Home      Products & Services      Contact Us      Links

WebHatchers will design & develop your site for you.

Website Menu Heaven: menus, buttons, etc.

Send us your questions.

site search by freefind

SEO, Google, Privacy
   and Anonymity
Browser Insanity
Popups and Tooltips
Free Website Search
HTML Form Creator
Buttons and Menus
Image Uploading
Website Poll
IM and Texting
   or Not MySQL
Personal Status Boards
Content Management
Article Content
   Management Systems
Website Directory
   CMS Systems
Photo Gallery CMS
Forum CMS
Blog CMS
Customer Records
   Management CMS
Address Book CMS
Private Messaging CMS
Chat Room CMS
JavaScript Charts
   and Graphs

Free Personal Status Boards (PSB™)

Free Standard Free PSB

Free PSB Pro Version

Free Social PSB

Free Social PSB Plus (with Email)

Free Business PSB

Free Business PSB Plus (with Email)

PSB demo

Social PSB demo

Business PSB demo

So what's all this PSB stuff about?

Chart comparing business status boards

PSB hosting diagram

PSB Licence Agreement

Copyright © 2002 -
MCS Investments, Inc. sitemap

PSBs, social networking, social evolution, microcommunities, personal status boards
PSBs, social networking, business personal status boards
website design, ecommerce solutions
website menus, buttons, image rotators
Ez-Architect, home design software
the magic carpet and the cement wall, children's adventure book
the squirrel valley railroad, model railroad videos, model train dvds
the deep rock railroad, model railroad videos, model train dvds

Security Levels from JavaScript and PHP Input Filtering

Also see:

Security is a funny thing. There are dire predictions and massive paranoia about data from users, preventing MySQL injection attacks, stopping hackers in their tracks so they don't crash your site, wreck your databases, corrupt your data, hijack your site—and the list goes on. We've had a lot of sites for 8 years, and they have plenty of forms, and we had one incident where some creeps were using one of our sites for sending out spam at such a rate the host closed it and we ended up with a new email address and new safer CGI form handler, after which our site reopened. And once some creeps usurped a form of ours to send us nasty emails.

Other than that, we get a bit of spam just like everybody else. We had no special user input filtering during that time—most smaller sites don't. There's not that much to gain from messing with us since we use only the most secure servers with the highest level of security and 128-bit encryption for when we get orders for products at one of our sites, and we have security certificates, a great credit rating, a good rep, and the whole 9 yards. And orders are all dealing with small amounts of money. Like thousands of other ecommerce companies doing business online, we've never had a single security issue regarding money, credit, online safety, credit cards, identities, etc.

So the 2 incidents that happened were merely nuisances—easily fixable. We use an email address scrambler to prevent form spam and spam filters on our email. This has killed the form spam. The spam filters and the use of a few disposable email addresses that allow greylisting has greatly reduced the spam.

So we don't feel like a great emergency exists for most smaller sites regarding input filtering, and it's obvious other sites feel the same way, since not that many bother with filtering form data from users.

That said, however, the threat of hacker attacks is very real, and it will always be a clear and present danger to webmasters, site owners, hosts, ecommerce, etc. If you want to be 100% safe in this world, use a guillotine. From that moment on, you will be 100% safe from anything doing you any further harm. But in the real world, one has to make choices. How much effort should go into security to prevent what may never occur? Big companies, banks, Facebook, MySpace and the like all need great security. The Defense Department and the electrical grid needs even better protection. But you—what do YOU need? Each of us has to decide that for himself, herself, or—in the case of companies—itself.

We'd like to help by laying a few security tactics on you which we hope you will find useful. First off, do JavaScript input validators do any good? (Examples: regular expression general input validator, regular expression username validator, regular expression password validator, regular expression email validator, and regular expression url validator.) Yes and no (PHP validators are much better). If a noobie hacker is just goofing around in one of your forms, it will stop the bad characters because an onSubmit sends the data to a validator prior to submission. But it only works if JavaScript is turned on in a hacker's browser. So a smart hacker leaves it off. Oops! There goes the input filtering! Oh well, who ever said life was fair? So hackers are getting easy pickings at your site due to its reliance on JavaScript-based security measures, easy to overcome. Is that your problem, Bunky? Here, then, are suggestions and these countermeasures are not to be seen as infallible, but as progressively useful. We go from simplest (least secure, but still helpful) to most complex (most secure):

The difference between JavaScript and PHP validation is quite small, but you should do JavaScript form validation if for no other reason than to take the load off the server and distribute it to the client browser (but supplement it with PHP validation whenever you're getting hacker attacks, feeling paranoid, or just like to program). Check it out:


var ck_email = /^[A-Za-z0-9-_]+(\.[A-Za-z0-9-_]+)*@([A-Za-z0-9-_]+\.)?([A-Za-z0-9-_]+(\.[A-Za-z]{2,6})(\.[A-Za-z]{2})?)$/;
if (document.form.email.value.search(ck_email)==-1) {alert("That email address is not valid.");return false}


$email = htmlspecialchars($_POST['email'], ENT_QUOTES); if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)) {die("That email address is not valid.");}

The above function uses $ before variable names, as all of PHP does. It gets form data POSTed to it, which usually happens. It uses htmlspecialchars() to convert special characters (& < > " and ') to HTML entities, since you may decide to use echo or print statements with the PHP strings gotten from the POST. It uses preg-match(), since that's a popular way to perform a regular expression match in PHP. You may wish to use our more comprehensive regular expression rather than the simple one shown, however.
For preg-match() info.
For htmlspecialchars() info.