TenbyWarrior

Validation against a database?

Feb 5, 2013 4:24 AM

Hi all

We have a 'Bully Button' form on our website which basically allows a student to report that they are being bullied. This form then gets emailed directly to their Head of Year to be dealt with. We've been getting students abusing this form so we basically want to set up some validation to make sure the reports from the Bully Button are genuine and not a whole page of profanities!!

What I've decided to do is get the student who is reporting the bullying to enter his/her date of birth. This will then be checked against their name and if correct, the form will submit.

I'm not sure how to implement this. I've created an online SQL Database of the students' Names and Dates of Birth in our Hosting Control Panel and connected to it in Dreamweaver (CS6) but am not sure how to do the validation. I guess it's along the same principles as checking a password against a name?

Any help would be greatly appreciated.

Thanks in advance.

 
Replies
  • Feb 5, 2013 6:34 AM   in reply to TenbyWarrior

    Part of using forms on your site is the potential for abuse. Bear in mind, the harder you make it for someone to use your form for legitimate purposes, the fewer legitimate submissions you'll receive.

     

    This also probably wouldn't reduce the spam submissions by students playing with the system. I can still remember the birthdates of quite a few of my classmates and it's been almost 20 years since high school.

    You would likely be better off just setting up an email rule to toss offensive language submissions into a junk folder (this can also be done with PHP before it reaches your email client; many form scripts have it built in but turned off by default). That way, the students using the system for its intended purpose would have one less step and those playing with the system would have no effect on your email.
  • Feb 5, 2013 7:11 AM   in reply to TenbyWarrior

    PHP (or another server scripting language) is 100% required if you want to access a database to verify usernames and passwords from a web page in this manner.

     

    Any other verification method not involving a server side scripting language, javascript for example, would leave the usernames and passwords open to theft by viewing the source code of the page.
  • Feb 5, 2013 7:27 AM   in reply to TenbyWarrior

    Please don't take offense to this, but ASP is the "or another server scripting language" from my post above in your situation.

     

    EDIT: You also would need to validate both the username and password (child's name and birthdate) together, since you wouldn't want it to work with a random name and birth date.
  • Feb 5, 2013 8:43 AM   in reply to TenbyWarrior

    All you need to do is query the database for the information. There are a lot of variables in between which make it hard to just give you an answer. For instance, how is the date stored (timestamp vs number; are conversions needed)?

    The thing to consider here first is privacy. If students are supposed to be doing this anonymously I would forego any of this project, because anyone can look up someone else's birthday on Facebook to act as someone else, which is not secure at all and leaves you open to all kinds of forgery issues.

    Are you using a Windows Network throughout the school? If so, simply having a student logged into a computer would allow you to track a form submission by the Windows login identity. I would think this would meet security standards for a school since none of this information should be available to a forward facing server and would need to be queried within a secure school network. However, if students can go onto a library computer and be able to use it without an individual login, then that would defeat this as well.
  • Feb 6, 2013 9:48 AM   in reply to TenbyWarrior

    > I know how to write the code required but am not sure where to implement it when the submit button is clicked

    You don't need a stored procedure. You simply need to query the database in your ASP/VBScript by passing the Name and birthdate from the form to the script and use that in a SELECT statement WHERE clause. Do you understand how HTML forms work?
  • Feb 6, 2013 6:21 PM   in reply to TenbyWarrior

    First of all, I hope that those are not actual database connection details.  You should never post real connection details online, especially for a database that contains personal information about children.

     

    Next, your query is susceptible to SQL injection. You need to read about how to prevent them by validating all data passed in and/or using parameterized queries.

    Once you've got that solved, you'll want to use a response redirect to send the users to either a failed page that shows the error, or a success page that processes the email. You can't output anything using response.write prior to a redirect.
  • Feb 6, 2013 11:36 PM   in reply to TenbyWarrior

    > However, I'm still in the dark as to why my code still allows the form to be mailed.

    Because you have nothing in your code to stop it. Your test for an empty recordset only sends the user back using client side code - but does not stop the server side code from executing. Perhaps you meant to use an 'else' rather than the 'End If' to conditionally process the email, but I would use a response.redirect instead as I already suggested.
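As an added illustration of the advice in the replies above (the name-and-birthdate lookup in a WHERE clause, the parameterized query instead of string concatenation, and the missing 'else' that let the mail code run after a failed check), here is example code written for this page. It is not the original poster's ASP script and not Dreamweaver or Adobe code; it uses Python with an in-memory SQLite table standing in for the hosted student database. The two sample rows, the `handle_submission` function, its `form` dictionary (standing in for ASP's `Request.Form`) and the `/failed.html` redirect target are all constructed assumptions, as is storing the date of birth as ISO text. The concatenated query is shown only to demonstrate the failure: a real surname with an apostrophe breaks it, which is the same parsing problem that makes it injectable, while the bound-parameter version treats the identical input as plain data. The handler returns a redirect on every path except a confirmed match, so the email step is only reached from the success branch.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows; the real table lives in the poster's hosting control panel.
STUDENTS = [
    ("Alice Example", "2000-03-14"),
    ("Bob O'Brien", "1999-11-02"),
]


def make_db():
    """Build an in-memory SQLite table standing in for the hosted student database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT NOT NULL, dob TEXT NOT NULL)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    conn.commit()
    return conn


def student_exists_unsafe(conn, name, dob):
    """The pattern the replies warn about: form values pasted straight into the SQL text.
    A legitimate name containing an apostrophe breaks the statement, because quotes in
    the input are read as SQL syntax rather than as part of the value being compared."""
    sql = "SELECT COUNT(*) FROM students WHERE name = '" + name + "' AND dob = '" + dob + "'"
    return conn.execute(sql).fetchone()[0] > 0


def student_exists(conn, name, dob):
    """Parameterized query: the driver binds name and dob as data, so quotes in the
    input can never change the shape of the statement."""
    row = conn.execute(
        "SELECT COUNT(*) FROM students WHERE name = ? AND dob = ?",
        (name, dob),
    ).fetchone()
    return row[0] > 0


def normalize_dob(raw):
    """Validate the date field before it gets near the query: accept yyyy-mm-dd or
    dd/mm/yyyy and return ISO yyyy-mm-dd, or None for anything that is not a date.
    (The thread asks how the date is stored; ISO text is assumed here.)"""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(raw.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    return None


def handle_submission(conn, form):
    """Server-side decision for one Bully Button submission. `form` stands in for
    ASP's Request.Form. Returns ("send", message) only when the name/dob pair matches
    a row; every other path returns ("redirect", url), so the mail-sending code is
    never reached on a failed check (the missing 'else' the last reply describes)."""
    name = form.get("name", "").strip()
    dob = normalize_dob(form.get("dob", ""))
    if not name or dob is None:
        return ("redirect", "/failed.html")
    if not student_exists(conn, name, dob):
        return ("redirect", "/failed.html")
    return ("send", form.get("message", "").strip())


if __name__ == "__main__":
    db = make_db()
    # Matching pair: the only path that reaches the email step.
    print(handle_submission(db, {"name": "Alice Example", "dob": "14/03/2000", "message": "constructed report"}))
    # Wrong date of birth: redirected, nothing is mailed.
    print(handle_submission(db, {"name": "Alice Example", "dob": "15/03/2000", "message": "constructed report"}))
    # The bound-parameter query copes with an apostrophe in a real name; the concatenated one does not.
    print(student_exists(db, "Bob O'Brien", "1999-11-02"))
    try:
        student_exists_unsafe(db, "Bob O'Brien", "1999-11-02")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
```

The same split applies in classic ASP: an ADODB.Command with `?` placeholders and appended parameters plays the role of the bound query, and `Response.Redirect` on the failure branch plays the role of the `("redirect", ...)` return, so the code that builds and sends the email sits only after a confirmed match.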
