

whammy
05-17-2003, 10:37 AM
I usually use both client-side javascript and server-side validation - as raf said, the main thing is to make sure before processing any form input that you have validated it against a regular expression or whatnot...

... for instance if you're expecting numeric input (digits only), you'd want to run it through a function like the one below:

' Returns True only when str consists of one or more digits and nothing else.
' The ^ and $ anchors matter: without them "12abc" would still match "\d+".
Function IsDigits(str)
    Dim idRegEx
    Set idRegEx = New RegExp
    idRegEx.Pattern = "^\d+$"
    IsDigits = idRegEx.Test(str)
End Function

Also, regardless of whether or not you're using client-side javascript to validate input, you should _always_ validate on the server-side!

Also, raf is right here too:

- if you print strings to the browser, always use server.htmlencode() to avoid script from being executed on the client instead of being printed.
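The following is an added example, not code from this thread or from any of its posters. It puts raf's rules of thumb (expected format, length bounds, HTML-encoding on output, rejecting '<' and '>', logging violations per IP) into one server-side validator and includes a JavaScript port of whammy's IsDigits, so the same check can be reused on the client while the server remains the authority. It runs under plain Node.js; the field names, bounds, IP addresses and sample submissions are constructed for illustration.

```javascript
// Added example (not from the thread). Server-side form validation following
// raf's rules of thumb, plus a port of whammy's IsDigits. Field rules, bounds,
// IPs and sample requests below are constructed for illustration.

// whammy's IsDigits in JavaScript: one or more digits and nothing else.
// Both anchors are needed, otherwise "12abc" would pass.
function isDigits(str) {
  return /^\d+$/.test(String(str));
}

// raf's third rule: encode anything echoed back so a "<script>" tag is printed
// as text instead of being run by the browser (Server.HTMLEncode equivalent).
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Per-field rules (constructed): an expected-format test plus length bounds.
const FIELD_RULES = {
  quantity: { test: isDigits, min: 1, max: 5 },
  username: { test: (v) => /^[A-Za-z0-9_]+$/.test(v), min: 3, max: 20 },
  // raf's fourth rule: no angle brackets at all in free text
  comment: { test: (v) => !/[<>]/.test(v), min: 0, max: 200 },
};

// Validate one submitted request ({ ip, body }). It never assumes a client-side
// check ran: every field is re-checked here, length first, then format.
// Violations are appended to violationLog together with the client IP.
function validateRequest(req, violationLog) {
  const errors = [];
  for (const [name, rule] of Object.entries(FIELD_RULES)) {
    const value = req.body[name];
    if (typeof value !== 'string') {
      errors.push(`${name}: missing or not a string`);
      continue;
    }
    if (value.length < rule.min || value.length > rule.max) {
      errors.push(`${name}: length ${value.length} outside ${rule.min}..${rule.max}`);
      continue;
    }
    if (!rule.test(value)) {
      errors.push(`${name}: unexpected format`);
    }
  }
  if (errors.length > 0) {
    violationLog.push({ ip: req.ip, errors });
    return { ok: false, errors, safe: null };
  }
  // Only validated values reach the page, and always HTML-encoded.
  const safe = {};
  for (const name of Object.keys(FIELD_RULES)) safe[name] = htmlEncode(req.body[name]);
  return { ok: true, errors, safe };
}

// raf's fifth rule: tally violations per IP so a persistent offender stands out
// when you review the log (input for a blacklist decision, not the decision itself).
function repeatOffenders(violationLog, threshold) {
  const counts = {};
  for (const entry of violationLog) counts[entry.ip] = (counts[entry.ip] || 0) + 1;
  return Object.keys(counts).filter((ip) => counts[ip] >= threshold).sort();
}

// Constructed samples: a well-formed submission, then one that skipped the
// client-side check entirely and sends raw values.
const sampleLog = [];
console.log(validateRequest({ ip: '203.0.113.5', body: { quantity: '12', username: 'rich_k', comment: 'Nice form' } }, sampleLog));
console.log(validateRequest({ ip: '198.51.100.9', body: { quantity: '12abc', username: 'x', comment: '<b>hi</b>' } }, sampleLog));
console.log(repeatOffenders(sampleLog, 1));
```

The second sample shows why whammy's "always validate on the server" holds: nothing about the request tells the server whether client-side JavaScript ran, so the server re-applies the same rules and the bad submission is rejected on three fields (format, length, angle brackets) regardless. Returning the encoded values in `safe` keeps raf's htmlencode rule from being forgotten in the page that prints them.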