NYCPHP Meetup

NYPHP.org

[nycphp-talk] Little heads up with HTMLQuickform

Paul Reinheimer preinheimer at gmail.com
Fri Sep 17 15:55:26 EDT 2004


I've been playing around with HTML Quickform on my site and noticed a
little quirk that may save others some time.

By default (at least with the versions I have been playing with) HTML
Quickform does some stuff to the user entered data before sending it
to you.

Say you create a simple registration form and use this code for the password:
$form->addElement('password', 'txtPass', 'Password');
$form->addRule('txtPass', 'Enter your password.', 'required', '', 'client');
$form->addRule('txtPass', 'Your password must be at least three characters.', 'minlength', 3, 'client');

Pretty basic. Display it as you normally would, user enters a password
as follows (no quotes) "a3d<gkas>s2", what your code actually gets is
(again no quotes) "a3ds2", the "<gkas>" has been stripped, no error
returned to the user.

My first thought was that this was horrible, since the poor user now
has no idea what their password is, and won't be able to login.
However, this isn't the case. Provided you use HTML_Quickform for all
your login pages, it will perform exactly the same stripping and
everything will work.

I still don't think this is an optimal situation however for a couple
of reasons:
1. If HTML_Quickform ever changes the way that this stripping works,
users won't be able to log in.
2. If you have any pages that don't use HTML_Quickform, the user can't
log in on them.
3. If you have tied together any systems (say a login on your page
automatically creates a forum account, or a shell account, or a ...),
those systems probably don't use the same stripping rules.
4. Having users not know what their password is just gives me the willies.
5. These restrictions, if known by an attacker, make passwords easier
to crack as many possible passwords can be skipped, or multiple unique
passwords would match the one on file.

This stripping applies to most (if not all) of the default form types
(text, password, etc), so if their username happens to be "I<Us>they"
it will end up as "Ithey" without prompting an error.
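The following is an added example, not code from the post or from HTML_QuickForm itself. It models the behaviour described above with a stand-in strip-tags filter (a hypothetical `strip_tags` regex, not the library's implementation) applied before a password is hashed, and shows the three consequences the post lists: a login page that does not apply the same filter rejects the user's real password (reason 2), several distinct raw passwords match one stored hash (reason 5), and a registration path that refuses any value the filter would change, so the user gets the error the post says is missing. Plain SHA-256 is used only to keep the example deterministic; a real deployment uses a salted password KDF.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a strip-tags style filter that models the quirk
# described in the post: anything shaped like an HTML tag, e.g. "<gkas>",
# is silently removed. This is NOT HTML_QuickForm's own code.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Remove tag-like substrings from a submitted form value."""
    return TAG_RE.sub("", value)


def _digest(value: str) -> str:
    # Deterministic placeholder for a password hash; a real system would use
    # a salted KDF (bcrypt, scrypt, argon2), which does not change the point.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def register_silent(password: str) -> str:
    """Registration as the post describes it: filter first, hash the filtered
    value, return no error even though the input was altered."""
    return _digest(strip_tags(password))


def login_filtered(candidate: str, stored_hash: str) -> bool:
    """Login page that applies the same filter; this is why it 'just works'."""
    return hmac.compare_digest(_digest(strip_tags(candidate)), stored_hash)


def login_unfiltered(candidate: str, stored_hash: str) -> bool:
    """Login page (or a tied-in system) that does NOT apply the filter,
    reasons 2 and 3 in the post: the user's real password no longer matches."""
    return hmac.compare_digest(_digest(candidate), stored_hash)


def colliding_candidates(stored_hash: str, candidates: list[str]) -> list[str]:
    """Reason 5 in the post: list every distinct raw input that the filtered
    login accepts for one stored hash. Useful for reasoning about how much
    the filter shrinks the effective password space."""
    return [c for c in candidates if login_filtered(c, stored_hash)]


def register_checked(password: str) -> str:
    """Hardened variant: refuse any value the filter would change, so the user
    is told up front instead of ending up with a password they do not know."""
    if strip_tags(password) != password:
        raise ValueError("password contains characters that would be silently removed")
    return _digest(password)


if __name__ == "__main__":
    h = register_silent("a3d<gkas>s2")
    print("filtered login accepts real password:", login_filtered("a3d<gkas>s2", h))
    print("unfiltered login accepts real password:", login_unfiltered("a3d<gkas>s2", h))
    print("inputs colliding with the stored hash:",
          colliding_candidates(h, ["a3ds2", "a3d<gkas>s2", "a3<b>ds2", "a3dss2"]))
    try:
        register_checked("a3d<gkas>s2")
    except ValueError as exc:
        print("checked registration rejected:", exc)
```

Running it shows that "a3d<gkas>s2", "a3<b>ds2" and the plain "a3ds2" all unlock the same account on a filtered login page, while the user's actual password fails on an unfiltered one; the `register_checked` path turns the silent alteration into a visible validation error.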

I think the fact that HTML_Quickform takes care of some of the
filtering is awesome, especially for smaller projects, but as
programmers we should be aware of the assumptions the filtering is
making.
paul