Is there a security reason for checking text box input if you limit the maximum input length?

Since I'm new to coding and I'm trying to figure out why, here is a little more detail about the question.

If you have a text box and you restrict the input to say 2 characters, do you really need to confirm the input again?

I have a text box with a maximum length of 2. Is there a security reason for adding script validation to the text box? I have to add this in ASP.NET.

+4
8 answers

Yes, you should still check. Setting the MaxLength property sets the MaxLength attribute for the input element; the user can simply delete this value in the HTML source that they receive, or “hack” it using any of the available tools.

Your server still needs to make sure that it has only 2 characters, with server-side validation.

+10
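
As an added illustration (not from any of the answers and not ASP.NET code), here is a language-agnostic server-side check written in Python: it parses the raw POST body that a browser or any other HTTP client would send for a field declared with maxlength="2" and then re-checks the length and character class itself. The field name `code`, the digits-only rule and the sample request bodies are constructed assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs

# The form declares <input name="code" maxlength="2">, but the server only
# sees the raw POST body, which any HTTP client can build without honoring
# that attribute. All bodies below are constructed samples.
FORM_BODIES = {
    "browser": "code=42",              # what an unmodified browser would send
    "forged_long": "code=424242",      # maxlength removed or request replayed
    "forged_chars": "code=%27%3B",     # "';" - two characters, wrong class
    "forged_mark": "code=4%CC%81",     # "4" + combining accent: 2 code points
    "repeated": "code=4&code=2",       # parameter sent twice
    "missing": "other=1",              # field absent entirely
}

MAX_LEN = 2                                  # same limit as the maxlength attribute
CODE_RE = re.compile(r"[0-9]{1,2}")          # assumed rule: the field holds 1-2 digits


def validate_code(body: str) -> tuple[bool, str]:
    """Server-side check of the 'code' field that never trusts maxlength.

    Returns (True, value) on success or (False, reason) on rejection.
    """
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("code")
    if values is None or len(values) != 1:
        return False, "field missing or repeated"
    value = values[0]
    # len() counts code points, not bytes; the regex below then pins the
    # character class so a length-2 string of the wrong kind is rejected too.
    if len(value) > MAX_LEN:
        return False, f"length {len(value)} exceeds {MAX_LEN}"
    if not CODE_RE.fullmatch(value):
        return False, "not 1-2 ASCII digits"
    return True, value


def check_all() -> dict[str, bool]:
    """Run every constructed body through the validator; only 'browser' passes."""
    return {name: validate_code(body)[0] for name, body in FORM_BODIES.items()}


if __name__ == "__main__":
    for name, body in FORM_BODIES.items():
        print(f"{name:13} {body!r:22} -> {validate_code(body)}")
```
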

Are you talking about server-side input validation? If so, then you should verify it, because someone can create an HTTP POST request without going through the browser, in which case their input is not limited to 2 characters.

However, the security check simply depends on what you are going to do with this input. If you build a database query, send an email or do something similar using the input, you should always validate it regardless of the length of the input.

+4

Client-side validators (e.g. MaxLength) can never be trusted because the client side of your application is not under your control. If you don't believe me, see what FireBug can do to change the HTML in Firefox.

Indeed, there isn't much you can do with a 2-character string that would be a security risk, but if I received this value, I would do a server-side check on the length of the string and make sure that it is what you expect (for example, literally digit characters).

+1

The maxlength attribute can be changed by the user. If they disabled/changed maxlength="2" and decided to submit 3 characters, can your code handle it? Truncate it or return an error, but don't just assume that they gave you valid input. Always check.

+1

Form data can be sent by means other than the browser, which is what takes the maxlength attribute into account. A hacker can write a script that takes your form and submits data that does not comply with any client-side validation rules you declared in HTML or JavaScript.

+1

The one and only reason for any client-side validation (whether from JavaScript, HTML form attributes, or XForms restrictions) is to make it more likely that the right user does not enter anything that doesn't make sense.

On the server side, you must do this again for the same reasons, but also for security. You don't know that client-side validation worked, and you don't even know that the request came from a browser (it takes less than a minute to capture the request for the form and then resend it with different values, and not much longer if you tried to stop that by being smart about what the client sees, using nonces, etc.).

The effects of accepting invalid input may be negligible, but given that you have a client-side check, if invalid input is received it is more likely that someone with bad intentions is probing you (of course, there might just be a mistake on the client side), so even if you cannot predict any negative consequences from accepting such input, it's still worth blocking it.

This is before we look at whether SQL injections, XSS, or other attacks are possible.

+1

Always check the input on the server, regardless of whether it has been verified on the client.

For the client side, it is enough to set the maximum length.

You mentioned the ASP.NET validator; if you use it, add it to the page to get both client and server verification (in this case, the server verification is taken care of for you).

+1

Validators run their client part using JavaScript, so there is nothing secure about them; they can be easily bypassed. They are intended for convenience only, and any user input must be validated on the server for security purposes.

0