  1. #1 Regular Coder (c1lonewolf), joined Sep 2002

    difference between validating / sanitizing...

    Ok so I'm having trouble understanding the coding differences between validating / sanitizing emails vs database entries. Can anyone shed some light on this?

    I have three scripts, written by others, 2 for email validating and sanitizing and 1 for database entry, apparently without validation. The first email option uses a loop to check all form elements, which I like, but uses preg_match for an error filter. While the other uses a single function and trims, addslashes and uses htmlspecialchars.

    The database entry function only uses htmlspecialchars.

    So how do you know what's what?
    NO Limits!! DHCreationStation.com
    ------------------------------------------------------------
    Broken items wanted for tinkerin'! PostItNow@BrokenEquipment.com
    Global Complaint Dept.

  • #2 Fou-Lu (Saskatoon, Saskatchewan), joined Sep 2002
    First you have to separate validation, verification and sanitation logic. Each serves an entirely different purpose.
    Verification and validation always go hand in hand, but do differ in their purpose. You can kill them both with one stone in a language like PHP.
    Verification ensures you meet a minimum standard. That is, you have given me a string, and I expect a string. Validation ensures that it matches my business rules. A number representing an age can only be between 1 and 120, for example.

    Sanitation ensures that the format of the data in question cannot break the container used to carry it. SQL is easy; prepare it or escape it so that characters such as quotations cannot be manufactured within the data to corrupt the container. Email is a bit more work since you have to take special care of what an actual email can be structured as, to prevent damaging additional headers that are sent. This includes restructuring line feeds so that messages will never be \r\n, and that such characters cannot be added to preceding blocks in an email message (RFC 2822 will structure this out; it is easy to read these RFCs when you get the hang of it). The email address is part of the headers, so you need to be careful that it doesn't allow anything additional appended separated by \r\n. If you are interested in email sanitation, a simple search on Google for 'php email sanitize' would probably turn up a lot of articles; always pay attention to their dates though, anything more than a couple of years old is likely out of date.

  • #3 felgall (Sydney, Australia), joined Sep 2005
    If you look at the section of the PHP manual that lists the validation and sanitization filters and how to use them then the difference between the two becomes obvious.

    Validation is used on user input and tests the content to see if it complies with the validation rules. If it doesn't then you produce an error message and reject the content. You don't accept the content for processing until what is entered matches the validation filter.

    Sanitization filters remove anything from the content so as to force the content to match the filter. You would generally run sanitization on what you retrieve from your database where you would expect all the data to be valid as it already passed validation before being inserted there. You run the sanitization as a precaution in case your database has been corrupted.


    For example
    Email Validation:

    Code:
    if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        $email = $_POST['email'];
    } else {
        $errormessage = 'Please supply a valid email address';
    }
    Email sanitization:

    Code:
    $email = filter_var($row['email'], FILTER_SANITIZE_EMAIL);
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
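    An added example, not code from this thread, that puts the three layers Fou-Lu describes next to the filter_var calls Stephen points to: a verification step that refuses anything that is not a single string, validation with FILTER_VALIDATE_EMAIL and a ranged FILTER_VALIDATE_INT, and, for the SQL container, a PDO prepared statement so the value is bound rather than spliced into the query. The field names, the age bounds, the contacts table and the in-memory SQLite database are assumptions made for the demonstration (PHP 7.1 or later with the pdo_sqlite extension).

```php
<?php
// Added example, not code from this thread. Field names, the age range, the
// contacts table and the in-memory SQLite database are assumptions for the demo
// (requires PHP 7.1+ and the pdo_sqlite extension).

// 1. Verification: the raw input has the basic shape expected, a single string.
//    Missing keys and array inputs (name="field[]") stop here and never reach validation.
function verifyString(array $input, string $field): ?string
{
    if (!isset($input[$field]) || !is_string($input[$field])) {
        return null;
    }
    return trim($input[$field]);
}

// 2. Validation: the value meets the business rule, otherwise it is rejected,
//    never silently corrected.
function validateEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function validateAge(string $age): bool
{
    // A ranged FILTER_VALIDATE_INT rejects "12abc", "1e3", negatives and out-of-range values
    $opts = ['options' => ['min_range' => 1, 'max_range' => 120]];
    return filter_var($age, FILTER_VALIDATE_INT, $opts) !== false;
}

// 3. Sanitization: the value cannot break the container it is placed in.
//    For SQL the container is the statement, so the value is bound, not interpolated.
function insertContact(PDO $db, string $email, int $age): void
{
    $stmt = $db->prepare('INSERT INTO contacts (email, age) VALUES (:email, :age)');
    $stmt->execute([':email' => $email, ':age' => $age]);
}

// Data read back from the database is run through the sanitizing filter as a
// precaution, as Stephen suggests: FILTER_SANITIZE_EMAIL drops characters that
// cannot occur in an address.
function sanitizeStoredEmail(string $stored): string
{
    return filter_var($stored, FILTER_SANITIZE_EMAIL);
}

// Constructed sample request, not real traffic
$post = ['email' => ' user@example.com ', 'age' => '42'];

$errors = [];
$email = verifyString($post, 'email');
$age   = verifyString($post, 'age');

if ($email === null || !validateEmail($email)) {
    $errors[] = 'Please supply a valid email address';
}
if ($age === null || !validateAge($age)) {
    $errors[] = 'Age must be a whole number between 1 and 120';
}

if ($errors !== []) {
    echo implode(PHP_EOL, $errors), PHP_EOL;
    exit;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (email TEXT NOT NULL, age INTEGER NOT NULL)');
insertContact($db, $email, (int) $age);

$row = $db->query('SELECT email, age FROM contacts')->fetch(PDO::FETCH_ASSOC);
echo 'Stored: ', sanitizeStoredEmail($row['email']), ' (age ', $row['age'], ')', PHP_EOL;
```

    Note that nothing in the validation layer changes the value: a bad address produces an error, and only data that already passed validation is bound into the statement. The sanitizing filter is applied on the way out of the database, which is the placement Stephen describes.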

  • #4 Regular Coder (c1lonewolf), joined Sep 2002
    Thanks for the help and understanding...

    This is an exploits filter from the email form that loops:
    content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert

    I know 2 & 3 are used for email inputs...but if you include the rest that doesn't allow visitors to ask questions about javascript or send examples, right? So what are the real exploits that should be included?

  • #5 Fou-Lu (Saskatoon, Saskatchewan), joined Sep 2002
    The first three are headers, so you definitely want to either remove them or only allow them into the content body without \r\n separation.
    The remainder are JS properties; if it's literal text using something like htmlentities, then you cannot execute the body JS injected. Instead you simply see the text. Using strip_tags would remove them, but not the content, so I guess it depends if you want the <body onload="..."> style to still show, or remove it and the content completely.
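    An added example, not from the thread, showing the split Fou-Lu makes between the two groups of terms in the filter: values destined for mail headers get a structural check for line breaks rather than a word blacklist (no line break means nothing can be appended as a separate header), while the message body is kept and either escaped with htmlspecialchars (the text stays visible, the markup is inert) or passed through strip_tags (the markup is removed, the text between tags survives). The field names and the constructed submission are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread. Field names and the sample submission
// are constructed for the demonstration.

// A value that goes into a mail header (From, Reply-To, Subject) must be a single
// line. Any CR or LF is rejected outright, because that is what a second header
// such as "Bcc:" would need in order to become a header of its own.
function isSingleHeaderLine(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// The body may legitimately contain line breaks; normalise them to one convention
// so the mailer never sees a bare \r or a mixed \r\n / \n sequence.
function normaliseBody(string $body): string
{
    return preg_replace("/\r\n|\r|\n/", PHP_EOL, $body);
}

// For HTML display, escaping keeps the text (a visitor can ask about onload) while
// the browser treats it as characters rather than markup.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// strip_tags removes the markup but leaves the words between the tags, so a sentence
// mentioning "alert" survives while <body onload="..."> itself does not.
function stripMarkup(string $text): string
{
    return strip_tags($text);
}

// Constructed sample submission: one header field carrying a line break, one harmless
// subject that merely contains a filtered word, and a body with markup and a bare \r.
$headerFields = [
    'replyto' => "visitor@example.com\r\nBcc: other@example.com",
    'subject' => 'Question about onload',
];
$body = "How does <body onload=\"init()\"> work?\rIs document.cookie readable here?\n";

foreach ($headerFields as $name => $value) {
    echo $name, ': ', isSingleHeaderLine($value) ? 'ok' : 'rejected (line break in header field)', PHP_EOL;
}
echo 'escaped body:  ', escapeForHtml(normaliseBody($body)), PHP_EOL;
echo 'stripped body: ', stripMarkup(normaliseBody($body)), PHP_EOL;
```

    The header check is deliberately structural: it does not care which words appear, only whether the value could ever span more than one header line. That is why the subject containing "onload" passes while the reply-to field with an embedded line break is rejected, and why the body, where those words are just text, needs output encoding rather than a blacklist.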

  • #6 Regular Coder (c1lonewolf), joined Sep 2002
    Hey guys, just built this to make things easier so if I could get some help to develop it would be great!
    Code:
    <?php
    /*----------------------------------------------------
    FileName : validate_n_sanitize.php
    Created  : 2012.09.26
    Copyright: 2012 - David H. of www.brokenequipment.com
    Purpose  : Ability to quickly and easily validate and
    sanitize all forms for email and/or database entry.

    Permissions:
    Free to use and/or modify provided original copyright,
    and all developer updates and references remain intact.

    Developers: If you choose to help build this script please
    include date of update, what you added/modified and your
    name and/or webaddress. Thanks!

    Developer Notes:
    Validation:
    Placing the exploits, profanity and spam checks at the
    top will check all form fields for these elements.
    If it's not required for some form fields move lower
    in the loop and use field defined filtering.
    Known validation fields that may/not include the use
    of filters:
    email, website urls, image/file uploads, price, credit
    card inputs

    Filters should be pulled from database only when needed.

    These can be handled by using specific filters such
    as accepted file or graphics file extensions, known
    email exploits etc. all of which can be maintained
    from a database entry.

    We can apply the break's (get it?) each time an
    error is found during the loop iteration by
    removing the comment markers, but it's annoying
    during testing & development.

    Note: strtolower($key), 'email') !== false
    I tried === true and it didn't validate soooo
    to simplify the coding the 'textExists' function
    was created. This can be added to core functions
    and checks if a text string exists (returns 1:0).

    The email can be broken down even more to notify that
    malicious code was detected by placing the 'preg_match'
    in another elseif statement. (not tested)

    Sanitation:
    When entry validation is completed next we want to
    go ahead and sanitize it for either 'database entry'
    or 'emails'. This is handled by checking the 'FormName'
    for either 'email' or 'db'. The current sanitation
    coding is from a mail form script I found. So needs to
    be updated.
    ----------------------------------------------------*/

    /*----- Core Functions -----*/
    //--- checks for text within a string (case-insensitive); returns 1 if found, 0 if not ---//
    function textExists($v, $t) {
        return (strpos(strtolower($v), $t) !== false) ? 1 : 0;
    }

    //--- builds a case-insensitive regex from a '|' separated term list ---//
    //--- each term is quoted so punctuation such as the '.' in 'document.cookie' matches literally ---//
    function buildFilter($terms) {
        $quoted = array_map(function ($t) { return preg_quote($t, '/'); }, explode('|', $terms));
        return '/(' . implode('|', $quoted) . ')/i';
    }

    $error_caption = '';
    $error_message = '';

    if ($_SERVER['REQUEST_METHOD'] == "POST" && isset($_POST['FormName'])) {

        //--- Valid Form? ---//
        if (textExists($_POST['FormName'], 'email') || textExists($_POST['FormName'], 'db')) {
            //--- isValid Form ---//
            $error_caption = 'Validation Error!';

            //--- Get Form Type For Sanitation ---//
            $form_type = textExists($_POST['FormName'], 'email') ? "email" : "database";

            /*----- Begin Validation -----*/
            //--- Filters (pull from db) ---//
            $filter_all_exploits = "content-type|bcc:|cc:|document.cookie|onclick|onload|javascript|alert";
            $all_exploits = buildFilter($filter_all_exploits);

            //--- the starred entries below are words masked by the forum, not usable terms; ---//
            //--- a bare '*' would not even compile as a regex, which is why buildFilter quotes each term ---//
            $filter_profanity = "beastial|bestial|*****|blowjob|clit|****|cum|cunilingus|cunillingus|cunnilingus|****|ejaculate|***|felatio|fellatio|****|fuk|fuks|gangbang|gangbanged|gangbangs|hotsex|jism|jiz|kock|kondum|kum|kunilingus|orgasim|orgasims|orgasm|orgasms|phonesex|phuk|phuq|porn|pussies|pussy|spunk|xxx";
            $profanity = buildFilter($filter_profanity);

            $filter_spamwords = "viagra|phentermine|tramadol|adipex|advai|alprazolam|ambien|ambian|amoxicillin|antivert|blackjack|backgammon|texas|holdem|poker|carisoprodol|ciara|ciprofloxacin|debt|dating|porn";
            $spamwords = buildFilter($filter_spamwords);

            //--- Specific Filters --//
            $filter_bots = "Indy|Blaiz|Java|libwww-perl|Python|OutfoxBot|User-Agent|PycURL|AlphaServer";
            $bots = buildFilter($filter_bots);

            $filter_email = "content-type|bcc:|cc:";
            $email_exploits = buildFilter($filter_email);

            //--- Bots? (the User-Agent header may be absent, so default to an empty string) ---//
            $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            if (preg_match($bots, $user_agent)) {
                $error_message .= "Known spam bot detected";
            }
            else {

                //--- Begin Loop ---//
                foreach ($_POST as $key => $value) {
                    //--- array inputs (name="field[]") cannot be trimmed or matched; reject them ---//
                    if (!is_string($value)) {
                        $error_message .= "$key: Unexpected input type!<br />";
                        break;
                    }
                    $value = trim($value);

                    //--- Empty? (empty() would also reject a legitimate "0", so compare to '') ---//
                    if ($value === '') {
                        $error_message .= "$key: All fields required!<br />";
                        break;
                    }

                    //--- Valid Email? (ereg() was removed in PHP 7; the dots are escaped so they match literally) --//
                    elseif (textExists($key, 'email')) {
                        if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/', strtolower($value))
                            || preg_match($email_exploits, $value)) {
                            $error_message .= "$key: Invalid Email<br />";
                            break;
                        }
                    }

                    //--- Valid WebsiteUrl? ---//
                    elseif (textExists($key, 'websiteurl')) {
                        if (!preg_match('/^(https?:\/\/[\w\-]+\.[\w\-]+)/i', $value)) {
                            $error_message .= "$key: Invalid web address<br />";
                            break;
                        }
                    }

                    //--- Valid Image? ---//
                    elseif (textExists($key, 'img')) {
                        // image upload validation (uploaded files arrive in $_FILES, not $_POST)
                    }

                    //-- Exploits? --//
                    elseif (preg_match($all_exploits, $value)) {
                        $error_message .= "$key: Malicious scripting detected.<br />";
                        break;
                    }

                    //-- Profanity or Spam? --//
                    elseif (preg_match($profanity, $value) || preg_match($spamwords, $value)) {
                        $error_message .= "$key: Inappropriate language!<br />";
                        break;
                    }

                    /*----- Begin Sanitizing -----
                    if($form_type == "email"){
                        $data = stripslashes($value);
                        $data = htmlspecialchars($data);
                        $_POST[$key] = $data;
                    }

                    if($form_type == "database"){
                        $data = stripslashes($value);
                        $data = htmlspecialchars($data);
                        $_POST[$key] = $data;
                    }

                    ----- End Sanitizing -----*/

                } //[ends loop]
                //--- End Loop ---//
            }
            /*----- End Validation -----*/

        }
        else { $error_message .= "FormName: Undefined!"; }

        /*----- Begin Processing -----*/
        if (empty($error_message)) {
            $error_caption = 'Processing Error!';

        }
        /*----- End Processing -----*/

        // Display Area For Inline Forms //

    }
    else {
        //--- can send to main website ---//
    }
    ?>
    Ok, checks for POST request method and FormName. If accessed directly you can send the visitor back to the main website. This script was developed for our website which uses multiple forms. Plus our forms may be handled differently than others so there's an area at the bottom for inline displays (like ours).

    Checks if FormName is available.
    Checks for FormName to see if either "email" or "db"
    else it kicks an error.

    Loops through form elements checking for specific elements such as "email" inputs. Then checks for "email" in the element name. So you can have any number of email inputs (ie: myemail, sendToEmail, Friends_Email); they all get processed the same way.

    The profanity and spam filters are moved to the bottom so they only pertain to items not defined, like comments, descriptions, names etc. This was so someone could have an email like [pornstar at whatever dot com] and it would allow it.

    Created "textExists" to decrease coding. Can be a core function for other things.

    Notice the image portion is not handled, was unsure how to work it. Also was going to use $_SERVER['HTTP_REFERER'] but wasn't sure how to validate it or what to compare it to.

    The sanitizing area I was unsure of so I just used one from an email script. So would like help from the pros on this and handling filters. The following website suggested the following sanitation methods but I didn't add them...not sure.
    http://www.acunetix.com/websitesecur...security-1.htm
    strip_tags()
    nl2br()
    htmlspecialchars()
    escapeshellarg()

    Anyway more help would be greatly appreciated!
    Last edited by c1lonewolf; 09-27-2012 at 08:13 PM.

  • #7 Regular Coder (c1lonewolf), joined Sep 2002
    Ok after multiple tests I have some questions...
    1. Why does php not identify the fileType input name? It's part of the form.

    2. Since you can't identify it by using the normal method, how can you make sure the file fields are filled in...when required?

    Also, I tried using a text input to check if images were being used... (input type="text" name="UseImages" value="1")
    When using this any reference to the word 'image' automatically broke the loop unless set to 0. Why is that?
    Last edited by c1lonewolf; 10-02-2012 at 06:12 PM.

  • #8 felgall (Sydney, Australia), joined Sep 2005
    Originally Posted by c1lonewolf:
        1. Why does php not identify the fileType input name? It's part of the form.
    When passing files with a form you use a multipart form. The ordinary fields end up in the $_POST array while the files that are passed end up in the $_FILES array.

    Originally Posted by c1lonewolf:
        2. Since you can't identify it by using the normal method, how can you make sure the file fields are filled in...when required?
    You test for files being specified the same way as for other fields but need to check the 'name' field on each file to see if one was specified.
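    An added example (not the thread's code) of the check Stephen describes in his second answer: required upload fields are looked up in $_FILES rather than $_POST, and an input the visitor left blank is recognised by UPLOAD_ERR_NO_FILE or an empty 'name'. The field names and the hand-built $_FILES array are assumptions for the demonstration; in a real request PHP populates that array itself.

```php
<?php
// Added example, not from the thread. The field names and the constructed $_FILES
// array are assumptions; PHP fills $_FILES from a multipart/form-data request.

// Returns the names of required file fields that were left empty. A field absent
// from $_FILES entirely is reported too, which is what happens when the form lacks
// enctype="multipart/form-data" and the file never arrives.
function missingRequiredFiles(array $files, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        if (!isset($files[$field]) || !is_array($files[$field])) {
            $missing[] = $field;
            continue;
        }
        $entry = $files[$field];
        // A file input left blank still produces an entry; PHP marks it with
        // UPLOAD_ERR_NO_FILE and an empty 'name', so check both.
        $noFile = ($entry['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_NO_FILE
               || ($entry['name'] ?? '') === '';
        if ($noFile) {
            $missing[] = $field;
        }
    }
    return $missing;
}

// A file that did arrive still needs checking before anything uses it: the error
// code, a sane size, and is_uploaded_file() to confirm the temporary path really
// came from this request rather than from an attacker-controlled value.
function uploadIsUsable(array $entry, int $maxBytes): bool
{
    return ($entry['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK
        && ($entry['size'] ?? 0) > 0
        && ($entry['size'] ?? 0) <= $maxBytes
        && isset($entry['tmp_name'])
        && is_uploaded_file($entry['tmp_name']);
}

// Constructed $_FILES, shaped the way PHP builds it for two inputs, one left blank.
// (tmp_name is a placeholder, so uploadIsUsable() would return false on this data.)
$files = [
    'fileType' => ['name' => 'photo.jpg', 'type' => 'image/jpeg',
                   'tmp_name' => '/tmp/php-placeholder', 'error' => UPLOAD_ERR_OK, 'size' => 20480],
    'receipt'  => ['name' => '', 'type' => '', 'tmp_name' => '',
                   'error' => UPLOAD_ERR_NO_FILE, 'size' => 0],
];

$missing = missingRequiredFiles($files, ['fileType', 'receipt']);
if ($missing !== []) {
    echo 'All fields required: ', implode(', ', $missing), PHP_EOL;
}
```

    With the constructed input only 'receipt' is reported, because 'fileType' has a name and UPLOAD_ERR_OK. The check runs alongside the $_POST loop in the script above rather than inside it, since file inputs never appear among the $_POST keys.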

