JSP form check integrity check

 
Greenhorn
Posts: 23
Hi all!

I have a form.jsp that is located in the /WEB-INF/ section of my project.
My form is generated dynamically and I have been researching for a way or method to check that,
from when I generate and send my form to the client until the server receives it again, whether any questions or answers have been changed by the client or in transit.

For example, i send the questions
1. Happy?
2. Neutral
3. Angry

1 = good
3 = bad

If the client either changed the value 1 to 3 or the text of the questions, I imagine that the integrity of the form has been broken and the client should be redirected back or to an error page,
and the data of the form should not be saved (SQL).

I was imagining that maybe somehow you could make a server-side checksum of the form when sending and receiving it; if these don't match, discard, else save.

Is there a 'best practice' way of solving such a task?

I have been trying to Google any resources / articles / other on the subject, but have not been able so far to find anything I could use.

Thanks in advance!
Best regards!
 
Marshal
Posts: 28193
It sounds to me like the servlet which receives the request from that form is getting the questions sent to it as well as the answers? That seems, well, not like how forms are usually designed in HTML. I would expect only the answers to be sent. Which would mean that the server already had a copy of the questions, in some form. Or at any rate it would know what the questions were.

I suppose that the client could change the questions and answers, but you're only going to get one answer per question anyway in the response.

But I'm just making assumptions here. Perhaps you could clarify your question? What would be helpful would be an actual example of the generated form and a description of how and where it might be harmfully changed during the process.
 
Saloon Keeper
Posts: 27763
This sounds like the kind of thing you'd do if you were dynamically creating quiz pages. But when a user submits a form, the static content of the form (stuff like the quiz questions) is not uploaded to the server (thank goodness! That would be additional overhead). So really, you need to simply track the form control names, because the form submit is going to be in name/value form. Thus, you'd simply pair the returned names with their values and score on that and it doesn't really matter whether anyone changed anything undercover, unless you've got really bad network security and there's a man-in-the-middle trying to confuse things. If the client side wanted to mess with things, it could add or remove control name/values, put invalid data in a value (for example, 65536 characters in a field expected to be less than 10 characters long) and do stuff like that. But that's something that any well-designed form handler should be prepared to deal with, since it doesn't matter whether a web form page was generated from a static template or from dynamic input, the application should always be defending itself against possible abuse.
 
Drenriza Housen
Greenhorn
Posts: 23
Thanks for the feedback @Paul and @Tim!

Paul Clapham wrote:
But I'm just making assumptions here. Perhaps you could clarify your question? What would be helpful would be an actual example of the generated form and a description of how and where it might be harmfully changed during the process.

An example could be: in my HTML I have a <form> element that contains my questions (totally random questions)
Question1: How likely are you to recommend us?
Answer: 1 (never) to 9 (extremely likely)

Question2: (select all that apply) How would you describe yourself?
<input type="checkbox" ...

The first question only has one answer, the second question can have many answers.

Let's, for the sake of argument, say I hardcode all questions and answers by hand in my .jsp and send this page to the client.

There is nothing to stop the client from inspecting the <select> element and changing Q1 to Q8 and the values to something like "farting king".
Let's say I by chance have a Q8 question that is also a single-answer question, so it would be possible to save the answer.

How would I, at the server when I receive the response, be able to determine
"I sent this client a Q1 question (or a series of questions Q1, Q2, Q7, Q4 ...) but got back a Q8 question, this is wrong, don't save data"

or
"I sent this client Q1 that I know has answers ... but I received an answer that Q1 does not have, this is wrong, don't save data"

Thanks for all the feedback!
 
Rancher
Posts: 4801
You don't.

You send the client exactly what you are at the moment.
You presumably know what responses to expect, and if you don't get a valid response then return an error.
 
Tim Holloway
Saloon Keeper
Posts: 27763
And you aren't going to be getting back questions, only answers. Like I said, the client does not return what you sent to it, only the values of its form controls.
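What Tim describes, validating the returned name/value pairs against the question set the server itself rendered, as an added example in plain Java (not code from the thread or from any of the posters; the control names q1/q2, the 1..9 scale and the checkbox labels are constructed to mirror the asker's Q1 and Q2, and the parameter map stands in for HttpServletRequest.getParameterMap()):

```java
import java.util.*;

/** One question the server rendered: its control name, the values it offered, and whether several may be ticked. */
final class Question {
    final String name;
    final Set<String> allowed;
    final boolean multi;
    Question(String name, Set<String> allowed, boolean multi) {
        this.name = name; this.allowed = allowed; this.multi = multi;
    }
}

public final class FormValidator {
    // The question set this server sent, keyed by control name (constructed to match the thread's Q1 and Q2).
    static final Map<String, Question> EXPECTED = new LinkedHashMap<>();
    static {
        Set<String> scale = new HashSet<>();
        for (int i = 1; i <= 9; i++) scale.add(Integer.toString(i));      // Q1: 1 (never) .. 9 (extremely likely)
        EXPECTED.put("q1", new Question("q1", scale, false));
        EXPECTED.put("q2", new Question("q2",                             // Q2: checkbox group, any subset
                new HashSet<>(Arrays.asList("student", "employee", "retired")), true));
    }

    /** Returns the problems found; an empty list means the submission may be saved. */
    static List<String> validate(Map<String, String[]> params) {
        List<String> errors = new ArrayList<>();
        for (String name : params.keySet()) {                            // controls the server never rendered
            if (!EXPECTED.containsKey(name)) errors.add("unexpected control: " + name);
        }
        for (Question q : EXPECTED.values()) {
            String[] values = params.get(q.name);
            if (values == null || values.length == 0) {
                if (!q.multi) errors.add("missing answer for " + q.name); // an unticked checkbox group sends nothing
                continue;
            }
            if (!q.multi && values.length != 1) errors.add("several values for single-answer " + q.name);
            for (String v : values) {                                     // values the question never offered
                if (!q.allowed.contains(v)) errors.add("value not offered for " + q.name + ": " + v);
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        Map<String, String[]> good = new HashMap<>();
        good.put("q1", new String[] {"7"});
        good.put("q2", new String[] {"student", "retired"});
        System.out.println(validate(good));
        Map<String, String[]> tampered = new HashMap<>();
        tampered.put("q8", new String[] {"farting king"});               // control that was not on the page
        tampered.put("q1", new String[] {"42"});                         // outside the 1..9 scale
        System.out.println(validate(tampered));
    }
}
```

Because the questions live only on the server, there is nothing for the client to "change" that the handler would trust; whatever a non-empty error list is, the handler redirects to the error page instead of saving.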
 
Drenriza Housen
Greenhorn
Posts: 23
Thanks for the answers!
 