  1. #1
    Regular Coder
    Join Date
    Jun 2008
    Posts
    104
    Thanks
    71
    Thanked 0 Times in 0 Posts

    Security question about forms

    I've read that all form data needs to be sanitized, validated, filtered, etc.

    My question is, does this include the "names" of form elements?

    For example:

    <input type="text" name="mail" value="">

    I have a hunch that it can't be done, but since PHP uses these names to perform certain tasks, I'm not sure if my hunch is correct. Could a user inject code into these names?

    Thanks!

  • #2
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Originally Posted by four0four:
    I've read that all form data needs to be sanitized, validated, filtered, etc.
    All user supplied *input* needs to be sanitised and validated. Name is an array key. You'll never usually do anything with that other than checking that it's set and that it matches in a statement, and then you use the corresponding *value* if it is, hence it's the value you need to concentrate on.

  • Users who have thanked MattF for this post:

    four0four (02-24-2010)

  • #3
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,472
    Thanks
    8
    Thanked 1,085 Times in 1,076 Posts
    No,
    The form (variables) names are OK.
    If anyone tries different names, it won't matter, because the PHP script
    only looks for the exact variable name that is in the form.

  • Users who have thanked mlseim for this post:

    four0four (02-24-2010)

  • #4
    New Coder
    Join Date
    Aug 2003
    Location
    Derby, UK
    Posts
    97
    Thanks
    0
    Thanked 14 Times in 14 Posts
    Just to extend the point, if a hacker tried to use dodgy field names this would be handled by PHP itself when it mapped the HTTP submission into the environment your PHP script runs in. HTML form field names follow some very tight rules, as do PHP variable names and nothing could come through that could cause you a problem AFAIK (even if you were doing something weird like dumping keys from $_POST array onto a live site).

    You only need to worry about the values of the fields as these are uncontrolled (within reason).

    Regards,

    Dai

  • Users who have thanked DaiWelsh for this post:

    four0four (02-24-2010)
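
    The pattern the replies above describe, as an added example that is not code from any poster in this thread: the script looks up only the field names it expects and validates each corresponding value. `FIELD_RULES`, `read_form`, the `comment` field and the sample submission are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: expected field name => validator (clean value, or null if invalid).
const FIELD_RULES = ['mail' => 'validate_mail', 'comment' => 'validate_comment'];

function validate_mail(string $v): ?string
{
    $v = trim($v);
    return filter_var($v, FILTER_VALIDATE_EMAIL) !== false ? $v : null;
}

function validate_comment(string $v): ?string
{
    $v = trim($v);
    return ($v !== '' && strlen($v) <= 500) ? $v : null;
}

// Reads only allowlisted names; anything else in the submission is never looked up.
function read_form(array $post): array
{
    $clean = $errors = [];
    foreach (FIELD_RULES as $name => $validator) {
        $raw = $post[$name] ?? null;
        // Missing fields are null, and a field sent as "mail[]" arrives as an array.
        if (!is_string($raw)) {
            $errors[] = $name;
            continue;
        }
        $value = $validator($raw);
        if ($value === null) {
            $errors[] = $name;
        } else {
            $clean[$name] = $value;
        }
    }
    // Names sent but not expected; HTML-encoded because they are client-supplied text.
    $unexpected = array_map(
        fn($k) => htmlspecialchars((string) $k, ENT_QUOTES, 'UTF-8'),
        array_keys(array_diff_key($post, FIELD_RULES))
    );
    return [$clean, $errors, $unexpected];
}

// Constructed sample submission (in a real script this would be $_POST).
$sample = ['mail' => ' user@example.com ', 'comment' => ['x'], 'is_admin' => '1'];
[$clean, $errors, $unexpected] = read_form($sample);
var_dump($clean, $errors, $unexpected);
```

    With the constructed sample, `mail` is accepted after trimming, `comment` is rejected because it arrived as an array, and `is_admin` is only reported as an unexpected name.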

  • #5
    Regular Coder
    Join Date
    Jun 2008
    Posts
    104
    Thanks
    71
    Thanked 0 Times in 0 Posts
    Thanks everyone for the help! That helps clear up a lot of confusion that I had.

    So basically the only thing I need to focus on is value data that my script uses.

  • #6
    bdl
    Regular Coder
    Join Date
    Apr 2007
    Location
    Camarillo, CA US
    Posts
    590
    Thanks
    4
    Thanked 83 Times in 82 Posts
    One thing I will mention that is marginally related here, and something that popped into my head as I was reading, is that you should take care in your naming conventions. Your form field names should be unique, relevant and not use any token that the browser uses, e.g. "emailInputField" instead of "input", or "formSubBtn" instead of naming the submit button "submit". Due to the fact that these names are actual browser / HTML / DOM element names this can cause problems, especially when using JavaScript to interact with the form data. Whatever naming convention you choose, be consistent.

    Something else to consider, don't name your input fields the same as your database fields. If someone is fishing around your site with the intent of using SQL injection to reveal something about your database (or plain out view or destroy data), using the field name "email" is a fairly obvious choice and there's a good chance you simply named your database field "email" as well. Fairly obvious choices to target are "username", "password", etc.

  • Users who have thanked bdl for this post:

    four0four (02-24-2010)

  • #7
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Originally Posted by bdl:
    Something else to consider, don't name your input fields the same as your database fields. If someone is fishing around your site with the intent of using SQL injection to reveal something about your database (or plain out view or destroy data), using the field name "email" is a fairly obvious choice and there's a good chance you simply named your database field "email" as well. Fairly obvious choices to target are "username", "password", etc.
    If it's an Open Source solution, they probably already know what the DB fields are called. Seriously though, if you class that as a notable consideration, then your input validation and sanitisation are obviously lacking and need attention. That is a prime example of obscurity.

  • Users who have thanked MattF for this post:

    four0four (02-24-2010)

