HighDots Forums  

POST validation

HTML Writing HTML for the Web (comp.infosystems.www.authoring.html)


#1
GEO Me@home.here
POST validation - 10-06-2005, 09:45 AM

I have read a few comments against doing validation using
JavaScript, and when I found a page that seems to do validation using
POST I wondered what would happen if I pasted a long sentence from the
same page in the login box. I got a message of: 'HTTP 500.100 Internal
Server Error'.

Is this a problem of validation with POST, or just of the setup of
their server?

Page where it happened:
<http://customer.dynix.com/users/logon.asp>

Thanks.
Geo


#2
Michael Winter
Re: POST validation - 10-06-2005, 10:22 AM

On 06/10/2005 15:45, "GEO" Me (AT) home (DOT) here wrote:

Quote:
I have read a few comments against doing validation using
JavaScript [...]

Care to identify those comments?

There is no problem with employing client-side validation (when done
well). The issue lies with relying on such a scheme. As client-side
scripting can be either disabled or circumvented, omitting server-side
checks could lead to security vulnerabilities, as well as errors thrown
in server-side code if you assume that all erroneous data will have been
rejected. There are also cases where client-side checking is infeasible.

Quote:
[...] I found a page that seems to do validation using POST

One doesn't perform input validation using POST. It's a HTTP transfer
method (along with GET, HEAD, PUT, etc.)

Quote:
I wondered what would happen if I pasted a long sentence from the
same page in the login box. I got a message of: 'HTTP 500.100 Internal
Server Error'.

Is this a problem of validation with POST [...]

No, of course not. Every form you encounter on the Web should be
employing server-side checks, and most of those forms will be sending
their data to that server using the POST method.

[snip]

Mike

--
Michael Winter
Prefix subject with [News] before replying by e-mail.


#3
GEO Me@home.here
Re: POST validation - 10-06-2005, 12:29 PM

On Thu, 06 Oct 2005 15:22:46 GMT, Michael Winter
<m.winter (AT) blueyonder (DOT) co.uk> wrote:

Quote:
On 06/10/2005 15:45, "GEO" Me (AT) home (DOT) here wrote:

I have read a few comments against doing validation using
JavaScript [...]

Care to identify those comments?

There is no problem with employing client-side validation (when done
well). The issue lies with relying on such a scheme.....<snip>

I guess a more careful wording would have said 'relying' - as you
did, but I am still trying to get used to this terminology.

Quote:
One doesn't perform input validation using POST. It's a HTTP transfer
method (along with GET, HEAD, PUT, etc.)

<snip>

Quote:
Is this a problem of validation with POST [...]

No, of course not. Every form you encounter on the Web should be
employing server-side checks, and most of those forms will be sending
their data to that server using the POST method.

Thank you.

Geo



#4
Chris Beall
Re: POST validation - 10-06-2005, 01:18 PM

"GEO" Me (AT) home (DOT) here wrote:

Quote:
I have read a few comments against doing validation using
JavaScript, and when I found a page that seems to do validation using
POST I wondered what would happen if I pasted a long sentence from the
same page in the login box. I got a message of: 'HTTP 500.100 Internal
Server Error'.

Is this a problem of validation with POST, or just of the setup of
their server?

Page where it happened:
http://customer.dynix.com/users/logon.asp

Thanks.
Geo

Geo,

I agree with everything Mike said. In addition:

The Internal Server Error indicates that the code at the server failed
to adequately check the input from the form. In this case, it allowed a
very long input (the sentence you copied) where only a short one (an ID
or password) was expected. The most likely result is that the long data
was stored into a short field and slopped over the top of adjacent data
that was important. Things went downhill from there.

Every time a programmer makes an assumption, a system dies somewhere.

Chris Beall
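
The server-side check that Mike and Chris describe above, sketched in Python as an added example (it is not part of the thread and not the code of the site discussed; the field names, limits and sample requests are assumptions). Oversized or malformed input is rejected with a 4xx response before any storage or lookup code sees it, whatever a client-side script did or did not check.

```python
import re
from urllib.parse import parse_qs

MAX_BODY_BYTES = 1024  # assumed cap on the whole request body
# Assumed field names and limits for a logon form: (max length, allowed pattern).
FIELD_RULES = {
    "userid": (32, re.compile(r"[A-Za-z0-9._@-]+")),
    "password": (128, None),  # length-limited only; any characters allowed
}

# Constructed sample requests: a normal logon, and a pasted sentence as the ID.
GOOD = b"userid=geo&password=correct+horse"
LONG = b"userid=" + b"I+wondered+what+would+happen+" * 3 + b"&password=x"


def validate_login(body: bytes):
    """Return (status, errors, fields) without trusting any client-side check."""
    if len(body) > MAX_BODY_BYTES:
        return 413, ["request body too large"], {}
    try:
        parsed = parse_qs(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True)
    except (UnicodeDecodeError, ValueError):
        return 400, ["malformed form data"], {}

    errors, fields = [], {}
    for name, (max_len, pattern) in FIELD_RULES.items():
        values = parsed.get(name, [])
        if len(values) != 1:
            errors.append(f"{name}: expected exactly one value")
        elif not values[0]:
            errors.append(f"{name}: required")
        elif len(values[0]) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
        elif pattern and not pattern.fullmatch(values[0]):
            errors.append(f"{name}: contains characters that are not allowed")
        else:
            fields[name] = values[0]
    unexpected = sorted(set(parsed) - set(FIELD_RULES))
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(unexpected))
    return (400, errors, {}) if errors else (200, [], fields)


if __name__ == "__main__":
    for sample in (GOOD, LONG):
        print(validate_login(sample)[:2])
```

Only the values returned in `fields` should be passed on to the rest of the application; a 400 with a short message replaces the unhandled 500 the original poster saw.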



#5
GEO Me@home.here
Re: POST validation - 10-07-2005, 07:45 AM

On Thu, 06 Oct 2005 18:18:10 GMT, Chris Beall
<Chris_Beall (AT) prodigy (DOT) net> wrote:

Quote:
"GEO" Me (AT) home (DOT) here wrote:
I have read a few comments against doing validation using
JavaScript, and when I found a page that seems to do validation using
POST I wondered what would happen if I pasted a long sentence from the
same page in the login box. I got a message of: 'HTTP 500.100 Internal
Server Error'.
Is this a problem of validation with POST, or just of the setup of
their server?
Page where it happened:
http://customer.dynix.com/users/logon.asp

Quote:
Geo,
I agree with everything Mike said. In addition:
The Internal Server Error indicates that the code at the server failed
to adequately check the input from the form. In this case, it allowed a
very long input (the sentence you copied) where only a short one (an ID
or password) was expected. The most likely result is that the long data
was stored into a short field and slopped over the top of adjacent data
that was important. Things went downhill from there.

Every time a programmer makes an assumption, a system dies somewhere.

Thank you.

Geo


