  1. #1
    SitePoint Member
    Join Date: Jun 2004
    Location: Bangkok, Thailand
    Posts: 10

    Form Validation Security - Am I Doing Enough?

    Hello sitepointers!

    It's the usual form field question, but I'm looking to get specific. I've scoured the search function on here and devshed and there's a lot of good advice but it's scattered about and often written generally instead of in specific code (for obvious reasons). So here is my question:

    I am validating user input into form fields in several ways (magic quotes is on on the server I'm using). This question pertains to form data that will not be passed to an include via the querystring or POST, but simply inserted into the database.

    Checking for syntactical problems first - is field empty? is field too long? Where possible, does field consist of only alphanumerics? Where field should be int, cast field as int.

    Trimming field - take each field and strip to its maximum possible field length in the database.

    Escape field - surrounding field with mysql_escape_string to make sure that various quotes and things get escaped properly for insertion.

    At this point, data is inserted into/updated in the database.

    What more can I be doing? I forgot to mention that I am only quoting non-numeric fields in the queries. Now it's entirely possible that I have a number of misconceptions, but I'm tired of feeling like I don't do enough and I would genuinely like some feedback from people more knowledgeable than me (which seems like it might be just about anyone who can build a total site in PHP ^__^ kekeke)

    Thanks for any help you can offer!

  2. #2
    SitePoint Member
    Join Date: Jan 2005
    Location: San Francisco
    Posts: 13

    You want to make sure users can't inject SQL commands via GET or POST, or by using your form directly. You probably also want to make sure people can't insert HTML as well.

    See:

    http://us2.php.net/manual/en/functio...ecialchars.php
    http://us2.php.net/manual/en/function.htmlentities.php
    http://us2.php.net/manual/en/function.strip-tags.php

  3. #3
    duuudie (gimme the uuuuuuuuuuu)
    Join Date: Feb 2004
    Location: Switzerland
    Posts: 2,253

    Also, check the expected length of the data.

    Here is some code to check the data:

    PHP Code:
    // returns true when the data is present and its length lies within [$minsize, $maxsize]
    function checkIncomingData($idata, $minsize, $maxsize)
    {
       if (
             $idata == ''
          or strlen($idata) < $minsize
          or strlen($idata) > $maxsize
          )
       {
          return false;
       }
       else
       {
          return true;
       }
    }

    you can add as many checks as you want. The $idata == '' part and $idata<somelength is somewhat redundant, but I keep it to display different error messages.

    here is a function that cleans your data. mysql_real_escape_string is a little more thorough than addslashes.
    PHP Code:
    //make sure that nothing bad can be entered by the user (-->sql injection attack)
    function cleanIncomingData($idata)
    {
       // strip surrounding whitespace, then escape quotes etc. for use inside a quoted SQL string
       $cleaned = trim($idata);
       $cleaned = mysql_real_escape_string($cleaned);

       return $cleaned;
    }


    you would typically use these functions like this:

    PHP Code:
    if (
          !checkIncomingData($_POST['categoryname'], 1, 100)
       or !checkIncomingData($_POST['pagetitle'], 1, 100)
       or !checkIncomingData($_POST['pagetexttitle'], 1, 100)
       or !checkIncomingData($_POST['pagetext'], 1, 50000)
       )
    {
       // at least one field failed a check: send the user to the error page
       header('Location:' . $url . 'errormessage.php');
    }
    else
    {
       $categoryname  = cleanIncomingData($_POST['categoryname']);
       $pagetitle     = cleanIncomingData($_POST['pagetitle']);
       $pagetexttitle = cleanIncomingData($_POST['pagetexttitle']);
       $pagetext      = cleanIncomingData($_POST['pagetext']);

       //insert in db
    }


    Next step will obviously be to check the expected data type etc...
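
    Added example, not code from this thread or any poster: it runs the checks from the first post (empty, length, alphanumeric-only, int cast) and the length check from post #3 on one form, undoes magic quotes first so the value is not escaped twice, and does the insert with a PDO prepared statement instead of mysql_real_escape_string (a swapped-in technique the thread does not use). The table, column names, DSN and credentials are hypothetical.

```php
<?php
// Added example (not from the thread). Validate form fields, then insert them
// with placeholders so the database driver handles quoting instead of the script.
// Assumed: table `pages`, its columns, and the PDO DSN/credentials below.

function undoMagicQuotes($value)
{
    // With magic_quotes_gpc on, $_POST values already carry backslashes;
    // escaping them again (mysql_real_escape_string, addslashes) double-escapes.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Returns the trimmed value, or null when the field fails a check.
function validateField($value, $minLen, $maxLen, $alnumOnly = false)
{
    $value = trim(undoMagicQuotes((string) $value));
    if ($value === '' || strlen($value) < $minLen || strlen($value) > $maxLen) {
        return null;                    // empty or outside the allowed length
    }
    if ($alnumOnly && !ctype_alnum($value)) {
        return null;                    // only [A-Za-z0-9] accepted for this field
    }
    return $value;
}

$categoryname = validateField(isset($_POST['categoryname']) ? $_POST['categoryname'] : '', 1, 100, true);
$pagetitle    = validateField(isset($_POST['pagetitle']) ? $_POST['pagetitle'] : '', 1, 100);
$pagetext     = validateField(isset($_POST['pagetext']) ? $_POST['pagetext'] : '', 1, 50000);
$pageid       = (int) (isset($_POST['pageid']) ? $_POST['pageid'] : 0);  // numeric: cast, never quote

if ($categoryname === null || $pagetitle === null || $pagetext === null || $pageid < 1) {
    header('Location: errormessage.php');
    exit;
}

// Placeholders keep the data out of the SQL text, so no escaping step is needed and
// the value is stored exactly as typed (quotes and backslashes included).
$pdo  = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpassword'); // hypothetical
$stmt = $pdo->prepare(
    'INSERT INTO pages (id, categoryname, pagetitle, pagetext) VALUES (?, ?, ?, ?)'
);
$stmt->bindValue(1, $pageid, PDO::PARAM_INT);
$stmt->bindValue(2, $categoryname, PDO::PARAM_STR);
$stmt->bindValue(3, $pagetitle, PDO::PARAM_STR);
$stmt->bindValue(4, $pagetext, PDO::PARAM_STR);
$stmt->execute();
```

    Length checks still belong in the script even with prepared statements, since the driver only prevents the data from being parsed as SQL; it does not enforce the column sizes the first post trims to.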
