  1. #1 Regular Coder

    Form Security Question

    I'm trying to secure my forms by sanitizing all user input.

    However, one thing I'm still confused about is whether non-input elements need to be sanitized as well?

    For example, if I had a hidden form field that writes a random validation key from a session, such as:

    Code:
    <input type="hidden" name="key" value="xxxxxxxxxx">
    OR, if I have a checkbox such as:

    Code:
    <input type="checkbox" name="checkbox1" value="c1">

    Would I need to sanitize these elements since the form is being processed? Would they be vulnerable to any attacks?

    If so, how would I sanitize the input to filter out anything unexpected?

    Thanks!

  • #2 CFMaBiSmAd (Senior Coder)
    Every external variable that your code receives ($_COOKIE, $_GET, $_POST, and a few of the $_SERVER variables) can be set to anything and cannot be trusted.

    A hacker will attempt to set any of them to all kinds of values: strings, HTML-encoded values, hex-encoded values, URLs, raw PHP code, SQL statements, JavaScript... in an attempt to find a weakness in your script that would allow him to break in, or to trigger errors to learn more information about your server or your script.

    So, yes, you need to validate and protect every external $_COOKIE, $_GET, and $_POST variable that your code uses to make sure it only contains expected values.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • Users who have thanked CFMaBiSmAd for this post:

    four0four (09-22-2009)

  • #3 Regular Coder
    I see, that's what I figured.

    I'm using:

    Code:
    // An unchecked checkbox is simply absent from $_POST, so isset() is the right test.
    if (isset($_POST['checkbox1'])) {
        //execute some code
    }
    and...

    Code:
    // Both values must exist before comparing; === avoids PHP's loose
    // comparison, which treats numeric-looking strings as numbers.
    if (isset($_SESSION['key'], $_POST['key']) && $_POST['key'] === $_SESSION['key']) {
        //execute some code
    }

    The question is, how exactly would I sanitize or check these elements? An example would be very helpful.

  • #4 CFMaBiSmAd (Senior Coder)
    The code you posted is safe, but what about the "//execute some code"? What is it doing with the external values that could lead to SQL injection, mail header injection, PHP/JavaScript code injection...?

    In general, if you expect only a specific type of value (numeric, alphabetic, alphanumeric, punctuation...), a specific range of values, a specific format (like an email)... you need to check for those specific characteristics. For things like SQL injection in string data, you need to escape the data. For things like injected JavaScript and HTML, you need to convert the content with htmlentities when you output it...

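    One way to put the advice in #2 and #4 into practice. This is an added example, not code from the thread: it whitelist-validates each field of the form from post #1, binds SQL parameters instead of escaping by hand, and HTML-encodes at output time. The `$pdo` connection, the `prefs` table and the `email` field are assumptions made for the example; the `key` and `checkbox1` fields are the ones from the original form.

```php
<?php
// Added example (not from the thread). Assumptions: $pdo is an existing PDO
// connection with exceptions enabled, the `prefs` table and the `email` field
// exist only for this illustration.
declare(strict_types=1);

/**
 * Validate $post against a whitelist of expected fields.
 * Each rule is a regex the whole value must match, or a Closure that returns
 * true for acceptable input. Fields not listed are ignored; a missing required
 * field or a malformed value rejects the whole request.
 */
function validate_form(array $post, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $post)) {
            // An unchecked checkbox is simply absent, so allow optional fields.
            if (!empty($rule['optional'])) {
                continue;
            }
            throw new InvalidArgumentException("missing field: $field");
        }
        $value = $post[$field];
        // name="key[]" makes PHP deliver an array; only plain strings are acceptable.
        if (!is_string($value)) {
            throw new InvalidArgumentException("non-scalar value for field: $field");
        }
        $ok = $rule['check'] instanceof Closure
            ? (bool) ($rule['check'])($value)
            : preg_match($rule['check'], $value) === 1;
        if (!$ok) {
            throw new InvalidArgumentException("invalid value for field: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Expected shape of every field this handler uses. \A and \z anchor the whole
// string; a trailing "$" alone would still accept a final newline.
$rules = [
    // the hidden key: 64 hex characters, as produced by bin2hex(random_bytes(32))
    'key'       => ['check' => '/\A[0-9a-f]{64}\z/'],
    // the checkbox may only carry the value the form put in it
    'checkbox1' => ['check' => '/\Ac1\z/', 'optional' => true],
    // a "specific format" field, validated with PHP's own e-mail filter
    'email'     => ['check' => fn(string $v): bool => filter_var($v, FILTER_VALIDATE_EMAIL) !== false],
];

session_start();

try {
    $clean = validate_form($_POST, $rules);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}

// Anti-forgery check: constant-time comparison against the value stored in the session.
if (!isset($_SESSION['key']) || !hash_equals($_SESSION['key'], $clean['key'])) {
    http_response_code(403);
    exit('Invalid form key');
}

// SQL: never build the statement from the values; bind them through a prepared statement.
$stmt = $pdo->prepare('INSERT INTO prefs (email, option1) VALUES (:email, :option1)');
$stmt->execute([
    ':email'   => $clean['email'],
    ':option1' => isset($clean['checkbox1']) ? 1 : 0,
]);

// HTML: encode at the point of output; the stored value stays raw.
echo 'Saved preferences for ',
     htmlspecialchars($clean['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

    Note that the checkbox is validated against the exact value the form carried rather than merely tested with isset(): a submission of checkbox1=anything is rejected, and the database receives a 0/1 derived from the validated field, never the raw string.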

  • #5 Regular Coder
    I see, so I take it I would need to use something like preg_replace for both of my code examples?

    For both examples, I would only be expecting alpha-numeric values.

    I tried sanitizing:

    Code:
    if (isset($_SESSION['key'], $_POST['key']) && $_POST['key'] === $_SESSION['key']) {
        //execute some code
    }
    but how do I sanitize the "key" data "before" checking if the session data matches the post data?

    I tried something like:

    Code:
    // Blacklist of characters to delete (strtr replaces each key with "")
    $strip_array = array(
        "*" => "", "!" => "", "$" => "", "`" => "", "," => "",
        "~" => "", "|" => "", ";" => "", "^" => "", "(" => "",
        ")" => "", "[" => "", "]" => "", "{" => "", "}" => "", "<" => "",
        ">" => "", "@" => "", "'" => "", "\"" => "", "\\" => "",
    );

    $clean = strtr($_POST['key'], $strip_array);

    // $clean is used here as the array index, so this looks up
    // $_SESSION["<submitted value>"] rather than $_SESSION['key']
    if (isset($_SESSION[$clean]) && $_POST[$clean] == $_SESSION[$clean]) {
        //execute some code
    }
    but it doesn't work. Any ideas?

  • #6 MattF (Senior Coder)
    You're doing that the cockeyed way around for starters. Don't blacklist. You will forget something at some point in time. Whitelist. Start from a point where everything is banned and only allow what you need, not vice-versa.

    For example, to strip anything other than alpha-numeric characters:

    Code:
    // Whitelist: delete every character that is not a word character.
    // (\w already covers \d and the underscore, so the class is effectively [^\w];
    // the ?? '' guards against the field being absent from $_POST.)
    $post_key = preg_replace('#[^\d\w]#i', '', $_POST['key'] ?? '');
    Last edited by MattF; 09-22-2009 at 01:45 AM.


  • #7 Regular Coder
    Quote Originally Posted by MattF View Post
    You're doing that the cockeyed way around for starters. Don't blacklist. You will forget something at some point in time. Whitelist. Start from a point where everything is banned and only allow what you need, not vice-versa.

    For example, to strip anything other than alpha-numeric characters:

    Code:
    // Whitelist: delete every character that is not a word character.
    // (\w already covers \d and the underscore, so the class is effectively [^\w];
    // the ?? '' guards against the field being absent from $_POST.)
    $post_key = preg_replace('#[^\d\w]#i', '', $_POST['key'] ?? '');
    Ah ok, that makes more sense.

    Maybe I'm over-complicating things, but how would I check the session key "before" running it through an IF statement?

    I tried this:

    Code:
    $post_key = preg_replace('#[^\d\w]#i', '', $_POST['key'] ?? '');

    // Still indexing both arrays by the submitted value instead of by 'key'
    if (isset($_SESSION[$post_key]) && $_POST[$post_key] == $_SESSION[$post_key]) {
        //execute some code
    }
    but it still doesn't work.

  • #8 MattF (Senior Coder)
    Code:
    $post_key = preg_replace('#[^\d\w]#i', '', $_POST['key'] ?? '');

    // The session key must exist, the stripped value must be non-empty,
    // and the two must be identical (=== avoids loose numeric comparison).
    if (isset($_SESSION['key']) && $post_key != '' && $post_key === $_SESSION['key'])
    {
        // code here
    }

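    The strip-then-compare pattern in #6 and #8 works, but for a value that is compared against a known secret a practitioner would usually reject malformed input outright rather than repair it. The following is an added example, not code from MattF or the thread; it shows the whole life of the hidden key from post #1: generating it from the CSPRNG when the form is rendered, validating the submitted value against an exact whitelist, and comparing in constant time. The function names are hypothetical, and the arrays passed in stand in for $_SESSION and $_POST so the self-check runs from the command line.

```php
<?php
// Added example (not from the thread). issue_form_key() and verify_form_key()
// are hypothetical names; $session and $post stand in for $_SESSION and $_POST.
declare(strict_types=1);

/** Called when the form is rendered: store a fresh random key in the session. */
function issue_form_key(array &$session): string
{
    // 32 bytes from the CSPRNG, hex-encoded: 64 characters from [0-9a-f]
    $session['key'] = bin2hex(random_bytes(32));
    return $session['key'];
}

/**
 * Called when the form is processed. Returns true only if a key was issued to
 * this session and the submitted key is well-formed and identical to it.
 */
function verify_form_key(array $session, array $post): bool
{
    // Nothing to compare against: the form was never issued to this session.
    if (!isset($session['key']) || !is_string($session['key'])) {
        return false;
    }
    // Whitelist, but reject instead of strip. preg_replace('#[^\d\w]#', '', ...)
    // would silently turn "abc<script>" into "abcscript" and "!!!" into "",
    // which is why the thread's version needs the extra $post_key != '' test.
    // Here a key with any stray character, or of the wrong length, simply fails.
    if (!isset($post['key']) || !is_string($post['key'])
        || preg_match('/\A[0-9a-f]{64}\z/', $post['key']) !== 1) {
        return false;
    }
    // Constant-time comparison. Loose == would also be wrong here: PHP compares
    // two numeric-looking strings as numbers, so '0e1' == '0e2' is true.
    return hash_equals($session['key'], $post['key']);
}

// Self-check with constructed inputs standing in for $_SESSION and $_POST.
$session = [];
$key = issue_form_key($session);
$cases = [
    'genuine submission'                   => [$session, ['key' => $key], true],
    'field missing'                        => [$session, [], false],
    'empty value'                          => [$session, ['key' => ''], false],
    'extra characters (rejected, not stripped)' => [$session, ['key' => $key . '<script>'], false],
    'array submitted via key[]=x'          => [$session, ['key' => ['x']], false],
    'no key issued to this session'        => [[], ['key' => $key], false],
    'numeric-looking strings are not equal' => [['key' => str_pad('0e1', 64, '0')], ['key' => str_pad('0e2', 64, '0')], false],
];
foreach ($cases as $name => [$s, $p, $expected]) {
    if (verify_form_key($s, $p) !== $expected) {
        throw new RuntimeException("self-check failed: $name");
    }
}
echo "all checks passed\n";
```

    Two design notes. First, the `[^\d\w]` class in the thread keeps the underscore and, with the `i` flag, is just `\W`; anchoring an exact pattern with `\A...\z` states precisely what a valid key looks like and nothing else gets through. Second, if the key is meant to be single-use, call issue_form_key() again after a successful verify_form_key() so the old value cannot be replayed.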

  • #9 Regular Coder
    Quote Originally Posted by MattF View Post
    Code:
    $post_key = preg_replace('#[^\d\w]#i', '', $_POST['key'] ?? '');

    // The session key must exist, the stripped value must be non-empty,
    // and the two must be identical (=== avoids loose numeric comparison).
    if (isset($_SESSION['key']) && $post_key != '' && $post_key === $_SESSION['key'])
    {
        // code here
    }
    Thank you! That works great.

    Quick question about the code and how it works...

    What does the $post_key != '' part do?

  • #10 Phil Jackson (Senior Coder)
    Same as

    PHP Code:
    !empty($post_key)
    ! generally means "not", as in 'not empty' or 'not equalling "" (nothing)'.
    Website Design Mansfield
    PHP Code:
    function I_LOVE(){function b(&$b='P'){$b.='P';}function a($_){return $_++;}$b='P';define("B",'H');b($b=implode('',array($b=a($b),$b=a(B))));b($b);return $b;}
    echo 
    I_LOVE(); 

  • #11 Regular Coder
    Quote Originally Posted by Phil Jackson View Post
    Same as

    PHP Code:
    !empty($post_key)
    ! generally means "not", as in 'not empty' or 'not equalling "" (nothing)'.
    I see, so it's saying don't execute the code if "$post_key" is empty?

  • #12 Phil Jackson (Senior Coder)
    PHP Code:
    if (isset($_SESSION['key']) && $post_key != '' && $post_key === $_SESSION['key'])
    If a session called key is set (whether it is empty or not) and $post_key is not empty and they both equal the same, continue.