very dynamic

Posted: Tue Mar 03, 2009 12:45 am
by daregazi
Hi,

For a security reason I experienced, I wish to ask you guys: is it possible that before submitting a form's input values (actually happens when the user fills the form in and presses the submit button), every field that she fills in could be passed and stored on the server individually, and how? (in PHP code)

Thanks for any quick response!

Re: very dynamic

Posted: Tue Mar 03, 2009 2:49 am
by Mark Baker
daregazi wrote: For a security reason I experienced, I wish to ask you guys: is it possible that before submitting a form's input values (actually happens when the user fills the form in and presses the submit button), every field that she fills in could be passed and stored on the server individually, and how? (in PHP code)
It's possible using javascript to trap change of fields, and then an ajax call to pass that information to the server, but I wouldn't recommend it, and would refuse to visit any page that did it.
It's the same basic principle that keyloggers use.

There is no need for it, security or otherwise, so why do you want to do it?

Re: very dynamic

Posted: Tue Mar 03, 2009 3:09 am
by daregazi
Actually I don't wanna implement it, but I visited a page and I suspect that it might have had such a feature on. I looked at the page source code and there was only a javascript function to validate the form on submission, nothing else I could see of any Ajax code.

Shall I still suspect that you think that my visit to that page and incomplete data entry was harmless??? (I mean Ajax functionality of sending data to server asynchronously was off??)

Thanks again

Re: very dynamic

Posted: Tue Mar 03, 2009 3:11 am
by josh
You could do something like including a salt in a hidden field; when the form is submitted, javascript reads the salt, hashes the raw password + the salt and replaces the text fields. Salts would be kept track of on the server side. Essentially you can block out replay attacks in case your login isn't behind SSL (also SSL has been cracked).
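
The salted-hash login described in the post above, sketched as an added example that is not code from this thread. It runs both sides in Node.js; the names `issueSalt`, `clientResponse` and `verifyLogin`, the five-minute lifetime and the sample account are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample account. Assumption: the server holds a value it can
// recompute the client's hash from (here, the password itself).
const users = new Map([['alice', 'correct horse battery staple']]);

// Salts the server has handed out and not yet seen back: salt -> expiry (ms).
const issuedSalts = new Map();
const SALT_LIFETIME_MS = 5 * 60 * 1000; // assumed lifetime

// Server: generate the value that goes into the hidden form field.
function issueSalt(now = Date.now()) {
  const salt = crypto.randomBytes(16).toString('hex');
  issuedSalts.set(salt, now + SALT_LIFETIME_MS);
  return salt;
}

// Client: what the submit handler computes in place of the raw password.
function clientResponse(password, salt) {
  return sha256(password + salt);
}

// Server: accept a response only for a salt it issued, once, before expiry.
function verifyLogin(user, salt, response, now = Date.now()) {
  const expiry = issuedSalts.get(salt);
  issuedSalts.delete(salt); // consume the salt even when the login fails
  if (expiry === undefined || now > expiry) return false;
  const password = users.get(user);
  if (password === undefined) return false;
  const expected = Buffer.from(sha256(password + salt), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}
```

The server can only recompute the hash if it stores the password or a password-equivalent value, and the scheme does nothing against an attacker who can alter the page's JavaScript in transit.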

Re: very dynamic

Posted: Tue Mar 03, 2009 3:16 am
by papa
daregazi wrote: Actually I don't wanna implement it, but I visited a page and I suspect that it might have had such a feature on. I looked at the page source code and there was only a javascript function to validate the form on submission, nothing else I could see of any Ajax code.

Shall I still suspect that you think that my visit to that page and incomplete data entry was harmless??? (I mean Ajax functionality of sending data to server asynchronously was off??)

Thanks again
They most likely still have server side validation though.

Re: very dynamic

Posted: Tue Mar 03, 2009 7:08 am
by daregazi
Mark Baker,
Thanks for your reply! I cannot see any ajax code or extra javascript code inside the page source code. Do you think that it is unlikely to have asynchronous data transfer between what is inserted into the client side form input fields and the server? Or could that ajax code still be hidden from the page source code?
And also you said that you would refuse to visit such pages! How are you going to know that a page (containing a form) you are visiting has got this feature on???

Appreciate your reply.