form protection

roice
Forum Commoner
Posts: 35
Joined: Tue Mar 02, 2010 9:14 am

form protection

Post by roice »

Hello
I created a PHP form where my users can post ads.
I know that it can lead to a break-in and that is why we are using htmlspecialchars(), mysql_real_escape_string() and stripslashes(). The problem is that I don't know where to use each one of them.

If the input is "name" (<input type='text' name='name' />), how should the POST be handled?
Like this:
$name = htmlspecialchars($_POST['name']);
or like this:
$name = mysql_real_escape_string($_POST['name']);
or maybe like this:
$name = trim(stripslashes($_POST['name']));
?

What about printing to the screen, the stage where I get the data from the SQL:

$query = mysql_query("SELECT * FROM `sells` ");
$index = mysql_fetch_array($query);
$name = $index['name'];

Should it be:
$name = htmlspecialchars($index['name']);
or like this:
$name = mysql_real_escape_string($_POST['name']);
or maybe like this:
$name = trim(stripslashes($_POST['name']));

?

Thanks in advance!
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: form protection

Post by social_experiment »

A good practice is to use both options (well, 3 if you count trim()).


<?php
 // before sending the data to the query
 $name = trim($_POST['name']);
 $new_name = htmlentities($name);
?>
When you add it to the database you use mysql_real_escape_string(). The reason for htmlentities() is that it covers more characters than htmlspecialchars(), which only caters for the following (per the PHP manual):
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
When printing to the browser, the only issue you might have is additional slashes from data in the database. So when displaying you can use something to the effect of


<?php
 $value = stripslashes($value_from_db);
?>
A value that has been run through htmlentities() / htmlspecialchars() need not be 're-converted' because the offending values are converted to html-safe characters.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: form protection

Post by twinedev »

My preference is to always work with as much data in its original format (no adding slashes, converting to entities) as possible until it is needed in another format. I'm also a fan of the trim.

If you know for sure that there should be no HTML code in the input, then I recommend the following chunk at the top, after you have determined they did post something:


// Unselected Radios/Checkboxes will not be set in $_POST, so set them to be a default of a blank string
foreach(array('optPayment','chkTerms') as $strField) {
    if (!array_key_exists($strField,$_POST)) { $_POST[$strField] = ''; }
}

// Quick Cleanse of the post values
foreach($_POST as $key=>$val) {
    if (is_string($val)) { $_POST[$key] = trim(strip_tags($val)); }
}
// Only need this if there is a possibility of the code being on a server that auto adds slashes to variables
if (get_magic_quotes_gpc()) {
    foreach($_POST as $key=>$val) {
        if (is_string($val)) { $_POST[$key] = stripslashes($val); }
    }
}
Then from here on do your validation (never just trust client-side (JavaScript) validation).

Now when you go to add to a DB, use mysql_real_escape_string() (or use something like PDO, which will auto-add these). As for needing stripslashes(), IMO you should only be storing raw data in the database (see the last loop in my code, which prevents the slashes from getting to the DB).

I like to keep all "logic" before "presentation", so I keep all handling of forms and such above any HTML output. This way, the HTML part will just have <?php echo htmlspecialchars($_POST['txtWhatever']); ?> where needed. (I don't just automatically do it to all, as I may need to compare values later, i.e. they didn't fill out the form correctly, so I'm re-showing it with all the data they already entered, and I need to do comparisons for setting checkboxes/radios/selects.)

-Greg
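Putting both answers together (trim on input, escaping for the database only when storing, htmlspecialchars() only when echoing), as an added example that is not code from either poster: it uses PDO prepared statements, which twinedev mentions, in place of mysql_real_escape_string(); the `sells` table and `name` column come from the question, while the in-memory SQLite database, the 100-character limit and the function names are assumptions.

```php
<?php
// Added example (not from the thread): the three stages the posters describe,
// with each transformation applied once, at the boundary where it matters.
// Assumes a table `sells` with a column `name`, as in the original question.

// 1. Input: trim whitespace and validate; keep the raw text, no HTML escaping yet.
function readName(array $post): ?string
{
    if (!isset($post['name']) || !is_string($post['name'])) {
        return null;   // missing or not a string: treat as invalid
    }
    $name = trim($post['name']);
    return ($name === '' || strlen($name) > 100) ? null : $name;
}

// 2. Storage: a prepared statement keeps data separate from SQL (this replaces
//    mysql_real_escape_string()); the value is stored exactly as typed.
function insertSell(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO `sells` (`name`) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// 3. Output: escape for HTML only at the moment of echoing.
function sellsAsHtmlList(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT `name` FROM `sells`') as $row) {
        $html .= '  <li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Re-showing the submitted value when the form is redisplayed after an error:
function nameField(?string $value): string
{
    return "<input type='text' name='name' value='"
        . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "' />";
}

// Usage with constructed input; an in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE `sells` (`name` TEXT NOT NULL)');
$name = readName(['name' => "  O'Reilly <b>sale</b>  "]);
if ($name !== null) {
    insertSell($db, $name);
}
echo sellsAsHtmlList($db);
echo nameField($name);
```

Because the database holds the raw text, stripslashes() is never needed on the way out, and the same value can be compared for checkbox/select state before it is escaped for display.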