form validation security
Posted: Tue Jun 24, 2003 1:47 pm
by m@ndio
Hi,
Can someone tell me how secure this code is?
Plus, is this the best way to do what I am trying to do?
Don't worry, it's not much code.
Code:
<?php
if (isset($_POST["Xon"])) {
    // the user submitted the form: start validation
    $errors = array();
    if (empty($_POST["username"])) {
        $errors[] = "You have not completed the <b>username</b> field";
    }
    if (empty($_POST["password"])) {
        $errors[] = "You have not completed the <b>password</b> field";
    }
    // if there were errors, show the form and pass the errors back to the function
    if (count($errors) > 0) {
        showtheform($errors);
    } else {
        // validation OK, enter data into db now
        echo "data entered into DB";
    }
} else {
    // the user either did not submit the form or the script was called directly
    showtheform();
}

// $errors defaults to an empty array so the no-argument call above is valid
function showtheform($errors = array()) {
?>
<html>
<head>
<title>Registration - register.php</title>
</head>
<body>
<?php
if (count($errors) > 0) {
    echo "Please correct the following mistakes:<ul>";
    for ($i = 0; $i < count($errors); $i++) {
        echo "<li>" . $errors[$i];
    }
    echo "</ul>";
}
?>
<form method="post" action="register.php">
<TABLE>
<TR>
<TD><b>Username: </b></TD>
<TD><input type="text" size="20" name="username" value="<?= isset($_POST["username"]) ? $_POST["username"] : "" ?>"></TD>
</TR>
<TR>
<TD><b>Password: </b></TD>
<TD><input type="password" size="20" name="password"></TD>
</TR>
<TR>
<TD colspan="2"><input type="submit" name="Xon"></TD>
</TR>
</TABLE>
</form>
</body>
</html>
<?php
}
?>
Posted: Tue Jun 24, 2003 1:51 pm
by JPlush76
Well, it looks like you're only checking to see if someone filled in anything in the form. What if they put a bunch of HTML code in there? What if they put a bunch of numbers in their name field?
What if they put in exec code that can go right into your database? The question should be what exactly you're doing with the form.
Just how secure do you need it to be? You can get pretty crazy on form validation, such as:
Did the user submit the username field?
Is this name field all letters?
Does this name field contain any apostrophes that might corrupt my database table?
Does this name field contain HTML code that will mess up my display when I show them their name?
Posted: Tue Jun 24, 2003 2:00 pm
by nielsene
JPlush76 raises all the good points. XSS (cross-site scripting) and SQL injection are the two main things to watch out for from a security standpoint. Hence you should almost always be using addslashes and/or htmlspecialchars at some point. Your PHP settings may be doing the first one for you. But the second is important before displaying any user-submitted data that wasn't "cleansed" via a regexp (or "untainted", to use a Perl-ism).
A more esoteric thing to keep in mind:
Did the form come from your server, or was the form modified, published remotely, and submitted back to you? You either need to test for this method of attack or not trust results from checkboxes, radio boxes, select boxes, etc.
Posted: Tue Jun 24, 2003 2:07 pm
by m@ndio
How the heck do you check your last statement re: submitted back to you?
Posted: Tue Jun 24, 2003 2:12 pm
by nielsene
A simple check is the HTTP_REFERER
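A worked version of the form-origin check, added here as an example and not code from the thread: HTTP_REFERER is a header the client chooses to send (and many browsers and proxies omit or strip it), so this example instead puts a random token into the session, embeds it in the form, and rejects any submission whose token does not match the one stored server-side. The Referer/Origin comparison is kept only as a secondary signal. It assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types) with sessions enabled; the field names are made up for the example.

```php
<?php
// Added example (not the thread's code): bind the form to the visitor's session with a
// random token so a copy of the form hosted elsewhere cannot be submitted back to us.
// session_start() must run before any output is sent.
session_start();

// Issue one token per session and keep it server-side.
function form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Compare the submitted token with the stored one; hash_equals() runs in constant time.
function form_token_valid(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

// Secondary signal: when Origin or Referer is present it should name this host.
// Both headers are supplied by the client, so a mismatch is a reject but an absent
// header is inconclusive and we fall back on the token alone.
function origin_looks_local(string $expected_host): bool {
    $hdr = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($hdr === '') {
        return true;
    }
    $host = (string) parse_url($hdr, PHP_URL_HOST);
    return strcasecmp($host, $expected_host) === 0;
}

$server_host = $_SERVER['SERVER_NAME'] ?? 'localhost';

if (isset($_POST['Xon'])) {
    if (!form_token_valid($_POST['token'] ?? null) || !origin_looks_local($server_host)) {
        http_response_code(403);
        exit('Form submission did not originate from this site.');
    }
    // ... continue with the username/password validation from the original script ...
    echo 'token accepted';
} else {
    // The hidden field carries the token; it is escaped like any other output.
    $token = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="register.php">';
    echo '<input type="hidden" name="token" value="' . $token . '">';
    echo 'Username: <input type="text" name="username"> ';
    echo 'Password: <input type="password" name="password"> ';
    echo '<input type="submit" name="Xon" value="Register">';
    echo '</form>';
}
```

The token answers the question "did this form come from my server?" for this visitor's session; it does not stop a visitor from editing the values in the form they were given, so the field-by-field validation discussed in the rest of the thread is still needed.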
Posted: Tue Jun 24, 2003 3:18 pm
by m@ndio
another quick question:
I just added the htmlspecialchars and stripslashes tags, but I am not sure if it's doing its job right?
here is a link to the page:
http://www.mandio.com/membership/register.php
and here is my code:
Code:
<?php
if (isset($_POST["Xon"])) {
    // the user submitted the form: start validation
    $errors = array();
    if (empty($_POST["username"])) {
        $errors[] = "You have not completed the <b>username</b> field";
    }
    if (empty($_POST["password"])) {
        $errors[] = "You have not completed the <b>password</b> field";
    }
    // if there were errors, show the form and pass the errors back to the function
    if (count($errors) > 0) {
        showtheform($errors);
    } else {
        $F_username = htmlspecialchars(stripslashes($_POST["username"]));
        // validation OK, enter data into db now
        echo "data entered into DB<p>values after formatting are:<p>username: " . $F_username
            . "<p>password: " . $_POST["password"];
    }
} else {
    // the user either did not submit the form or the script was called directly
    showtheform();
}

// $errors defaults to an empty array so the no-argument call above is valid
function showtheform($errors = array()) {
?>
<html>
<head>
<title>Registration - register.php</title>
</head>
<body>
<?php
if (count($errors) > 0) {
    echo "Please correct the following mistakes:<ul>";
    for ($i = 0; $i < count($errors); $i++) {
        echo "<li>" . $errors[$i];
    }
    echo "</ul>";
}
?>
<form method="post" action="register.php">
<TABLE>
<TR>
<TD><b>Username: </b></TD>
<TD><input type="text" size="20" name="username" value="<?= isset($_POST["username"]) ? $_POST["username"] : "" ?>"></TD>
</TR>
<TR>
<TD><b>Password: </b></TD>
<TD><input type="password" size="20" name="password"></TD>
</TR>
<TR>
<TD colspan="2"><input type="submit" name="Xon"></TD>
</TR>
</TABLE>
</form>
</body>
</html>
<?php
}
?>
Posted: Tue Jun 24, 2003 3:21 pm
by m@ndio
How would I check if any crap was entered and, if it was, remove it all? Is there a function that removes any characters that are not a-z or 0-9?
Posted: Tue Jun 24, 2003 3:29 pm
by nielsene
You generally want to:
addslashes before inserting data into the database (if magic_quotes is off)
stripslashes before display from the database or from magic_quotes
htmlspecialchars before redisplaying the form with old data OR displaying data from the database (or stick it into the database with htmlspecialchars)
Check out the ereg_replace / preg_replace functions for removing/cleansing user input.
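The sequence nielsene lists, worked through as an added example (not the thread's code): the slashes that magic_quotes_gpc adds are stripped exactly once on the way in, the database write uses a PDO prepared statement in place of addslashes so quoting is the driver's job, and htmlspecialchars runs only at the point where the value is written into HTML, whether it came from $_POST or from the database. The `users` table and its column names are made up for the example; it runs offline against an in-memory SQLite database (needs the pdo_sqlite extension, PHP 7 or later) with a constructed $_POST.

```php
<?php
// Added example (not the thread's code). Table and column names are hypothetical.

// 1. Undo magic_quotes_gpc so the rest of the code sees the raw value exactly once.
//    The setting was removed in PHP 5.4; the guard keeps this harmless on any version.
function raw_input(string $key): string {
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Store via a prepared statement: data travels separately from the SQL text, so an
//    apostrophe in the username cannot change the statement.
function insert_user(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :p)');
    return $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // store a hash, not the clear text
    ]);
}

// 3. Escape for HTML at the moment of output, not before storage.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Constructed input standing in for a submitted form: an apostrophe and some markup.
$_POST = ['username' => "o'brien<b>x</b>", 'password' => 'hunter2'];

$username = raw_input('username');
$password = raw_input('password');
insert_user($db, $username, $password);

// Read it back and redisplay it in the form, escaped for the attribute context.
$stored = $db->query('SELECT username FROM users')->fetchColumn();
echo 'stored literally as: ' . $stored . "\n";
echo '<input type="text" name="username" value="' . h($stored) . '">' . "\n";
```

The stored row keeps the apostrophe and the angle brackets as plain characters, which is what you want in the database; the second echo shows them turned into entities so the browser renders text rather than markup. Escaping before storage (the "stick it into the database with htmlspecialchars" option) works too but ties the stored data to one output context, so escaping at output is the more general habit.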
Posted: Tue Jun 24, 2003 3:32 pm
by m@ndio
thanks nielsene
Posted: Tue Jun 24, 2003 3:34 pm
by m@ndio
I think I have cracked it. This seems to work; how feasible is this?
Code:
if(!ereg ("[a-zA-Z]{,}", $_POST["username"])){
$errors[] = "You have entered <b>invalid characters</b>";
}
Posted: Tue Jun 24, 2003 3:41 pm
by nielsene
I'd rather use '+' or '*' instead of "{,}", but if it works, it works....
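An allowlist version of the last check, added as an example and not code from the thread. ereg() was removed in PHP 7, so this uses preg_match(); more importantly, the pattern in the post above is not anchored, so it only asks whether a letter occurs somewhere in the string, and any value containing one letter passes. Anchoring with ^ and $ makes the whole value, start to end, consist of permitted characters. The length limits, the contrast function and the sample inputs are constructed for the example.

```php
<?php
// Added example (not the thread's code): allowlist validation of a username.

// Accept only if the entire value is 3 to 20 letters or digits.
function username_is_valid(string $username): bool {
    return preg_match('/^[A-Za-z0-9]{3,20}$/', $username) === 1;
}

// The unanchored form of the original test: satisfied by a letter anywhere.
function contains_a_letter(string $username): bool {
    return preg_match('/[A-Za-z]+/', $username) === 1;
}

// Constructed inputs covering the cases raised earlier in the thread.
$samples = [
    'mandio',                      // plain name
    'user123',                     // digits mixed in
    "o'brien",                     // apostrophe (the database concern)
    '<b>bob</b>',                  // HTML (the display concern)
    "x'; --",                      // SQL metacharacters
    '',                            // nothing submitted
    'abcdefghijklmnopqrstuvwxyz',  // too long
];

printf("%-32s %-18s %s\n", 'input', 'letter anywhere', 'anchored allowlist');
foreach ($samples as $s) {
    printf("%-32s %-18s %s\n",
        var_export($s, true),
        contains_a_letter($s) ? 'pass' : 'reject',
        username_is_valid($s) ? 'pass' : 'reject');
}
```

Rejecting the input (and telling the user which characters are allowed) is usually preferable to silently deleting characters with preg_replace, since a stripped value may no longer be the name the user intended and the user has no way of knowing. Whichever you choose, the allowlist is a validation step, not a substitute for the escaping and parameterized queries discussed above.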