PHP Server Side Scripting Forum
php and forms
securing php forms
copongcopong
msg:1299557
 12:16 am on Aug 6, 2002 (gmt 0)

May I know from some php'ers here how you make sure that the forms (textarea, input, etc ...) are secure, in a way that you filter out scripts that may cause intrusion to your site? Is strip_tags secure enough?

post your script if you like. =)


mavherick
msg:1299558
 8:14 pm on Aug 6, 2002 (gmt 0)

The trick here is not to remove all malicious code, but focus on allowing only legit text or whatever you're collecting.

What I usually do is simply define characters that I consider legit entries for example (maybe a comment box or something similar):

"A-Z", "a-z", "0-9", ",."

The next step is to identify ways that those characters can be used against your server. It will also depend on whether you insert the data in a database; this will add some complexity to the problem, but if you're able to keep your legit character set small, it shouldn't be too hard to cover the basics.

So your code could simply parse the input, keeping only the legit characters, possibly removing patterns you identified that could cause problems.

One little note. Since new exploits are discovered over time, I use only one validation file (that can serve different purposes) in a central location allowing me to update it pretty quickly.

mavherick
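An added example (not code from the thread or its posters) of the approach mavherick describes: one central validator that keeps only the characters on an allow-list for each field type and rejects anything else, so the same file can be updated in one place when a new problem is found. It assumes PHP 7.1 or later; the function names, field names and character sets are hypothetical choices for the demonstration.

```php
<?php
// Added example, not from the thread: a central allow-list validator.
// Function names, field names and rule sets are hypothetical.

/**
 * Validate one form field against an allow-list.
 * Returns the clean string, or null when the input is not acceptable.
 */
function validate_field(string $value, string $type, int $maxLen = 1000): ?string
{
    // Reject over-long input outright rather than silently truncating it.
    if (strlen($value) > $maxLen) {
        return null;
    }

    // Each rule lists only the characters permitted for that field; anything
    // outside the class makes the whole field fail.
    $rules = [
        // Comment box: letters, digits, spaces, basic punctuation, line breaks.
        'comment' => '/\A[A-Za-z0-9 ,.!?\'"()\r\n-]*\z/',
        // Display name: letters, digits, spaces, hyphens, apostrophes.
        'name'    => '/\A[A-Za-z0-9 \'-]{1,60}\z/',
        // Digits only.
        'integer' => '/\A[0-9]{1,10}\z/',
    ];

    if (!isset($rules[$type]) || !preg_match($rules[$type], $value)) {
        return null;
    }

    return $value;
}

/**
 * Apply the rules to the fields a form is expected to carry.
 * Only the named POST fields are read; unexpected fields are ignored.
 */
function validate_form(array $post, array $expected): array
{
    $clean  = [];
    $errors = [];
    foreach ($expected as $field => $type) {
        $raw = (isset($post[$field]) && is_string($post[$field])) ? $post[$field] : '';
        $result = validate_field($raw, $type);
        if ($result === null) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $result;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST (not a real request).
$sample = [
    'name'    => "O'Brien",
    'comment' => "Nice article, thanks.\r\nSee you <script>alert(1)</script>",
    'age'     => '42',
    'extra'   => 'ignored',
];

$result = validate_form($sample, [
    'name'    => 'name',
    'comment' => 'comment',
    'age'     => 'integer',
]);
print_r($result);
// The comment field fails because "<", ">" and "/" are not in its allow-list,
// so the field is rejected as a whole instead of being partially stripped.
```

The point of rejecting rather than stripping is that a stripped value can still be reassembled into something unexpected (removing `<script>` from `<scr<script>ipt>` leaves `<script>`), while a field that fails the allow-list never reaches the database or the page at all. Keeping the rules in one function is what lets the set be tightened later without touching every form.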

Nick_W
msg:1299559
 8:27 pm on Aug 6, 2002 (gmt 0)

Also, make sure the post vars really are post vars... use the $_POST['value'] array...

Nick

toadhall
msg:1299560
 9:36 pm on Aug 6, 2002 (gmt 0)

Lots of useful information on PHP security here [hr.uoregon.edu].

martin
msg:1299561
 12:21 am on Aug 7, 2002 (gmt 0)

<?php
// Copy every POST value into a new array, HTML-encoding special characters on the way.
$safe_vars = array();
foreach ($_POST as $key => $value) {
    $safe_vars[$key] = htmlspecialchars($value);
}
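An added example (not code from the thread or its posters) that extends martin's loop with the caveat a reviewer would raise: htmlspecialchars() is an output encoding for one context, HTML, and it is only right for that context. The same value needs different treatment inside a JavaScript string, and none at all before a database write if a prepared statement carries it. It assumes PHP 7 or later with the pdo_sqlite extension; the function names and the table name are hypothetical.

```php
<?php
// Added example, not from the thread: encode per output context, bind for the DB.
// Function names and the comments table are hypothetical.

/** Escape for placement inside an HTML element body or a quoted attribute. */
function e_html(string $s): string
{
    // ENT_QUOTES also escapes the single quote, which the default flags on
    // older PHP releases left alone; the charset stops multibyte confusion.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for embedding a value in an inline JavaScript string literal. */
function e_js(string $s): string
{
    // json_encode produces a valid JS string; the HEX flags keep "<", "&" and
    // quotes from ending the surrounding <script> element early.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/** Insert a comment with a bound parameter; no HTML escaping belongs here. */
function store_comment(PDO $db, string $name, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $comment]);
}

// Constructed sample values (not from a real request).
$name    = "Mc'Donald\" <b>";
$comment = "</textarea><script>alert(1)</script>";

// 1. HTML body and attribute context.
echo '<p>Posted by ' . e_html($name) . "</p>\n";
echo '<textarea name="comment">' . e_html($comment) . "</textarea>\n";

// 2. JavaScript context: the HTML-escaped form is not correct here; use e_js().
echo '<script>var author = ' . e_js($name) . ";</script>\n";

// 3. Database context: store the original text through a bound parameter and
//    escape only when rendering, so nothing is double-encoded on the way out.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');
store_comment($db, $name, $comment);
```

Encoding everything in $_POST up front, as the loop above does, is convenient but ties the stored data to one output context; a value saved HTML-encoded will show `&amp;` if it is ever emitted into JSON or a plain-text mail. Keeping the raw value and encoding at each output point avoids that.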
