Member Avatar for developer707

Hello,

After searching over the internet how to secure a web application(forms) in PHP,
in most of the cases were just suggestions not a short and real example.

In some cases is suggested to use strip_tags( trim( $_POST['PARAMETER'] ) );
but when you have some special inputs like comments field
htmlentities ( trim ( $_POST[ ‘comment’ ] ) , ENT_NOQUOTES ); is suggest.

Maybe there is a useful example (custom made function) to achieve standard safe methods without introducing complicated libraries like HTMLPurifier into the application.

Thank you for your time!

  • 4 Contributors
  • 5 Replies
  • 3K Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by developer707
Member Avatar for alan.davies

Depends what you need to do with the data. If you're expecting specfic types then you can 'filter' to either validate or sanitize. You can also cast to specific types, trim etc. Use prepared statements for DB queries.

Assume ALL data from a form is suspect. OWASP has great details on how to protect yourself. One other thing to mention is to use a nonce to help protect your form from being forged.

https://www.owasp.org/index.php/ASVS_V5_Input_validation_and_output_encoding

There are further refs at the bottom of the page. Essential reading.

Edited by alan.davies
Member Avatar for jkon

Don't sanitize , in that way. ALWAYS use PREPARED STATEMENTS (sorry for my caps … but yes I am yelling). A logical confirmation is almost always required (both front-end and back-end). eg. Is this string an integer is it in a valid currency format , is it a valid phone etc . That could be done with a simple String Utils class.

Member Avatar for developer707

Sorry regarding my terminology, maybe it is misleading.

Till now in most of the cases I am dealing with this parameters types:

  1. Integers(Numbers, IDs), that I secure them with
    $id = (int)$_POST['parameter'];

  2. Strings(Article Titles, Names), after some tests this functions fits my needs, but I am not sure if it is really secure!
    $title = strip_html_tags($_POST['parameter']);
    https://csiphp.com/blog/2016/05/02/stop-writing-your-own-strip-tags/

  3. Strings(Comments, Article contents, Profile description).
    In this scenarion I don't know how to secure this kind of information.
    To let the users adding securely some links, ul, li etc(pretty much the tags that allow daniweb editor).
    I have read some cases that the attacker can add malicious codes even on the image like:
    <img SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Could you share a function/class that is mainly used on this cases?

Thank you!

Member Avatar for developer707

@jkon, regarding Databases queries I think that I am using the recommended way, here is an example:

try {
    $query          = 'INSERT INTO
                        requests (
                            `request_id`, `email`, `ip`
                        )
                        VALUES (
                            :request_id, :email, :ip
                        );';
    $stmt           = $dbconnection->prepare($query);
    $stmt->bindParam(':request_id', $request_id, PDO::PARAM_INT);
    $stmt->bindParam(':email', $email, PDO::PARAM_STR);
    $stmt->bindParam(':ip', $ip, PDO::PARAM_STR);
    $stmt->execute();
} catch(PDOException $exception) {
    $_SESSION['ERROR_CODE'] = $exception->getCode();
    $_SESSION['ERROR_MSG']  = $exception->getMessage();
}
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.