0

Hello,

After searching the internet for how to secure a web application (forms) in PHP,
I found that in most cases there were just suggestions, not a short, real example.

In some cases it is suggested to use strip_tags( trim( $_POST['PARAMETER'] ) );
but when you have some special inputs like a comments field,
htmlentities ( trim ( $_POST[ 'comment' ] ) , ENT_NOQUOTES ); is suggested.

Maybe there is a useful example (custom made function) to achieve standard safe methods without introducing complicated libraries like HTMLPurifier into the application.

Thank you for your time!

1

Depends what you need to do with the data. If you're expecting specific types then you can 'filter' to either validate or sanitize. You can also cast to specific types, trim etc. Use prepared statements for DB queries.

Assume ALL data from a form is suspect. OWASP has great details on how to protect yourself. One other thing to mention is to use a nonce to help protect your form from being forged.

https://www.owasp.org/index.php/ASVS_V5_Input_validation_and_output_encoding

There are further refs at the bottom of the page. Essential reading.

Edited by alan.davies

1

Don't sanitize in that way. ALWAYS use PREPARED STATEMENTS (sorry for my caps … but yes I am yelling). A logical confirmation is almost always required (both front-end and back-end), e.g. is this string an integer, is it in a valid currency format, is it a valid phone, etc. That could be done with a simple String Utils class.

0

Sorry regarding my terminology, maybe it is misleading.

Till now, in most cases I am dealing with these parameter types:

  1. Integers (Numbers, IDs), which I secure with
    $id = (int)$_POST['parameter'];

  2. Strings (Article Titles, Names): after some tests this function fits my needs, but I am not sure if it is really secure!
    $title = strip_html_tags($_POST['parameter']);
    https://csiphp.com/blog/2016/05/02/stop-writing-your-own-strip-tags/

  3. Strings (Comments, Article contents, Profile description).
    In this scenario I don't know how to secure this kind of information.
    I want to let the users securely add some links, ul, li etc. (pretty much the tags that the daniweb editor allows).
    I have read of some cases where the attacker can add malicious code even in an image, like:
    <img SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Could you share a function/class that is mainly used in these cases?

Thank you!
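
For the third case above (rich text with a few permitted tags), one approach is an allow-list filter built on PHP's bundled DOM extension. This is an added example, not code from any poster in the thread; the tag list, the attribute list and the URL rule are an assumed policy, and `sanitize_comment_html` / `clean_children` are hypothetical names. Because the parser decodes character references before the check runs, an entity-encoded `javascript:` URL like the one quoted in the post is evaluated in its decoded form.

```php
<?php
// Added example: allow-list filter for user-submitted comment HTML.
// ALLOWED_TAGS / ALLOWED_ATTRS and the URL rule are an assumed policy.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];

function sanitize_comment_html(string $html): string
{
    libxml_use_internal_errors(true);            // malformed markup is expected
    $doc = new DOMDocument();
    // The prolog makes libxml read the input as UTF-8. Parsing also decodes
    // character references, so "&#x6A&#x61..." is checked as the URL it really is.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    clean_children($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);          // text nodes are re-escaped here
    }
    return $out;
}

function clean_children(DOMNode $parent): void
{
    // Snapshot the child list first, because nodes are removed while walking it.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) { continue; }
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        // Comments and any element outside the allow-list go, subtree included.
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            // Strip whitespace/control characters, which browsers ignore in a scheme.
            $url = preg_replace('/[\x00-\x20]+/', '', $attr->value);
            $ok  = in_array($attr->name, ALLOWED_ATTRS[$tag] ?? [], true)
                && preg_match('#^(https?://|mailto:)#i', $url) === 1;
            if (!$ok) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_children($child);
    }
}
// Constructed sample input, including an entity-encoded javascript: URL.
$input = '<p onclick="x()">Hi <a href="jav&#x61;script:alert(1)">link</a> '
       . '<a href="https://example.com/">ok</a><img src=x onerror=x()></p>';
echo sanitize_comment_html($input), "\n";
```

The filter runs on the stored or about-to-be-rendered HTML only; titles and other plain-text fields still need output escaping with `htmlspecialchars()` at the point where they are printed.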

0

@jkon, regarding database queries I think that I am using the recommended way, here is an example:

try {
    $query          = 'INSERT INTO
                        requests (
                            `request_id`, `email`, `ip`
                        )
                        VALUES (
                            :request_id, :email, :ip
                        );';
    $stmt           = $dbconnection->prepare($query);
    $stmt->bindParam(':request_id', $request_id, PDO::PARAM_INT);
    $stmt->bindParam(':email', $email, PDO::PARAM_STR);
    $stmt->bindParam(':ip', $ip, PDO::PARAM_STR);
    $stmt->execute();
} catch(PDOException $exception) {
    $_SESSION['ERROR_CODE'] = $exception->getCode();
    $_SESSION['ERROR_MSG']  = $exception->getMessage();
}