CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.
Author Topic: Client is concerned about Contribution form validation  (Read 1152 times)

jmkaep

Client is concerned about Contribution form validation
December 04, 2010, 11:54:30 am
Client is concerned that there is no strict validation on the form and that it may be vulnerable to hacking through script and SQL injection.

Can anyone shed light on how this is prevented from happening in the form?

xavier

Re: Client is concerned about Contribution form validation
December 04, 2010, 03:03:33 pm
Hi,

What is the code your client is concerned about? Could you suggest that they come to this forum and discuss it with us?

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

jmkaep

Re: Client is concerned about Contribution form validation
December 05, 2010, 07:08:57 am
Client says "Username - was able to input a username with 180 characters, i.e. there is no validation", i.e. elimination of characters that may be used in execution of script or MySQL injection.

The question I need to answer to client is:

What is in place to prevent SQL injection or execution of a script from the contribution form?

xavier

Re: Client is concerned about Contribution form validation
December 05, 2010, 10:31:55 am
If it's the username, that's Joomla. Suggest your client go to their website and ask.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result

jmkaep

Re: Client is concerned about Contribution form validation
December 05, 2010, 11:07:11 am

I was just using username as an example - all the custom fields in the Contribution form don't seem to have validation beyond checking that the field is filled in. How does the form deal with characters that may allow a script to be executed from the form? I believe " and ' are problem characters that may allow SQL injection.

Since this is a CiviCRM form it would be safe to assume that a script generated by CiviCRM is validating all the fields in the form. Am I right?



xavier

Re: Client is concerned about Contribution form validation
December 06, 2010, 01:26:12 am
Hi,

Did you do a specific test that led to an SQL injection? Did you test your assumptions? Did you test what your client was concerned about?

As for the code, there are several solutions and tools that are put in place in CiviCRM to prevent SQL injections.

Per se, being able to enter a long string, or your mentioning ' or ", is not an SQL injection; please do some testing and come back with something more specific.

X+
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
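An added illustration of the point made above (it is example code, not code from this thread or from CiviCRM): when a query is parameterized, a quote in the submitted value is stored as data rather than parsed as SQL, while a length limit still has to be enforced on the server because browser-side jQuery checks can be skipped. The table, the field name and the 64-character limit are assumptions for the demo.

```python
import sqlite3

# Constructed sample inputs in the spirit of the thread: a name containing a
# quote, and a 180-character value that only a length rule would reject.
NAME_WITH_QUOTE = "O'Brien"
LONG_NAME = "a" * 180
MAX_LEN = 64  # assumed server-side limit for a custom text field


def make_db():
    conn = sqlite3.connect(":memory:")  # assumed schema, stands in for the CRM table
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, display_name TEXT)")
    return conn


def validate_name(value, max_len=MAX_LEN):
    """Server-side rule. Client-side (jQuery) checks can be bypassed, so the
    required/length rules must be repeated here. Returns an error key or None."""
    if not value.strip():
        return "required"
    if len(value) > max_len:
        return "too long"
    return None


def insert_concatenated(conn, name):
    # Vulnerable pattern: user input is spliced into the SQL text, so a quote
    # in the data changes the statement itself (the root cause of SQL injection).
    conn.execute("INSERT INTO contact (display_name) VALUES ('" + name + "')")


def insert_parameterized(conn, name):
    # Safe pattern: the value is bound separately from the SQL text, so any
    # character, quotes included, is stored literally and never parsed as SQL.
    conn.execute("INSERT INTO contact (display_name) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT display_name FROM contact ORDER BY id")]


def demo():
    conn = make_db()
    results = {}
    try:
        insert_concatenated(conn, NAME_WITH_QUOTE)
        results["concat"] = "ok"
    except sqlite3.OperationalError as exc:  # the quote broke the statement
        results["concat"] = "error: %s" % exc
    insert_parameterized(conn, NAME_WITH_QUOTE)
    results["param_stored"] = stored_names(conn)  # ["O'Brien"], stored intact
    results["long_name"] = validate_name(LONG_NAME)  # "too long"
    results["quote_name"] = validate_name(NAME_WITH_QUOTE)  # None: a quote is not an error
    return results
```

The takeaway matches the reply above: rejecting quotes is not what stops injection; binding parameters does, and length rules are a separate, server-side validation concern.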

jmkaep

Re: Client is concerned about Contribution form validation
December 06, 2010, 06:22:01 am
I'm sorry but I don't have the time/programming skills to do this right now.

CiviCRM uses jQuery to validate the form. Is there some way of modifying those?

Right now the form accepts 1-letter names in the custom fields, i.e. for address etc.

Is there something that's not working ie paths to scripts?

« Last Edit: December 06, 2010, 07:27:31 am by jmkaep »
