
Hacking Web Forms

When I made the PHP version of Personal Journal public yesterday I knew what was going to happen. The wannabe hackers amongst us are going to see if they can't break it. As you can see, it wasn't hard at all. In its immature state I had added no validation whatsoever. It's good to see people thinking logically like this though.

Unwittingly or not, you've given me the chance to laud the abilities of PHP some more. Most of you have taken advantage of the fact that you can add HTML tags to all of the fields. What if I wanted to put an end to this? Well, I could choose to simply remove all tags (with the option of allowing a predefined list of them), or I could make all HTML appear as plain text.

Both of these functions are standard features of PHP. Yes, out of the box. No extra programming required. This is what I love about PHP. From its beginning it's always been about the web, and nothing else.

Go ahead, try hacking it now. All tags in the body field will be removed except for bold and italic, and markup in the subject will display as plain text. I know you can still leave all the fields blank. Come on, give me a chance....
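The two treatments described above, as an added example rather than the Personal Journal source: the body keeps only bold and italic tags, the subject is shown as literal text. The field names, the $post array and the attribute clean-up on kept tags are my additions; strip_tags() and htmlspecialchars() are the standard PHP functions.

```php
<?php
// Added example (not the Personal Journal code): sanitise the journal's
// subject and body fields the way the post describes. Field names are assumed.

// Body field: remove every tag except <b> and <i>.
function clean_body(string $body): string
{
    $kept = strip_tags($body, '<b><i>');
    // strip_tags() leaves attributes on the tags it keeps, so reduce each
    // surviving <b ...> / <i ...> to a bare tag as well.
    return preg_replace('#<(/?)([bi])\b[^>]*>#i', '<$1$2>', $kept);
}

// Subject field: show any markup as literal text instead of rendering it.
function clean_subject(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Constructed input standing in for a submitted form.
$post = [
    'subject' => 'My <b>first</b> entry & "quotes"',
    'body'    => 'Some <b class="x">bold</b>, <i>italic</i>, <u>underlined</u> '
               . 'and <a href="http://example.com">linked</a> text',
];

printf("subject: %s\n", clean_subject($post['subject']));
printf("body:    %s\n", clean_body($post['body']));
```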

Comments

  1. ...and not only that but somebody has vandalised my carefully crafted compliment!


    • jono
    • Mon 10 Nov 2003 20:43

    nice one mate... even after numerous beers I cannot think of a witty reply. well done. have a good weekend, take it easy bud. j.

  2. Jake, also be careful of people trying to inject SQL commands into the URL.

    A seemingly simple url that takes a document ID to display, can be turned into almost any sql command...

    viewdoc.php?id=120;drop%20tablename

    It's a pain, but you should always test (and not trust) the parameters you get in from the URL.

    Great work with the articles and the venture into PHP.

    C.

    • Jake
    • Mon 13 Oct 2003 04:19

    Good point Carl. Something I was going to leave until the "advanced" part. In the version online I've used the following line of validation, which tests whether the ID parameter can be cast to an integer:

    ctype_digit($_GET['id'])

    One future article may be required to cover the whole area of dubious user input....

    • Andrew Tetlaw
    • Tue 14 Oct 2003 22:16

    Don't mistake this as putting me firmly in the Domino or bust camp. I've always thought PHP was cool, and I clearly understand how great it is to have a platform that is purely web focused. But the above is not really a great example of why, since I've done the same in domino by simply doing a:

    '@ReplaceSubstring(commentText ; "<" : ">" ; "& lt;" : "& gt;")'

    No it's not quite as capable as the PHP functions you talk about above but it is a trivial thing to do in Domino.

    • Jake
    • Wed 15 Oct 2003 04:31

    Andrew, you're right, you can kind of achieve most things in one way or another with Domino. It's the fact that they are never quite the full monty that disappoints me.

    With your example function you aren't always guaranteed the same results. Whether Domino behaves or not depends on the type of field you're working with and whether or not it's in pass-thru HTML. In the case of your post I had to edit it and put a space between "&" and the "lt" so that it didn't just convert them all to brackets anyway!

    How hard would it be to create a function called @ReplaceHTMLChars() and similar? Not very! They could do lots of things to make it easier for us, but they don't!!

    Ok, a better example. Domino has an @MailSend() function and PHP has one called Mail(). Both can send mail to any user from our web apps. Guess which one can do this with complete control over the headers and from/reply-to address formats and can easily be sent in HTML format??

    • Jake
    • Wed 15 Oct 2003 04:47

    Hang on, I'm back. Been thinking about Andrew's statement a little more.

    I didn't want the blog to become a PHP can, Domino can't thing, but you made it that way ;o)

    Try with Domino to recreate the striptags() feature whereby you can specify a list of allowed tags. In this case I supplied the argument '<b><i>' to the function to allow bold and italic.
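Following on from Carl's warning about the id parameter and Jake's validation line, an added example (not the code from the version online) that validates the raw string as an integer and then binds it as a query parameter instead of pasting it into the SQL. It assumes PHP 7.1 or later with PDO; the table and column names are placeholders.

```php
<?php
// Added example, not the Personal Journal code. Validate the id parameter
// before it reaches the query, then bind it rather than interpolating it.

// Returns the id as an int, or null when the raw value is not a plain
// positive integer (so "120;drop tablename" is rejected outright).
function document_id_from(array $query): ?int
{
    if (!isset($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Placeholder table/column names; $db is an open PDO connection.
function fetch_document(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM documents WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed query-string values standing in for $_GET['id'].
foreach (['120', '120;drop tablename', '0', '12abc', ''] as $raw) {
    $id = document_id_from(['id' => $raw]);
    printf("%-22s => %s\n", var_export($raw, true),
           $id === null ? 'rejected' : "ok ($id)");
}
```

Only the first value passes; everything else is refused before any database code runs.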

  3. been doing this on my blog for a long time. code is in java though, not @formulas. might post it sometime... but haven't had time for that sort of thing.

    :-)

  4. Yeah, Jake, I agree. I started on Notes (4.5) in the context of a web design company. We chose it as a platform when Database Driven websites were new and special. It seemed to do a lot of cool stuff easily at a time when no other product could, because of Domino.

    Of course I'm sure Lotus never saw Notes/Domino in the same context. It seemed to us, with every update, that they were serving a core market of enterprise users; those who used it for email/groupware and so on. We just used it because it was a database that had a built in web front end, text searching & replication. The groupware side of it we ignored.

    Since then many things have come out: Coldfusion, ASP, PHP, JSP, Zope... too many to remember! All of which have a web focus.

    The whole time we worked with Notes and watched these other products mature we kept on saying "Why doesn't Lotus see the potential for a targeted web dev platform here?"

    And they never really did. It's remained an easy way to get a web front end to a Notes database and not much else.

    BUT I think we'll see a big change as we move to Lotus Workplace don't you? It seems to be heading past a web dev platform to a multi-target-client dev platform! I'm excited!

  5. I should point out that the company I was talking about (I don't work there anymore) stopped new dev in Notes a long time ago (except for legacy clients) and is now solely PHP/MySQL :).

    I think a better example of how cool PHP is is the way you can control things at the HTTP level; streaming binary data for example? Or how you can generate images on the fly... and so on.

    • Bug1
    • Thu 18 Dec 2003 05:15

    <?php
    echo "What about php?";
    ?>


About This Page

Written by Jake Howlett on Sat 11 Oct 2003
