
Securing your PHP forms - Discussion!


sourcez

Established Member
Impact
12
I'm looking for people to suggest new ways (or just how they do it) of protecting their forms for different types of input.

I'm talking database protection, so stop people from injecting bad code.

Input types:
  • Username - I usually just limit the user to numbers and letters, strip anything else with preg_replace
  • Password - Just md5?
  • Comments Box - What about if I want it to display HTML as plaintext when I pull the values back out of the database? Normally just htmlspecialchars it with ENT_QUOTES.
  • Anything else you can think of!

Need some fresh ideas, as I am looking to go back and review all the forms I've made on different sites over the years, improve performance, allow extra characters, etc.
 
Last edited:
0
•••
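As an added example (not code posted in this thread, and not from any of the sites mentioned), here is one way of handling the input types listed above with the tools PHP itself provides: a whitelist check for the username that rejects rather than strips, password_hash() (salted bcrypt) rather than unsalted md5(), a PDO prepared statement for the comment so quotes in the data can never change the query, and htmlspecialchars() with ENT_QUOTES applied when the comment is displayed, not when it is stored. The table names, the field names, the submissions and the in-memory SQLite database are all constructed for the demo so it runs offline; against MySQL you would only change the DSN.

```php
<?php
// Added example, not code from the thread: a small form handler that validates,
// hashes, stores with bound parameters, and escapes on output.
// Schema, field names and submissions below are constructed for the demo.

declare(strict_types=1);

/** Whitelist a username: letters, digits, underscore, 3-20 chars. Returns null on failure. */
function validateUsername(string $username): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) === 1 ? $username : null;
}

/** Salted, slow hash (bcrypt by default); the stored value differs for every user. */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Escape a stored value for HTML output so tags and quotes are rendered as text. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
}

/** Handle one form submission. Returns an error message, or null on success. */
function handleSubmission(PDO $db, array $post): ?string
{
    $username = validateUsername((string) ($post['username'] ?? ''));
    if ($username === null) {
        return 'Username must be 3-20 letters, digits or underscores.';
    }
    $password = (string) ($post['password'] ?? '');
    if (strlen($password) < 8) {
        return 'Password must be at least 8 characters.';
    }
    $comment = (string) ($post['comment'] ?? '');
    if (strlen($comment) > 2000) {
        return 'Comment too long.';
    }

    // Values are bound, never concatenated into the SQL string.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => hashPassword($password)]);
    $userId = (int) $db->lastInsertId();

    // The comment is stored exactly as typed; HTML escaping happens when it is displayed.
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $comment]);
    return null;
}

/** Check a login attempt against the stored hash. */
function verifyLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, (string) $hash);
}

/** Render every comment as HTML, escaping both the username and the body. */
function renderComments(PDO $db): string
{
    $html = '';
    $rows = $db->query('SELECT u.username, c.body FROM comments c JOIN users u ON u.id = c.user_id');
    foreach ($rows as $row) {
        $html .= '<p><b>' . escapeHtml($row['username']) . '</b>: ' . escapeHtml($row['body']) . "</p>\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');   // constructed: swap for a MySQL DSN in a real site
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Constructed submissions: one clean, one carrying an SQL quote and a script tag, one invalid.
$submissions = [
    ['username' => 'alice_01',  'password' => 'correct horse battery', 'comment' => "Hello, it's me"],
    ['username' => 'bob',       'password' => 'longenough1',           'comment' => "<script>alert(1)</script> O'Brien says hi"],
    ['username' => 'bad name!', 'password' => 'x',                     'comment' => ''],
];
foreach ($submissions as $post) {
    $err = handleSubmission($db, $post);
    echo $err === null ? "stored {$post['username']}\n" : "rejected: $err\n";
}
echo renderComments($db);
var_dump(verifyLogin($db, 'alice_01', 'correct horse battery'));
var_dump(verifyLogin($db, 'alice_01', 'wrong password'));
```

The point of the split is that each defence sits where its context is known: the database layer only needs the value to be a bound parameter, and the HTML layer only needs it escaped for HTML, so the raw comment (including its quotes and angle brackets) can be stored faithfully and still come back out harmlessly.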
You also want to use mysql_real_escape_string (PHP: mysql_real_escape_string - Manual), and make sure they can't do any HTML like <script> because that leaves you open to XSS.

You may also want to look at the PHP function filter() for validating specific types of inputs.
 
1
•••
For securing forms generally (without a connection to a database) you can use a regexp (preg_replace) or htmlentities()

If you are connected to a database you may use something like:
htmlentities(mysql_real_escape_string($VariableName));

just to be sure :)
 
0
•••
You also want to use mysql_real_escape_string (PHP: mysql_real_escape_string - Manual), and make sure they can't do any HTML like <script> because that leaves you open to XSS.

You may also want to look at the PHP function filter() for validating specific types of inputs.

100% agreed, however just one caveat: ensure that magic_quotes_gpc is disabled before using mysql_real_escape_string, otherwise you could be escaping something that has already been escaped, which could cause issues.

If magic quotes is enabled, be sure to disable it in the php.ini file or the .htaccess file. It can be turned off within the script, but at that point it is too late, as the work that this setting does would already have been carried out.
 
1
•••
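To make the double-escaping problem from the post above concrete, here is an added example (my own, not code from the thread). addslashes() stands in both for what magic_quotes_gpc did to $_POST and for the SQL escaping step, so it runs offline without a MySQL connection; the input value is constructed. It shows the value the database would receive when an already-escaped field is escaped again, and the usual guard (get_magic_quotes_gpc() plus stripslashes()) that normalises the input before escaping it once.

```php
<?php
// Added example, not code from the thread: double escaping under magic_quotes_gpc
// and the guard that avoids it. addslashes() is a stand-in for both magic quotes
// and mysql_real_escape_string(); the input is constructed.

declare(strict_types=1);

/** True only on a runtime that still applies magic quotes (PHP < 5.4; the function is gone in PHP 8). */
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && (bool) @get_magic_quotes_gpc();
}

/** Return the field as the user typed it, undoing magic quotes if they were applied. */
function rawInput(string $fieldValue, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($fieldValue) : $fieldValue;
}

/** Stand-in for mysql_real_escape_string(): a backslash before each quote and backslash. */
function escapeForSql(string $value): string
{
    return addslashes($value);
}

/** Escape a request field exactly once, whatever the magic_quotes_gpc setting is. */
function escapeOnce(string $fieldValue, bool $magicQuotesOn): string
{
    return escapeForSql(rawInput($fieldValue, $magicQuotesOn));
}

$typed = "O'Reilly";               // constructed user input
$withMagic = addslashes($typed);   // what $_POST['name'] held on a server with magic_quotes_gpc=On

echo "typed:                    $typed\n";
echo "\$_POST with magic quotes: $withMagic\n";
echo "escaped again (wrong):    " . escapeForSql($withMagic) . "\n";
echo "stripped, then escaped:   " . escapeOnce($withMagic, true) . "\n";
echo "this runtime:             " . escapeOnce($typed, magicQuotesActive()) . "\n";
```

The "escaped again" line is what ends up in the table as a literal backslash followed by the quote, which is the corruption the post warns about; the guard only strips when magic quotes really were applied, so it is safe to leave in place on servers where the setting is already off.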
Don't worry I always make sure magic_quotes is off. Pain in the arse!

mysql_real_escape_string is a new addition; don't know why I wasn't using it before. It has let me simplify a load of stuff!

Thanks for the comments guys :)
 
0
•••
I've been using something like this (and of course escaping if going into database):
PHP:
/**
 * Strip any unsafe tags/chars/attributes from input values.
 *
 * @param  string   $value       Value to be cleaned
 * @param  boolean  $strip_crlf  Strip \r\n ?
 * @param  boolean  $is_email    Pass it through the email filter?
 * @return string                Sanitized value.
 */
function sanitize($value, $strip_crlf = true, $is_email = false)
{
	// Drop any ampersand that is not the start of an entity (&amp; &#123; etc).
	$value = preg_replace('@&(?!(#[0-9]+|[a-z]+);)@si', '', $value);

	if ($is_email)
	{
		/**
		 * PHP versions older than 5.2.11 have bugs
		 * in FILTER_SANITIZE_EMAIL
		 */
		if (version_compare(PHP_VERSION, '5.2.11', '>='))
		{
			$value = filter_var($value, FILTER_SANITIZE_EMAIL);
		}
	}
	else
	{
		// Strips tags and encodes quotes; FILTER_FLAG_STRIP_HIGH drops bytes above 127.
		// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
		$value = filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
	}

	// Strip newline characters, and any whitespace directly after them, if $strip_crlf is true.
	// A lone "\n" is removed too, not only "\r\n" pairs.
	if ($strip_crlf)
	{
		$value = preg_replace('@[\r\n]\s*@', '', $value);
	}

	return clean($value);
}

/**
 * Clean values pulled from the database, although
 * could be used on anything.
 *
 * Cleans either a string, or can clean an entire
 * array of values:
 *	clean($array);
 *
 * @param  mixed  $value  Value to be cleaned
 * @return mixed          Cleaned array or string.
 */
function clean($value)
{
	if (is_array($value))
	{
		foreach ($value as $key => $val)
		{
			if (is_string($val))
			{
				$value[$key] = trim(stripslashes($val));
			}
			else if (is_array($val))
			{
				// Recurse into nested arrays.
				$value[$key] = clean($val);
			}
		}
		return $value;
	}
	// stripslashes() undoes magic_quotes_gpc-style escaping; trim() removes surrounding whitespace.
	return trim(stripslashes($value));
}

So something like
PHP:
$name = sanitize($_POST['name']);
$email = sanitize($_POST['email'], true, true);
 
1
•••
Thanks for that, I'm liking the comments you've put in & the multi-use functions; I might include some similar features!
 
0
•••
