Form Validation Security - Am I Doing Enough?

[ReindeerF]

Hello sitepointers!

It's the usual form field question, but I'm looking to get specific. I've scoured the search function on here and devshed and there's a lot of good advice but it's scattered about and often written generally instead of in specific code (for obvious reasons). So here is my question:

I am validating user input into form fields in several ways (magic quotes is on on the server I'm using). This questions pertains to form data that will not be passed to an include via the querystring or POST, but simply inserted into the database.

Checking for syntactical problems first - is field empty? is field too long? Where possible, does field consist of only alphanumerics? Where field should be int, cast field as int.

Trimming field - take each field and strip to its maximum possible field length in the database.

Escape field - surrounding field with mysql_escape_string to make sure that various quotes and things get escaped properly for insertion.

At this point, data is inserted into/updated in the database.

What more can I be doing? I forgot to mention that I am only quoting non-numeric fields in the queries. Now it's entirely possible that I have a number of misconceptions, but I'm tired of feeling like I don't do enough and I would genuinely like some feedback from people more knowledgable than me (which seems like it might be just about anyone who can build a total site in PHP ^__^ kekeke)

Thanks for any help you can offer!

[Rebort]

You want to make sure users can't inject SQL commands via GET or POST, or by using your form directly. You probably also want to make sure people can't insert HTML as well.

See:

http://us2.php.net/manual/en/functio...ecialchars.php
http://us2.php.net/manual/en/function.htmlentities.php
http://us2.php.net/manual/en/function.strip-tags.php

[duuudie]

Also, check the expected length of the data.

Here is some code to check the data:

PHP Code:

function checkIncomingData($idata, $minsize, $maxsize) 
{

   if ( 
   
         $idata == '' 
         
   or  
   
         strlen($idata)<$minsize

   or  
   
         strlen($idata)>$maxsize 
      
      ) 
   {
      
      return false;
   
   }
   
   else
   
   {
      
      return true;
   
   }
} 


you can add as many checks as you want. The $idata == '' part and $idata<somelength is somewhat redundant, but I keep it to display different error messages.

here is a function that cleans your data. mysql_real_escape_string is a little more torough than addslashes.

PHP Code:

//make sure that nothing bad can be entered by the user (-->sql injection attack)

function cleanIncomingData($idata) 
{

   $cleaned = trim($idata); 
   $cleaned = mysql_real_escape_string($cleaned);

   return $cleaned;
} 


you would typically use these functions like this:

PHP Code:


if (

      !checkIncomingData($_POST['categoryname'], 1, 100)
   
or

      !checkIncomingData($_POST['pagetitle'], 1, 100)
   
or

      !checkIncomingData($_POST['pagetexttitle'], 1, 100)
   

or

      !checkIncomingData($_POST['pagetext'], 1, 50000)
   

   ) 
   
{

   header('Location:' . $url . 'errormessage.php');
    
}

else

{

   $categoryname  = cleanIncomingData($_POST['categoryname']);
   $pagetitle     = cleanIncomingData($_POST['pagetitle']);
   $pagetexttitle = cleanIncomingData($_POST['pagetexttitle']);
   $pagetext      = cleanIncomingData($_POST['pagetext']);

  //insert in db
} 


Next step will obviously be to check the expected data type etc...