
PHP Form Validation with no Javascript


apauto

8:09 pm on Mar 7, 2010 (gmt 0)

10+ Year Member



I need for a user to be able to add content, but I want to make sure they don't have any javascript or anything else that can harm our system.

The form basically takes the input, and puts it into a database, and then we approve or deny the content.

I don't want it to insert into the db if there is javascript or something else possibly harmful.

I tried to search, but couldn't find much on this...

Any ideas where I could look?

Thanks

rocknbil

8:44 pm on Mar 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



See the various threads on this site about preventing injection; basically, you accept what you want, discard what you don't.

For XSS I like to try to identify attempted script injection first so I can remove the entire block using regexps. You would then remove any carets, encoded or not, disabling any HTML attempts, or remove anything surrounded by <>. You could just entity them with htmlentities, but this can cause problems if you are allowing HTML markup of any kind.

If your forms need to allow HTML for any reason, you should have an "acceptable list" somewhere, a list of tags you will allow, such as em, strong, p, etc. If the carets are found, compare against this list and if what they entered is not in it, remove it.

This could be used for Javascript as well. If the <script> tag is not in your list, it will remove it.

apauto

9:07 pm on Mar 7, 2010 (gmt 0)

10+ Year Member



Thanks... Yeah, I want to be able to allow such things as strong, em, p, and a href.

Can this be done in PHP rather than javascript?

Readie

9:30 pm on Mar 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



<?php
// Remove whole <script ...>...</script> blocks first, then any stray
// opening or closing tag left on its own. [^>]* (not [^>]+) also
// matches a bare <script> that has no attributes.
$disallowed = array(
    '/<script[^>]*>.*?<\/script>/is',
    '/<script[^>]*>/i',
    '/<\/script>/i'
);

foreach ($disallowed as $find) {
    $input = preg_replace($find, '', $input);
}


I think I've done that right... That should remove <script>, </script> and anything between them.

apauto

1:34 am on Mar 8, 2010 (gmt 0)

10+ Year Member



Thanks guys!

If I want to find more info on this, what do you suggest I search for in Google?

Readie

9:35 am on Mar 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>apauto
Umm, I'm not really sure what search string you'd use. There should be plenty of examples of form validation in these forums, and [regular-expressions.info...] is good reading for regex.

>>rocknbil
For allowed HTML, would you do something like this?

<?php
function html_allow($input) {

    // Step 1: entity-encode every character that can open markup, so
    // nothing the user typed is treated as HTML. Backslash-escaped quotes
    // (from magic_quotes) are handled before the plain ones.
    $symb = array(
        '/&/',
        "/[\\\\]{1}'/",
        '/[\\\\]{1}"/',
        '/</',
        '/>/',
        "/'/",
        '/"/'
    );

    $repl = array(
        '&#38;',
        '&#39;',
        '&#34;',
        '&#60;',
        '&#62;',
        '&#39;',
        '&#34;'
    );

    $input = preg_replace($symb, $repl, $input);

    // Step 2: decode the delimiters again, but only around tags on the
    // allowed list whose opening tag carries no on* event attribute.
    // \1 makes the closing tag match the opening one; \b stops "abbr"
    // from being accepted as an "a" tag with the attributes "bbr".
    $find = '/&#60;(a|b|i|u|img|sup|sub|span)\b((?:(?!&#62;)(?!on\w+\s*=).)*)&#62;(.*?)&#60;\/\1&#62;/is';

    $sym = array('/&#39;/', '/&#34;/');
    $rep = array("'", '"');

    // Only the tags themselves are decoded; the text between them stays
    // encoded, so a &#60;script&#62; nested inside an allowed tag cannot
    // come back to life. Attribute values (e.g. href) are not checked here.
    $input = preg_replace_callback($find, function ($m) use ($sym, $rep) {
        $attrs = preg_replace($sym, $rep, $m[2]);
        return '<' . $m[1] . $attrs . '>' . $m[3] . '</' . $m[1] . '>';
    }, $input);

    return $input;

} //function


(Sorry for the thread hijacking, apauto!)

rocknbil

11:52 pm on Mar 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't have the code handy... but I assemble the list (what you have there hard-coded) from a database so it can be added to/edited by the admin. Then do something like

$mycontent = check_html($mycontent,$allowedTags);

Then in check_html, foreach through the allowed-tags array and do a preg_match: if found, OK; if not, delete the tag.
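One way to write the check_html() described above, as an added example rather than rocknbil's own code: it assumes $allowedTags is a plain array of tag names (for instance loaded from the admin's database table) and uses preg_replace_callback, so it needs PHP 5.3 or later. A regex pass like this is not an HTML parser, so it is a first filter in front of the manual approval step rather than a replacement for it.

```php
<?php
// Added example, not rocknbil's code. $allowedTags is assumed to be a
// plain array of tag names, e.g. loaded from the admin's database table.
function check_html($content, array $allowedTags) {
    $allowed = array_flip(array_map('strtolower', $allowedTags));

    // One match per opening, closing or self-closing tag.
    $tagPattern = '/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/';

    return preg_replace_callback($tagPattern, function ($m) use ($allowed) {
        $slash = $m[1];
        $name  = strtolower($m[2]);
        $attrs = $m[3];

        // Tag not on the list: delete the tag, keep the text around it.
        if (!isset($allowed[$name])) {
            return '';
        }

        // On an allowed tag, drop on* event-handler attributes ...
        $attrs = preg_replace('/\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $attrs);
        // ... and any href/src whose value is a javascript: URL.
        $attrs = preg_replace('/\s+(href|src)\s*=\s*("\s*javascript:[^"]*"|\'\s*javascript:[^\']*\'|javascript:[^\s>]+)/i', '', $attrs);

        return '<' . $slash . $name . $attrs . '>';
    }, $content);
}

// Constructed sample list and input, to show the effect: the <script>
// tags and the onclick/javascript: attributes go, the allowed tags stay.
$allowedTags = array('strong', 'em', 'p', 'a');
$sample = '<p>Hi <strong onclick="x()">there</strong>'
        . ' <script>alert(1)</script> <a href="javascript:alert(1)">link</a></p>';
echo check_html($sample, $allowedTags), "\n";
```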

Readie

12:39 am on Mar 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ahh, yes I can see how that would work.

Thanks :)