Baraa

Reputation: 697

Do I need to secure a form that is not connected to a database

I have read about security issues when it comes to sql injections and so on.

I am not too familiar with security vulnerabilities in input fields.

I currently have a form that takes in inputs (they are validated through a regex); for example, an email validation would be the following:

// Client-side check: returns true if the field with the given id matches the regex.
function isValidEmail(idName) {
    if(/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i.test(document.getElementById(idName).value)){
        return true;
    }else{
        return false;
    }
}

These values are not connected to the database and are only used in a PHP script. Are there any security vulnerabilities that I need to be aware of? Or, by using regex validations, am I safe against vulnerabilities?

Any information is much appreciated,

Thank you, Al

Upvotes: 2

Views: 122

Answers (1)

tworabbits

Reputation: 1213

Yes. You should definitely not rely on the client-side validation through the JavaScript regex in case you are interested in having a valid email (at least valid against your regex) on the server side. Imagine somebody changing the client-side code to the following (just one option of thousands :)):

// Tampered client-side check: every input is reported as valid.
function isValidEmail(idName) {
    if(/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i.test(document.getElementById(idName).value)){
        return true;
    }else{
        // CHANGED:
        return true;
    }
}

And to generally answer your question: I think in almost all cases where you use input sent by the client in your PHP code, you need a kind of input filtering/sanitization, but you cannot really generalize this task. That's why there is no generally valid sanitize() function out there, since it always depends on how you use the input on the server side.

An approach in your case could be to validate the input again against the same regex via PHP, or to use PHP's filter_var() in combination with the FILTER_VALIDATE_EMAIL filter.

UPDATE

I just found again a very nice article about input validation which helped me a lot: Input validation

Upvotes: 5
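The server-side half that the answer recommends, as an added example (this is not code from the question or the answer). It ports the question's regex to PCRE, shows the filter_var() alternative, treats the request field as untrusted (it may be missing, or an array, since anything that can send an HTTP request, such as curl or browser dev tools, can ignore the client-side JavaScript entirely), and separates validation from output encoding, since what "sanitizing" means depends on where the value ends up. The field name email and the sample submissions are constructed for the demo.

```php
<?php
// Added example (not from the original question or answer): re-validating a
// form field on the server in PHP. The field name "email" and the sample
// submissions below are constructed for the demo.
declare(strict_types=1);

// The same pattern the client-side JavaScript uses, ported to PCRE.
// The D modifier makes $ match only at the very end of the string; without it
// PCRE also accepts a trailing "\n", which the JavaScript regex would reject.
const EMAIL_REGEX = '/^([\w-]+(?:\.[\w-]+)*)@((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/iD';

/**
 * Validate an e-mail address with the same regex the browser uses, but on the
 * server, where the client cannot tamper with the check. Returns the address
 * unchanged on success and null on failure.
 */
function validateEmailRegex(string $raw): ?string
{
    return preg_match(EMAIL_REGEX, $raw) === 1 ? $raw : null;
}

/** The same check using PHP's built-in filter, as the answer suggests. */
function validateEmailFilter(string $raw): ?string
{
    $result = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

/**
 * Pull the field out of the request array ($_POST in a real handler).
 * The value can be anything: the browser-side JavaScript may have been
 * edited, or the request may not come from a browser at all.
 */
function readEmailField(array $post, callable $validator): ?string
{
    if (!isset($post['email']) || !is_string($post['email'])) {
        return null; // missing, or an array smuggled in via email[]=...
    }
    return $validator($post['email']);
}

/**
 * Output encoding is a separate step from validation: even a value that
 * passed validation must be escaped for the context it is written into
 * (here an HTML page). For a different sink, e.g. a mail header or a shell
 * command, a different escaping routine would be needed.
 */
function renderConfirmation(?string $email): string
{
    if ($email === null) {
        return '<p>Please enter a valid e-mail address.</p>';
    }
    return '<p>Thanks, ' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample submissions standing in for $_POST in a real request.
$samples = [
    ['email' => 'al@example.com'],
    ['email' => 'al@example.com' . "\n"],               // trailing newline
    ['email' => '<script>alert(1)</script>@example.com'], // markup in local part
    ['email' => ['x' => 'y']],                            // array instead of string
    [],                                                   // field absent
];

foreach ($samples as $post) {
    $shown = isset($post['email']) ? json_encode($post['email']) : '(absent)';
    $viaRegex  = readEmailField($post, 'validateEmailRegex');
    $viaFilter = readEmailField($post, 'validateEmailFilter');
    printf("%-45s regex=%-6s filter=%s\n",
        $shown,
        $viaRegex === null ? 'reject' : 'ok',
        $viaFilter === null ? 'reject' : 'ok');
    echo '  ', renderConfirmation($viaFilter), "\n";
}
```

Run it with `php validate.php`. The two validators agree on these inputs, but they are not identical in general (the regex is stricter about the TLD, filter_var() follows the RFC more closely), so pick one and apply it consistently; and keep the rule the answer states in mind: passing validation says the value looks like an address, not that it is safe to drop into HTML, a mail header, or a command line without escaping for that context.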
