Disallowing special characters on a Dreamweaver form


dreamydesigner
03-31-2008, 08:38 PM
I need to secure a form on my website, to prevent virus attacks. I was told that disallowing special characters in the form would help. I am using Dreamweaver to build my page - does anyone know the code {or process} to reject special characters?

Thank you thank you! :)

semioticantics
03-31-2008, 08:41 PM
Do you have access to any sort of server-side scripting like PHP? Or will you need to use client-side JS to handle cleaning the input?

dreamydesigner
03-31-2008, 08:50 PM
My site is able to use PHP - is that what you mean?

semioticantics
03-31-2008, 08:57 PM
Certainly is. Where is the user input going? Into a database, an e-mail?

You'll likely want to clean the input at the PHP end of your form, using functions like htmlspecialchars and addslashes.

For example, let's say that my website had

<form action="myscript.php" method="POST">
<input type="text" name="moo" id="moo" />
<input type="submit" value="Submit!" />
</form>
In myscript.php, I would need to clean that information like so:

<?php

// Read the raw value from the POST superglobal.
$moo = $_POST['moo'];

// Escape HTML metacharacters (for safe display later) and then quote
// characters (so the value can sit inside the SQL string literal).
// addslashes() is not charset-aware; mysql_real_escape_string() or a
// prepared statement is the usual alternative.
$moobar = htmlspecialchars($moo);
$moobar = addslashes($moobar);

// ... code to connect to db (legacy mysql_* extension, removed in PHP 7)

// The value must be quoted inside the statement, or the query is a syntax error;
// `column` is a reserved word in MySQL, hence the backticks.
mysql_query("INSERT INTO table_a (`column`) VALUES ('$moobar')");
?>
We grab 'moo' (the name from our text input above) from the POST superglobal and put it into $moo, then clean it with each of the functions (renaming it once along the way, for clarity and to keep access to the original) before, for example, inserting it into a database.

tZ
04-01-2008, 02:49 PM
Using JavaScript to secure your form is a terrible idea. JavaScript is insecure and undependable because it can be turned off. Therefore, you would want to use a server-side language such as PHP. How I would approach it would be to create a function or class that parses the information using regular expressions. Then, based on whether the characters are matched, they would either be replaced or the form wouldn't be allowed to submit. That would be the most dependable and secure method.

dreamydesigner
04-01-2008, 06:00 PM
My form feeds the information into an email and sends it to me. It does not have a database connected with it. Is it possible to use Spry validation in Dreamweaver to accomplish this? I can tell that you both are very knowledgeable and I am certain that your solutions would work, however, I am not a very experienced programmer - more of a designer. I am not afraid of code, but not super confident either. Do you think Spry would work? Thank you, thank you.

semioticantics
04-01-2008, 06:09 PM
I've actually never used Spry, but since you're not working with a database your worries for SQL injection are now pretty much zero. While I normally go with a full class made for cleaning all sorts of data (phpclasses.org is awesome for finding such things), that's overkill for your situation. Basic cleaning should do fine.
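Neither post spells out what the "basic cleaning" for an e-mail-only form looks like. Below is an added example, not code from the thread, of the server-side approach tZ describes (regular expressions deciding whether a field is accepted or the submission is refused) applied to the case semioticantics covers (no database; the input goes into an e-mail). The field names (name, email, subject, message), the length limits and the addresses are assumptions.

```php
<?php
// Added example (not code from the thread): a server-side handler for a
// contact form whose contents are e-mailed to the site owner. Field names,
// length limits and addresses are assumptions for illustration.

const RECIPIENT = 'owner@example.com';                          // assumed
const FROM_HDR  = 'From: Website form <noreply@example.com>';   // assumed; an address the server may send as

/** Fetch a POSTed field as a trimmed string; arrays (name[]=...) count as empty. */
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

/**
 * Validate the submission. Returns the clean values, or throws
 * InvalidArgumentException describing the first problem. Fields are
 * rejected rather than silently rewritten, so the rules stay predictable.
 */
function validate_contact_form(array $post): array
{
    $name    = field($post, 'name');
    $email   = field($post, 'email');
    $subject = field($post, 'subject');
    $message = field($post, 'message');

    // Whitelist for a name: letters and combining marks in any script,
    // space, period, apostrophe, hyphen. Everything else counts as "special".
    if ($name === '' || mb_strlen($name) > 80
        || !preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name)) {
        throw new InvalidArgumentException('Name is empty, too long, or contains disallowed characters.');
    }

    // Use PHP's own validator instead of a hand-written e-mail regex.
    if (mb_strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('E-mail address is not valid.');
    }

    // Anything placed in a mail header must not contain CR, LF or NUL:
    // a line break lets the visitor append headers of their own
    // (extra recipients, Bcc, a different From).
    if ($subject === '' || mb_strlen($subject) > 120 || preg_match('/[\r\n\0]/', $subject)) {
        throw new InvalidArgumentException('Subject is empty, too long, or contains line breaks.');
    }

    // The body may have line breaks, but cap its size and strip control
    // characters other than tab and newline.
    if ($message === '' || mb_strlen($message) > 5000) {
        throw new InvalidArgumentException('Message is empty or too long.');
    }
    $message = preg_replace('/[^\P{C}\t\n]/u', '', $message);

    return compact('name', 'email', 'subject', 'message');
}

/** Build and send the mail. The visitor's address goes in Reply-To, never in From. */
function send_contact_mail(array $clean): bool
{
    $headers = [
        FROM_HDR,
        'Reply-To: ' . $clean['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$clean['name']}\nE-mail: {$clean['email']}\n\n{$clean['message']}";

    return mail(RECIPIENT, $clean['subject'], $body, implode("\r\n", $headers));
}

// Entry point for the form's action="..." target.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $sent = send_contact_mail(validate_contact_form($_POST));
        echo $sent ? 'Thanks, your message was sent.' : 'Sorry, the message could not be sent.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        // The text is our own, but escape it anyway before writing it into an HTML page.
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The checks that matter most for a form mailer are on the fields that end up in mail headers: the subject and the sender address must not contain line breaks, because a newline there lets a visitor append headers of their own. htmlspecialchars() is for text written into an HTML page; a plain-text e-mail body does not need it, which is why the example applies it only to the error message it echoes back.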

dreamydesigner
04-01-2008, 06:12 PM
Sorry, I hope this is not a redundant question, but how do you do just basic cleaning?

digizan
04-01-2008, 06:42 PM
> My form feeds the information into an email and sends it to me....I am not a very experienced programmer - more of a designer. I am not afraid of code, but not super confident either.

Have you tried checking your domain's control panel? These days many hosting companies provide you with form mailers (usually some kind of CGI script) that are either pre-installed or that you can install via your control panel with a mouse click or two.

There should also be instructions for configuring it within the script itself (in the comments), somewhere in your hosting provider's knowledge base, or when you install it from your cPanel it will tell you where to find instructions (perhaps somewhere online).

Configuration is usually pretty simple if you read the instructions thoroughly and follow them carefully.

Digi

P.S. To address your initial concern about special characters, the scripts provided by hosting companies tend to be fairly secure, as hosting companies don't want easily exploited scripts running on their servers.

One other benefit/caveat: If you use your hosting company's script and have trouble with it, their support people will most likely help you. If you download a script from somewhere else or attempt to write your own, and then end up having security problems your hosting company will probably NOT help you and may shut down all or part of your site and/or the script if it is compromised (because in a shared hosting environment a security breach will pose a threat to all the other sites hosted on the same server).

dreamydesigner
04-01-2008, 08:41 PM
Thanks Digi. I looked into using my provider, and they said this was custom scripting and they do not provide that...but it was a great suggestion. I'm going to try to get the php code to work on my form. Thanks tZ, for the heads up on not using javascript. That was very helpful as well. You guys are the best!! I appreciate you all not giving me heck for my lack of knowledge in this area... :p

Drazan
04-02-2008, 01:19 AM
Use this. It's so far the most secure one I've found.


http://www.dagondesign.com/articles/secure-php-form-mailer-script/

shalom_m
04-03-2008, 12:55 AM
Keep it as simple as possible.
See: http://web.mit.edu/wwwdev/cgiemail/user.html

If your hosting provider does not supply it go to: http://www.netwinsite.com/cgimail/index.htm

I have used it for years without any problems.