...

View Full Version : Security question about forms



four0four
02-17-2010, 10:24 PM
I've read that all form data needs to be sanitized, validated, filtered, etc.

My question is, does this include the "names" of form elements?

For example:

<input type="text" name="mail" value="">

I have a hunch that it can't be done, but since PHP uses these names to perform certain tasks, I'm not sure if my hunch is correct. Could a user inject code into these names?

Thanks!

MattF
02-17-2010, 11:18 PM
I've read that all form data needs to be sanitized, validated, filtered, etc.

All user supplied *input* needs to be sanitised and validated. Name is an array key. You'll never usually do anything with that other than checking that it's set and that it matches in a statement, and then you use the corresponding *value* if it is, hence it's the value you need to concentrate on.

mlseim
02-17-2010, 11:19 PM
No,
The form (variables) names are OK.
If anyone tries different names, it won't matter, because the PHP script
only looks for the exact variable name that is in the form.

DaiWelsh
02-18-2010, 01:37 PM
Just to extend the point, if a hacker tried to use dodgy field names this would be handled by php itself when it mapped the http submission into the environment your php script runs in. HTML form field names follow some very tight rules, as do php variable names and nothing could come through that could cause you a problem AFAIK (even if you were doing something wierd like dumping keys from $_POST array onto a live site).

You only need to worry about the values of the fields as these are uncontrolled (within reason)

Regards,

Dai

four0four
02-19-2010, 10:29 PM
Thanks everyone for the help! That helps clear up a lot of confusion that I had. :)

So basically the only thing I need to focus on is value data that my script uses.

bdl
02-20-2010, 03:32 AM
One thing I will mention that is marginally related here, and something that popped into my head as I was reading, is that you should take care in your naming conventions. Your form field names should be unique, relevant and not use any token that the browser uses, e.g. "emailInputField" instead of "input", or "formSubBtn" instead of naming the submit button "submit". Due to the fact that these names are actual browser / HTML / DOM element names this can cause problems, especially when using JavaScript to interact with the form data. Whatever naming convention you choose, be consistent.

Something else to consider, don't name your input fields the same as your database fields. If someone is fishing around your site with the intent of using SQL injection to reveal something about your database (or plain out view or destroy data), using the field name "email" is a fairly obvious choice and there's a good chance you simply named your database field "email" as well. Fairly obvious choices to target are "username", "password", etc.

MattF
02-20-2010, 01:29 PM
Something else to consider, don't name your input fields the same as your database fields. If someone is fishing around your site with the intent of using SQL injection to reveal something about your database (or plain out view or destroy data), using the field name "email" is a fairly obvious choice and there's a good chance you simply named your database field "email" as well. Fairly obvious choices to target are "username", "password", etc.

If it's an Open Source solution, they probably already know what the DB fields are called. :D Seriously though, if you class that as a notable consideration, then your input validation and sanitisation are obviously lacking and need attention. That is a prime example of obscurity.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum