Does GravityForm do server-side validation?

According to this forum post, Gravity Form indeed does server-side validation. But I am still able to inject the POST request right before the submission to change the value.

I feel that there is a need to do server-side validation to minimise security risk, but there are no available plugins or open source code.

What are you injecting in the $_POST? Is it a security issue, or just that the $_POST can be modified? Do you have an example use-case or concern?

Hi Chris,

Thanks you for your reply. Yes, there is a security risk where malicious code/command can be injected into each field on submission as there is no backend validation done. I am currently using a tool to inject the request.


=cmd|'/C calculator.exe'!A0
Content-Disposition: form-data; name="input_19"

Thank you for the clarification. Can you please submit a support ticket here?

Thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.