Profile Qtns : Multi Select Qtns. : Max No. Permitted

    • 275 posts
    June 25, 2018 6:07 PM EDT

    Would be great if there was an option for ALL Multi Select Question Types where the SiteAdmin can determine the maximum number of choices a user is allowed to select.

    Example: Max No. Permitted to Choose: 3

    In Edit Profile, the user would be limited in the number of selections he can make.

    Example: a maximum of 3 checkboxes can be ticked.


    This post was edited by playmusician at June 25, 2018 6:08 PM EDT
    • Moderator
    • 6923 posts
    June 27, 2018 4:41 AM EDT

    That is a good idea. We'll have to look at this.

  • gs
    • 857 posts
    June 27, 2018 12:17 PM EDT

    Yes, this is a great idea.

     

    I'm formulating another FR for Profile fields in general because I'm regularly hitting a wall when attempting to create profile fields.  I was spoiled years ago with a programming language named Clarion which offered a lot of options and structure when it came to fields.

    • 629 posts
    June 28, 2018 3:23 AM EDT

    I agree. Great idea!

    • 275 posts
    October 7, 2018 6:53 PM EDT

    I would do these things too...

    because a site can be easily hacked if validation is not taken care of on any form.

    1) Single-line / Multiple-line Text Input

    ------------------------------------

    - Max Characters Allowed - by Admin

       Alert and do not allow the user to enter his stuff, reset the input box, when he fails to do so.

    - Determine which Characters are allowed - by Admin

       Alert and do not allow the user to enter his stuff, reset the input box, when he fails to do so.

     

    2) Emails / YouTube, SoundCloud Links - Determine Characters & Length allowed - by Admin

    ---------------------------------------------------------------------------------------------------------

    Example: an email has 1 @, a certain number of periods, etc.

    Alert and do not allow the user to enter his stuff, reset the input box, when he fails to do so.

     

    3) Select & Multi-Select Boxes

    -------------------------------------

    - Limit the Maximum No. of Choices a user can select in Multiple Dropdown Boxes - by Admin

      Alert and do not allow the user to choose, reset the dropdown, when he fails to do so.

    4) Location Box in Profile Qtn has no relation with Edit Location

    • It does not work with the Google API and is just a static input box.

    Validate characters and length - by Admin

    Alert and do not allow the user to enter his stuff, reset the input box, when he fails to do so.


    This post was edited by playmusician at October 7, 2018 7:00 PM EDT
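The checks requested in the post above (maximum characters, an allowed character set, email and link shape, and a maximum number of multi-select choices) can all be expressed as one rule table that the browser and the server evaluate identically. The following is an added example written for this thread, not code from the forum software or from the poster; the rule shape, the field names, the allowed link hosts and the sample submissions are assumptions made for the example.

```javascript
// Added example, not code from the thread or the forum software. It implements the
// admin-configurable checks listed above (max characters, allowed characters, email and
// link shape, maximum number of multi-select choices) as one rule table that both the
// browser and the server can run. Rule shape, field names and sample data are assumptions.

const ALLOWED_LINK_HOSTS = ["www.youtube.com", "youtube.com", "youtu.be", "soundcloud.com"];

// Returns an array of error strings for one field; an empty array means the value is accepted.
function validateField(rule, value) {
  const errors = [];
  const text = typeof value === "string" ? value : "";

  switch (rule.type) {
    case "text":
      if (text.length > rule.maxLength) {
        errors.push(`${rule.name}: at most ${rule.maxLength} characters allowed`);
      }
      // `allowed` is a whole-string RegExp chosen by the admin (letters, digits, a few punctuation marks).
      if (rule.allowed && !rule.allowed.test(text)) {
        errors.push(`${rule.name}: contains characters that are not allowed`);
      }
      break;

    case "email": {
      // Exactly one "@", a non-empty local part, and a domain with a dot that is neither first nor last.
      const at = text.indexOf("@");
      const domain = text.slice(at + 1);
      if (text.length > rule.maxLength) {
        errors.push(`${rule.name}: too long`);
      } else if (at < 1 || at !== text.lastIndexOf("@") ||
                 !domain.includes(".") || domain.startsWith(".") || domain.endsWith(".")) {
        errors.push(`${rule.name}: not a valid email address`);
      }
      break;
    }

    case "link": {
      // Parse with the WHATWG URL parser; accept only https links to the hosts the admin listed.
      let url = null;
      try { url = new URL(text); } catch (e) { url = null; }
      if (text.length > rule.maxLength) {
        errors.push(`${rule.name}: too long`);
      } else if (!url || url.protocol !== "https:" || !rule.hosts.includes(url.hostname)) {
        errors.push(`${rule.name}: must be an https link to one of ${rule.hosts.join(", ")}`);
      }
      break;
    }

    case "multiselect": {
      // Choices must be known options, not repeated, and no more than the admin's maximum.
      const chosen = Array.isArray(value) ? value : [];
      const unknown = chosen.filter((c) => !rule.options.includes(c));
      if (new Set(chosen).size !== chosen.length) errors.push(`${rule.name}: duplicate choices`);
      if (unknown.length) errors.push(`${rule.name}: unknown choices ${JSON.stringify(unknown)}`);
      if (chosen.length > rule.maxChoices) {
        errors.push(`${rule.name}: at most ${rule.maxChoices} choices allowed`);
      }
      break;
    }

    default:
      errors.push(`${rule.name}: unknown rule type ${rule.type}`);
  }
  return errors;
}

// Validates a whole submission against the rule table. Fields the form never offered are
// rejected as well, so a crafted request cannot smuggle in extra data.
function validateProfile(rules, submission) {
  const errors = [];
  for (const rule of rules) errors.push(...validateField(rule, submission[rule.name]));
  for (const key of Object.keys(submission)) {
    if (!rules.some((r) => r.name === key)) errors.push(`${key}: unexpected field`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample rule table, standing in for what an admin would configure.
const PROFILE_RULES = [
  { type: "text", name: "nickname", maxLength: 30, allowed: /^[A-Za-z0-9 _.-]*$/ },
  { type: "email", name: "contact", maxLength: 254 },
  { type: "link", name: "channel", maxLength: 200, hosts: ALLOWED_LINK_HOSTS },
  { type: "multiselect", name: "genres", maxChoices: 3, options: ["rock", "jazz", "folk", "pop", "blues"] },
];

// Constructed sample submissions: one as a well-behaved form would send it, one that
// breaks every limit (too long, markup characters, malformed email, non-https link, 4 of max 3).
const GOOD_SUBMISSION = { nickname: "play_musician", contact: "me@example.com",
  channel: "https://www.youtube.com/watch?v=D3f6jlXt2sY", genres: ["rock", "jazz"] };
const BAD_SUBMISSION = { nickname: "<script>alert(1)</script>".repeat(40), contact: "me@@example",
  channel: "javascript:alert(1)", genres: ["rock", "jazz", "folk", "pop"] };

console.log(validateProfile(PROFILE_RULES, GOOD_SUBMISSION));
console.log(validateProfile(PROFILE_RULES, BAD_SUBMISSION));
```

Because the rule table is plain data, the same object can be shipped to the browser for immediate feedback and loaded on the server for the authoritative check; the "reset the input box" behaviour the post asks for is then just the client's reaction to a non-empty error list.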
    • 275 posts
    October 7, 2018 7:40 PM EDT

    This would include validation of search boxes like these, including TinyMCE forms etc.

    The goal is to make a hack-proof, secure, robust site for admins and users,

    - with technical documentation provided to admins / businesses, so they know how to protect their sites when they go live and secure payments and subscriptions.


    This post was edited by playmusician at October 7, 2018 8:23 PM EDT
    • Moderator
    • 6923 posts
    October 8, 2018 4:44 AM EDT

    Please remember that a feature request is one item. Please see the stickied post for how to submit feature requests and have each request a separate item.

    • 275 posts
    October 8, 2018 12:19 PM EDT

    I am definitely going to file a feature request for Form Validation, though I think this is such a critical thing for the security of a site, as stated above,

    and should be taken up as utmost priority by you guys.

    I have noted everything above - a site can easily be hacked.

    The goal is to make a hack-proof, secure, robust site for admins and users,

    - with technical documentation provided to admins / businesses, so they know how to protect their sites when they go live and secure payments and subscriptions.

    How can we accept payments from users when we know that the site is vulnerable?

    I am a little dissatisfied, as I think Form Validation & Profile Field Validation are not being taken seriously enough.

    A user can easily hack/break the site by posting scripts in input boxes without form validation.


    This post was edited by playmusician at October 8, 2018 12:36 PM EDT
    • Moderator
    • 6923 posts
    October 8, 2018 1:21 PM EDT

    No they can't. The parser would take care of that. If you are able to hack your site and post code via the input box, please send us the details in a private ticket as hack issues should be sent that way so as not to cause other sites to get hacked while it's being fixed. 

    • 275 posts
    October 8, 2018 1:39 PM EDT

    Yes they can, check my video below.

    Sorry, not trying to be difficult, but I see this as a serious problem and my intention is to help fix it.

    Rather than go through that process of testing,

    wouldn't it be easier to just cap the number of characters and disallow certain characters,

    - just like any other form validation nowadays?

    Example:

    A user can just copy 2 pages of text and paste it in the input box.

    That right there is not standard practice.

    Thanks


    This post was edited by playmusician at October 8, 2018 2:59 PM EDT
    • 275 posts
    October 8, 2018 2:09 PM EDT

    Without really even trying...

    Here's an example of how vulnerable the site is without standard form validation throughout the site.

    A simple test for form validation on my site.

    ---------------------------------------------

    https://www.youtube.com/watch?v=D3f6jlXt2sY

    It's a very serious and critical part of keeping sites secure.

    Without Form Validation throughout the site, a site is an open door ready to be hacked.

    Thanks


    This post was edited by playmusician at October 8, 2018 2:55 PM EDT
    • 275 posts
    October 8, 2018 2:16 PM EDT

    I would suggest server-end (PHP) and JavaScript (front-end) validation to start making the site secure.

    It's a basic minimum requirement.

     

    reference reading

    https://formsmarts.com/form-validation

    Why is Form Validation Needed?

    Form validation is required to prevent web form abuse by malicious users. Improper validation of form data is one of the main causes of security vulnerabilities. It exposes your website to attacks such as header injections, cross-site scripting, and SQL injections.

    • header injection attacks can be used to send email spam from your web server
    • cross-site scripting may allow an attacker to post any data to your site
    • SQL injection may corrupt your database backend

    Form data validation is not trivial, because it depends on the 

     


    This post was edited by playmusician at October 8, 2018 2:16 PM EDT
    • 275 posts
    October 8, 2018 3:03 PM EDT

     Without a need for 50 FRs... this is one issue, which is Form Validation throughout the site.

    What is needed is that ANY form on the site (including profile qtn fields, TinyMCE editor, etc., any input or upload forms)

    needs to be validated (server side - PHP, and client side - JavaScript).

    That's the only way we can safely say the site is secure and not open to hackers.

    This is standard practice and a basic requirement for any site.


    This post was edited by playmusician at October 8, 2018 3:04 PM EDT
    • 275 posts
    October 8, 2018 3:47 PM EDT

    Why we need both client-side and server-side validation

    https://www.youtube.com/watch?v=ZPWxEg5qAhw


    This post was edited by playmusician at October 17, 2018 5:50 PM EDT
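The point the linked video makes, that client-side validation is a convenience and server-side validation is the real control, comes down to the fact that the server only ever sees a raw request body, which anyone can assemble without touching the form. The following added example (not code from the thread or the forum software) shows a server-side handler applying the same limits to that raw body, and keeps two separate controls apart: validating the input, which rejects it, and escaping it for display, which neutralises markup but does nothing about length or choice limits. The field names, limits and the two sample bodies are constructed for the example.

```javascript
// Added example, not code from the thread or the forum software. Shows why the browser-side
// check alone is not enough: the server receives a raw request body that can be built without
// the form, so the limits must be enforced again here. Field names, limits and the sample
// request bodies are constructed for this example.

const MAX_BIO_CHARS = 200;
const MAX_GENRES = 3;
const GENRE_OPTIONS = ["rock", "jazz", "folk", "pop", "blues"];

// Minimal HTML escaping for echoing stored text into a page. This is an output control:
// it makes markup inert on display but does not limit length or number of choices.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side handler for an application/x-www-form-urlencoded body.
// Returns an HTTP-like result; `stored` is only set when every check passed.
function handleProfileUpdate(rawBody) {
  const params = new URLSearchParams(rawBody);
  const bio = params.get("bio") ?? "";
  const genres = params.getAll("genre"); // a multi-select arrives as repeated keys
  const errors = [];

  if (bio.length > MAX_BIO_CHARS) errors.push(`bio exceeds ${MAX_BIO_CHARS} characters`);
  if (genres.length > MAX_GENRES) errors.push(`more than ${MAX_GENRES} genres selected`);
  const unknown = genres.filter((g) => !GENRE_OPTIONS.includes(g));
  if (unknown.length) errors.push(`unknown genre values: ${unknown.join(", ")}`);

  if (errors.length) return { status: 400, errors };
  // Store the validated text as entered; escape at output time, not at storage time.
  return { status: 200, stored: { bio, genres }, display: escapeHtml(bio) };
}

// Constructed: what the browser form sends after its own check passed.
const FROM_FORM = "bio=Hello+from+the+stage&genre=rock&genre=jazz";
// Constructed: a body assembled outside the browser, so the client-side check never ran.
const CRAFTED = "bio=" + encodeURIComponent("<script>alert(1)</script>".repeat(50)) +
  "&genre=rock&genre=jazz&genre=folk&genre=pop&genre=admin";

console.log(handleProfileUpdate(FROM_FORM));
console.log(handleProfileUpdate(CRAFTED));
```

The crafted body fails three independent checks (length, number of choices, an option the form never offered) before any escaping is considered; a short bio such as `I <3 jazz` passes validation and is stored verbatim, with the `<` escaped only when it is rendered.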
    • 119 posts
    March 2, 2019 9:12 PM EST

    JavaScript is not fully supported by all browsers, e.g. .innerText is not supported by Firefox. You use .innerText to check if a value could be empty. It works in IE and Chrome but not in Firefox, and there are plenty more examples which are not working correctly.

    All input from a member goes through a parser here where code is stripped and/or converted into plain text without special characters. Plain text can be saved in a DB.

    Have a read here: http://php.net/manual/en/function.mysql-real-escape-string.php