
View Full Version : Form Security Question



four0four
09-22-2009, 12:17 AM
I'm trying to secure my forms by sanitizing all user input.

However, one thing I'm still confused about is whether non-input elements need to be sanitized as well?

For example, if I had a hidden form field that writes a random validation key from a session, such as:



<input type="hidden" name="key" value="xxxxxxxxxx">


OR, if I have a checkbox such as:



<input type="checkbox" name="checkbox1" value="c1">



Would I need to sanitize these elements since the form is being processed? Would they be vulnerable to any attacks?

If so, how would I sanitize the input to filter out anything unexpected?

Thanks!

CFMaBiSmAd
09-22-2009, 12:39 AM
Every external variable that your code receives - $_COOKIE, $_GET, $_POST, and a few of the $_SERVER variables - can be set to anything and cannot be trusted.

A hacker will attempt to set any of them to all kinds of values, strings, HTML encoded values, hex encoded values, URLs, raw php code, sql statements, javascript... in an attempt to find a weakness in your script that would allow him to break in or trigger errors to learn more information about your server or your script.

So, yes, you need to validate and protect every external $_COOKIE, $_GET, and $_POST variable that your code uses to make sure it only contains expected values.

four0four
09-22-2009, 12:59 AM
I see, that's what I figured.

I'm using:



if (isset($_POST['checkbox1'])) {
//execute some code
}


and...



if (isset($_SESSION['key']) && $_POST['key'] == $_SESSION['key']) {
//execute some code
}



The question is, how exactly would I sanitize or check these elements? An example would be very helpful. :)

CFMaBiSmAd
09-22-2009, 01:22 AM
The code you posted is safe, but what about the "//execute some code." What is it doing with the external values that could lead to sql injection, mail header injection, php/javascript code injection...?

In general, if you expect only a specific type of value (numeric, alphabetic, alpha-numeric, punctuation..), a specific range of values, a specific format (like an email)... you need to check for those specific characteristics. For things like sql injection in string data, you need to escape the data. For things like injected javascript and HTML, you need to convert the content to htmlentities when you output it...
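The two halves of that advice, as an added example that is not code from this thread: values with a known shape (a number in a range, an email address) are checked against that shape and rejected otherwise, while free-form text is kept as-is and escaped for the context it goes into, a prepared statement for SQL and htmlspecialchars for HTML at output time. The `$request` array is a constructed stand-in for `$_POST`, and the database is an in-memory SQLite via PDO (assumed available) so it runs without a server.

```php
<?php
// Added example, not code from the thread. Validate values that have an
// expected shape; escape free-form text per output context.

// Constructed sample request, standing in for $_POST.
$request = [
    'age'     => '27',
    'email'   => 'user@example.com',
    'comment' => "Nice site! <script>alert('x')</script> O'Brien",
];

// Values with a known shape: check the shape, reject anything else.
function validate_int($value, $min, $max) {
    // ctype_digit fails on signs, spaces, decimals and non-strings (arrays).
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

function validate_email($value) {
    if (!is_string($value)) {
        return null;
    }
    $v = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

$age     = validate_int($request['age'], 0, 150);
$email   = validate_email($request['email']);
// Free-form text: only a length limit can be enforced, the content cannot
// be whitelisted without destroying legitimate input such as O'Brien.
$comment = is_string($request['comment']) ? substr($request['comment'], 0, 1000) : null;

if ($age === null || $email === null || $comment === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid input');
}

// SQL context: a prepared statement, so the value is never part of the
// query text and needs no manual escaping.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (age INTEGER, email TEXT, body TEXT)');

$stmt = $db->prepare('INSERT INTO comments (age, email, body) VALUES (:age, :email, :body)');
$stmt->execute([':age' => $age, ':email' => $email, ':body' => $comment]);

// HTML context: escape at output, not at input, so the stored text stays
// intact and the same value can later go to e.g. an email or a log unescaped.
foreach ($db->query('SELECT age, email, body FROM comments') as $row) {
    printf("<li>%s (%d): %s</li>\n",
        htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'),
        $row['age'],
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'));
}
```

The point of escaping at output rather than at input is that the escaping depends on where the value ends up: the same comment needs htmlspecialchars for a page, a bound parameter for the database, and neither for a plain-text log line.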

four0four
09-22-2009, 01:37 AM
I see, so I take it I would need to use something like preg_replace for both of my code examples?

For both examples, I would only be expecting alpha-numeric values.

I tried sanitizing:



if (isset($_SESSION['key']) && $_POST['key'] == $_SESSION['key']) {
//execute some code
}


but how do I sanitize the "key" data "before" checking if the session data matches the post data?

I tried something like:




$strip_array = array("*" => "", "!" => "", "$" => "", "`" => "", "," => "",
    "~" => "", "|" => "", ";" => "", "^" => "", "(" => "",
    ")" => "", "[" => "", "]" => "", "{" => "", "}" => "", "<" => "",
    ">" => "", "@" => "", "'" => "", "\"" => "", "\\" => "");

$clean = strtr($_POST['key'], $strip_array);

if (isset($_SESSION[$clean]) && $_POST[$clean] == $_SESSION[$clean]) {
//execute some code
}


but it doesn't work. Any ideas?

MattF
09-22-2009, 01:43 AM
You're doing that the cockeyed way around for starters. Don't blacklist. You will forget something at some point in time. Whitelist. Start from a point where everything is banned and only allow what you need, not vice-versa.

For example, to strip anything other than alpha-numeric characters:



$post_key = preg_replace('#[^\d\w]#i', '', $_POST['key']);

four0four
09-22-2009, 02:03 AM
You're doing that the cockeyed way around for starters. Don't blacklist. You will forget something at some point in time. Whitelist. Start from a point where everything is banned and only allow what you need, not vice-versa.

For example, to strip anything other than alpha-numeric characters:



$post_key = preg_replace('#[^\d\w]#i', '', $_POST['key']);


Ah ok, that makes more sense.

Maybe I'm over-complicating things, but how would I check the session key "before" running it through an IF statement?

I tried this:



$post_key = preg_replace('#[^\d\w]#i', '', $_POST['key']);

if (isset($_SESSION[$post_key]) && $_POST[$post_key] == $_SESSION[$post_key]) {
//execute some code
}


but it still doesn't work.

MattF
09-22-2009, 02:07 AM
$post_key = preg_replace('#[^\d\w]#i', '', $_POST['key']);

if (isset($_SESSION['key']) && $post_key != '' && $post_key == $_SESSION['key'])
{
[code here]
}

four0four
09-22-2009, 05:55 AM
$post_key = preg_replace('#[^\d\w]#i', '', $_POST['key']);

if (isset($_SESSION['key']) && $post_key != '' && $post_key == $_SESSION['key'])
{
[code here]
}


Thank you! That works great.

Quick question about the code and how it works...

What does the $post_key != '' part do?

Phil Jackson
09-22-2009, 07:55 AM
same as


!empty($post_key)

! generally means "not", as in 'not empty' or 'not equalling "" (nothing)'.

four0four
09-22-2009, 08:54 AM
same as


!empty($post_key)

! generally means "not", as in 'not empty' or 'not equalling "" (nothing)'.

I see, so it's saying don't execute the code if "$post_key" is empty?

Phil Jackson
09-22-2009, 09:16 AM
if (isset($_SESSION['key']) && $post_key != '' && $post_key == $_SESSION['key'])


if a session called key is set (whether it is empty or not) and $post_key is not empty and they both equal the same, continue.
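Putting the whole thread together, as an added example that is not code posted by anyone in it: the session key is generated and written into the hidden field, the checkbox is checked against the fixed set of values the form actually offers, and MattF's whitelisted comparison is applied with the empty-string case handled explicitly. The three sample submissions at the bottom are constructed stand-ins for real `$_POST` data; `random_bytes` and `hash_equals` assume PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Per-session key in a hidden
// field, checkbox with a fixed value set, whitelisted comparison.

session_start();

// Issue the key: random bytes, hex encoded, so the value is already
// alphanumeric and passes the whitelist filter unchanged.
if (!isset($_SESSION['key'])) {
    $_SESSION['key'] = bin2hex(random_bytes(16));   // PHP 7+
}

// Render the form. The key is escaped even though we generated it, so the
// template never has to know where a value came from.
function render_form($key) {
    $k = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="key" value="' . $k . '">'
         . '<input type="checkbox" name="checkbox1" value="c1"> Option 1'
         . '<input type="submit"></form>';
}

// Process the hidden key (MattF's check, with each condition spelled out).
function key_is_valid(array $post, array $session) {
    if (!isset($session['key']) || $session['key'] === '') {
        return false;                 // no key issued: nothing can legitimately match
    }
    if (!isset($post['key']) || !is_string($post['key'])) {
        return false;                 // missing, or sent as key[] (an array, not a string)
    }
    // Whitelist: keep [A-Za-z0-9_], drop everything else. \d is already
    // inside \w, so the pattern is the same as MattF's '#[^\d\w]#i'.
    $post_key = preg_replace('#[^\d\w]#i', '', $post['key']);
    if ($post_key === '') {
        return false;                 // the $post_key != '' part: an all-junk key must
                                      // never compare equal to an empty session key
    }
    // Strict, constant-time comparison. == would treat numeric-looking
    // strings such as '1e3' and '1000' as equal.
    return hash_equals($session['key'], $post_key);
}

// Process the checkbox: absent when unticked, and when present the value
// must be one we put in the form. strict=true also rejects arrays.
function checkbox_is_valid(array $post) {
    $allowed = ['c1'];
    return isset($post['checkbox1']) && in_array($post['checkbox1'], $allowed, true);
}

echo render_form($_SESSION['key']), "\n";

// Constructed sample submissions standing in for $_POST.
$good     = ['key' => $_SESSION['key'], 'checkbox1' => 'c1'];
$junk     = ['key' => '*!*',            'checkbox1' => 'c1'];  // filters to '' -> rejected
$tampered = ['key' => $_SESSION['key'], 'checkbox1' => 'c9'];  // value not in the form

foreach ([$good, $junk, $tampered] as $post) {
    $ok = key_is_valid($post, $_SESSION) && checkbox_is_valid($post);
    echo $ok ? "accepted\n" : "rejected\n";
}
```

One caveat on the `!empty($post_key)` shorthand: in PHP `empty('0')` is true, so a key whose filtered value is the single character "0" would be rejected by empty() but accepted by the `!= ''` test. With a hex key of fixed length that case cannot arise, but it is a difference worth knowing when the two are described as the same.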


