Webpages - Checking user input

Hi P
Solved by mariushm

Where do programmers handle user input errors?

 

Brief example, let's say we have a simple form that asks the users for their age, said age should be between 1 and 125.

Would such thing be handled in the front-end by limiting the user to input digits between 1 and 125 or do we look for such errors in the back-end? or both?

 

Thank you :)

 

 


I think either would work, you can either have it so that if they try to type 999, then it would only go to 99 and it wouldn't accept any more digits, or the user will just get an error and a message to try again.


1 hour ago, Hi P said:

Where do programmers handle user input errors?

 

Brief example, let's say we have a simple form that asks the users for their age, said age should be between 1 and 125.

Would such thing be handled in the front-end by limiting the user to input digits between 1 and 125 or do we look for such errors in the back-end? or both?

 

Thank you :)

 

 

Usually both. Front-end form validation for UX concerns / back-end validation focused on security concerns (e.g., stop bad inputs before sending for reduced wait time etc., but still need to check inputs on the back end for security concerns).


On 10/23/2019 at 4:30 AM, Hi P said:

Where do programmers handle user input errors?

 

Brief example, let's say we have a simple form that asks the users for their age, said age should be between 1 and 125.

Would such thing be handled in the front-end by limiting the user to input digits between 1 and 125 or do we look for such errors in the back-end? or both?

 

Thank you :)

 

 

Both.

Users can disable JavaScript or overload/overwrite JavaScript functions to do other behavior or use tools (Postman, cURL, other) to create their own requests outside a browser, skipping your validation.

Never blindly trust user input.

Especially when dealing with numbers, be aware of handling stuff like a user entering 0x5a (90 in hexadecimal), which parseInt in JavaScript would parse as 90, but if you insert the string 0x5a into a database it may not work.

Same for stuff like '1e3', which parseInt would return as 1, but inserting the string "1e3" in a database would fail, or would be read as 1 × 10^3 = 1000, which is above 125...


Front-end check is usually for user convenience. Not checking in the backend however can be very nasty. Someone can deliberately insert bad data and cause system havoc.

Sudo make me a sandwich 


21 hours ago, mariushm said:

Users can disable JavaScript or overload/overwrite JavaScript functions to do other behavior or use tools (Postman, cURL, other) to create their own requests outside a browser, skipping your validation, never blindly trust user input.

 

15 hours ago, wasab said:

Front-end check is usually for user convenience, not checking in the backend however can be very nasty. Someone can deliberately insert bad data and cause system havoc.

 

That's honestly really interesting, I'm currently working in a small company (startup) and they only validate through the front-end on their web apps.

My gut has been telling me to do it in both for a long time, but since I don't know any better I haven't talked to them about it.

 

How can I learn to properly handle user input in my back-end? Does that fall under security topics?


2 hours ago, Hi P said:

That's honestly really interesting, I'm currently working in a small company (startup) and they only validate through the front-end on their web apps.

My gut has been telling me to do it in both for a long time, but since I don't know any better I haven't talked to them about it.

 

How can I learn to properly handle user input in my back-end? Does that fall under security topics?

Yes. Let's say you are coding a browser game. If the player wins, the front-end code sends an update REST request to the server to increment his win streak by one.

 

If the front end does the winner check only, what do you think will stop the player from cheating by, say, writing up his own bogus request to keep incrementing his win streak even though he does not win?

 

The server's database would say he is the top player and you get other players complaining how you don't catch cheaters. 

Sudo make me a sandwich 


3 hours ago, Hi P said:

How can I learn to properly handle user input in my back-end? Does that fall under security topics?

Yes, it is one of the major concepts for server security. Just search input validation for 'whatever your backend stack is'. Injection attacks are the primary concern. E.g., the concern isn't really that someone will bypass front-end validation to send 999 as their age, but that they will send some malicious code to try to gain server access or data: think userAge=

' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/HiP/cmd.php' #

sort-of-thing... 
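Putting mariushm's parseInt caveats and the injection-shaped input from the reply above into code: an added example (not code from the thread or any poster) of a strict server-side age check in Node.js next to the lenient parseInt behaviour it replaces. The function names and the sample inputs are constructed for illustration; the value is assumed to arrive as a string from a form field or JSON body.

```javascript
// Added example, not code from the thread: strict server-side validation of
// an "age" form field versus what parseInt silently accepts.
// Assumes the raw value arrives as a string (form field or JSON body).

const AGE_MIN = 1;
const AGE_MAX = 125;

// Lenient: parseInt with no radix, as discussed in the thread. It accepts hex
// ("0x5a" -> 90), stops at the first non-digit ("1e3" -> 1, "12abc" -> 12)
// and skips leading whitespace.
function lenientAge(raw) {
  return parseInt(raw);
}

// Strict: only 1-3 decimal digits, no sign, spaces, hex prefix or exponent,
// followed by an explicit range check. Anything else is rejected with a reason.
function parseAge(raw) {
  if (typeof raw !== 'string' || !/^(?:0|[1-9][0-9]{0,2})$/.test(raw)) {
    return { ok: false, reason: 'not a plain decimal integer' };
  }
  const n = Number(raw);
  if (n < AGE_MIN || n > AGE_MAX) {
    return { ok: false, reason: `outside ${AGE_MIN}-${AGE_MAX}` };
  }
  // n is now a genuine integer in range; hand it to the database as a bound
  // query parameter, never by pasting the original string into SQL text.
  return { ok: true, value: n };
}

// Constructed inputs: normal values, the two cases from the thread, junk,
// and a string shaped like the injection payload quoted in the last reply.
const SAMPLES = ['42', '0x5a', '1e3', '12abc', ' 42', '999', '0', '',
  "' union select 1 #"];

// Side-by-side result for each sample, so the difference is visible.
function compare(samples = SAMPLES) {
  return samples.map((raw) => ({ raw, lenient: lenientAge(raw), strict: parseAge(raw) }));
}

console.table(compare());
```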

