Validation and sanitisation of PHP code

Posted: Tue Jul 29, 2008 7:54 pm
by lhcpr
Hello all,

I have been fortunate enough to learn from a personal experience with regard to the abuse of an HTML form because I did not take sufficient security measures into consideration; one of these being input validation!!! A total PHP newbie, I have learnt my lesson and attempted to rectify the problem.

After some research, and although I am aware holy wars have been fought over this topic, I have chosen to do my validation using the php FILTER function. For me, this approach is more simplified for my level of php. I understand that there is an injection risk with SANITIZE_EMAIL, and have performed both the SANITIZE_EMAIL and VALIDATE_EMAIL functions to prevent this happening.

Before getting started, one question; what versions of PHP support FILTER function?

Ok, the aim of my form is to collect the following information:

1) First name: required
2) Last name: required
3) Email: not required
4) Message: required
5) Check box
6) Captcha code

My ultimate question is whether or not my attempt at validation / sanitisation is correct or if there are any glaringly obvious errors that stick out!

Thanks in advance,

Graham

Here we go:

<?php session_start();
 
// Setup code
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
 
// Checkbox handling (the checkbox is posted as an array; take its first value, or "" if unchecked)
$field_5_opts = isset($_POST['field_5'][0]) ? $_POST['field_5'][0] : "";
 
//From email for mail function
$femail = "xyz@gmail.com";
 
// Sanitize AND validate email (filter_var returns false if the address is not valid)
if (!empty($_POST['field_3'])) {
    $email = filter_var(filter_var($_POST['field_3'], FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);
}
else {
    $email = "";
}
 
// Sanitize input: the definition array is keyed by the POST field *names*,
// not by the posted values (the email is handled separately above)
$sanitize = array(
    'field_1' => array('filter' => FILTER_SANITIZE_STRING,
                       'flags'  => FILTER_FLAG_STRIP_LOW),
    'field_2' => array('filter' => FILTER_SANITIZE_STRING,
                       'flags'  => FILTER_FLAG_STRIP_LOW),
    'field_4' => array('filter' => FILTER_SANITIZE_STRING,
                       'flags'  => FILTER_FLAG_ENCODE_HIGH|FILTER_FLAG_ENCODE_LOW)
);
 
// Fields missing from the POST come back as null
$input = filter_input_array(INPUT_POST, $sanitize);
$name = $input['field_1'] . " " . $input['field_2'];
 
// Message body (the parts must be joined with the concatenation operator)
$message = $name . " says xyz!\n"
    . "Email address: " . $email . "\n"
    . "This is what " . $input['field_1'] . " has to say:\n"
    . $input['field_4'];
 
if ( (!empty($input['field_1'])) && (!empty($input['field_2'])) && (!empty($input['field_4'])) ) {
    // Check the captcha is present before comparing it with the session value
    if ( (!empty($_POST['security_code'])) && ($_SESSION['security_code']==$_POST['security_code']) && ($field_5_opts=="Yes") ) {
        //Mail function if check box is equal to Yes
        mail("vwx@gmail.com,wxy@gmail.com",$name . " says xyz",$message,"From: $femail");
        include("confirm.html");
    }
    //Validation and handling if check box is not equal to Yes
    elseif ( (!empty($_POST['security_code'])) && ($_SESSION['security_code']==$_POST['security_code']) && ($field_5_opts!="Yes") ) {
        // Mail function
        mail("vwx@gmail.com",$name . " says xyz",$message,"From: $femail");
        include("confirm.html");
    }
    else {
        echo "Invalid Captcha String.";
    }
}
else {
    echo "Form is incomplete. Please fill in required fields";
}
 
?>
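
Added example, not code from the post: the same validation written as a function over a plain array, using filter_var_array() (which takes the same definition array as filter_input_array()) so it runs from the command line on constructed input. The field names are the post's; the captcha value, addresses and the control characters in the sample name are made up, to show what FILTER_FLAG_STRIP_LOW removes before the name reaches the mail() Subject.

```php
<?php
// Added example, not the post's code; field names are the post's, values constructed.
function validate_contact_form(array $post, $expected_code)
{
    $definition = array(
        'field_1' => array('filter' => FILTER_SANITIZE_STRING, // deprecated since PHP 8.1
                           'flags'  => FILTER_FLAG_STRIP_LOW),
        'field_2' => array('filter' => FILTER_SANITIZE_STRING,
                           'flags'  => FILTER_FLAG_STRIP_LOW),
        'field_3' => FILTER_SANITIZE_EMAIL,
        'field_4' => array('filter' => FILTER_SANITIZE_STRING,
                           'flags'  => FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_LOW),
    );
    $clean  = filter_var_array($post, $definition); // missing keys come back as null
    $errors = array();
    foreach (array('field_1', 'field_2', 'field_4') as $f) {
        if (empty($clean[$f])) { $errors[] = "$f is required"; }
    }
    // Email is optional, but if given it must pass sanitise AND validate
    $email = '';
    if (!empty($clean['field_3'])) {
        $email = filter_var($clean['field_3'], FILTER_VALIDATE_EMAIL);
        if ($email === false) { $errors[] = 'field_3 is not a valid address'; }
    }
    // Strict string comparison: a loose == treats numeric-looking strings as equal
    $code = isset($post['security_code']) ? (string) $post['security_code'] : '';
    if ($code === '' || $code !== (string) $expected_code) {
        $errors[] = 'captcha mismatch';
    }
    $copy_second = isset($post['field_5'][0]) && $post['field_5'][0] === 'Yes';
    return array('errors' => $errors, 'clean' => $clean,
                 'email' => $email, 'copy_second' => $copy_second);
}

// Constructed input: the first name carries a CR/LF. Unfiltered, that would end
// the Subject line passed to mail() and start a new header line.
$sample = array(
    'field_1'       => "Graham\r\nX-Extra: injected",
    'field_2'       => 'Smith',
    'field_3'       => 'graham@example.invalid',
    'field_4'       => 'Hello there',
    'field_5'       => array('Yes'),
    'security_code' => '4871',
);
$r = validate_contact_form($sample, '4871');
// FILTER_FLAG_STRIP_LOW removed the CR and LF, so the subject stays on one line
assert(strpos($r['clean']['field_1'], "\n") === false);
assert($r['errors'] === array() && $r['email'] === 'graham@example.invalid');
```

Run with php on the command line; the asserts pass with the default zend.assertions setting of a development build, and `$r['clean']['field_1']` comes back as a single line.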

Re: Validation and sanitisation of PHP code

Posted: Tue Jul 29, 2008 10:19 pm
by Twayne
I just got through that exercise: Technically, version 5.x includes the filters you mention. However, due to bugs they often result in fatal errors; search for php filter_validate_email and you'll find several hits on the subject.
As I understand it, version 5.2.3 is the first rev with the fixes installed. I run 5.2.5 on my local Apache server and I know it functions well there. Unfortunately, however, my ISP is running 5.2.2 so ... good plan, poor execution due to insufficient upfront checking.
Also, as I understand it, the current filter technically isn't RFC compliant yet but I have no experience/knowledge of the actual details; I've only seen it mentioned in articles. I'm sure it's good for 99% of the situations though.

I'm just a newbie myself, but as for your code, I think I'd be sorely tempted to use the if(isset ... function.

And this one is purely personal opinion: In my case I have vision impaired visitors and they have a hard time with captcha codes. Heck, 20-20 folks have trouble with most of them!
Instead I have opted to change my captcha images to things like creating a random number, clearly readable, for the user to fill in, along with some also random, simple questions, such as how many digits are in the access code, what's your area code, what size shoe do you wear, things like that, that only a human can read & answer. Then, later in the process, I re-ask two of those questions (again randomly) and, using sessions, compare those entries to the original ones to be sure they are exactly the same. Just for good measure, I left in a captcha code image, invisible to the user, just to give bots something to work on; it's never used and the window is sized so it looks onscreen like an HR 50% rule line. When you think about it, there are lots of things you can do, including making emails plain text, watching for any banging on any page, counting page views, etc.

HTH

Re: Validation and sanitisation of PHP code

Posted: Wed Jul 30, 2008 6:18 pm
by lhcpr
Thanks for the feedback Twayne,

My server is running PHP version 5.25.

I can appreciate your requirements for your sight-impaired visitors; I used to have much to do with the blind school in Indianapolis.

But at this point, given my PHP experience and usage requirements, I think I may not be as thoughtful as yourself. I know that sounds mean.

I have looked at the issues with the Filter function and have attempted to resolve these in my code. The latest version on my server has the fixes too.

With regard to the correctness of the code + questions posed, any feedback / comments etc. are welcome. I would prefer to use the Filter functions at this point - pragmatism and ease of use. Equivalent regex suggestions are all well and good / welcome, but I am not very familiar with these and I would have to be walked through the whole thing.

Cheers and thanks in advance,

Graham