
Securing a form field

Posted: Sun Aug 10, 2008 4:29 am
by Addos
Hi,
I’m querying a database from a form field containing a user submitted numeric value to see if this number exists. If it does then let the user know it’s valid and if not then tell same.
My question is what sort of security should I use? I’m somewhat new still to PHP but wanted to build this script myself. So far my form simply uses this field to input the data.

Code:

<!-- htmlspecialchars() stops a submitted value from breaking out of the attribute when it is echoed back -->
<input type="text" name="v_number_1" value="<?php if (isset($_POST['v_number_1'])) echo htmlspecialchars($_POST['v_number_1'], ENT_QUOTES); ?>" size="32">
And I’m querying the database using this:

Code:

if (isset($_POST['v_number_1'])) {
    // raw form value, not escaped or validated yet
    $voucher_1 = $_POST['v_number_1'];

    mysql_select_db($database_*****, $***);
    // the value is interpolated straight into the SQL string here
    $query_GetVouchers1 = "SELECT * FROM vouchers WHERE v_number = '$voucher_1'";
    $GetVouchers1 = mysql_query($query_GetVouchers1, $***) or die(mysql_error());
    $row_GetVouchers1 = mysql_fetch_assoc($GetVouchers1);
    $totalRows_GetVouchers1 = mysql_num_rows($GetVouchers1);
}
So to secure this I’m using trim and strip_tags and was wondering what else I should use? I’ve read about Magic Quotes in the manual (difficult for a beginner) and was planning on adding these too however there is a little conflict about PHP 6 discouraging their use. I know that PHP 5 etc will be around for sometime but would welcome views/help on how to add magic quotes to the above.

Any pointers as to what I should use overall to secure this would be great.
Thanks

Re: Securing a form field

Posted: Sun Aug 10, 2008 4:56 am
by Addos
Would this be okay or does it reek of beginner’s code!!

Code:

if (isset($_POST['v_number_1'])) {
    // strip tags, trim whitespace, then escape for use inside a quoted SQL literal
    $voucher_1 = mysql_real_escape_string(trim(strip_tags($_POST['v_number_1'])));

    mysql_select_db($database_*******, $******);
    // the escaped value sits inside single quotes in the query
    $query_GetVouchers1 = "SELECT * FROM vouchers WHERE v_number = '$voucher_1'";
    $GetVouchers1 = mysql_query($query_GetVouchers1, $******) or die(mysql_error());
    $row_GetVouchers1 = mysql_fetch_assoc($GetVouchers1);
    $totalRows_GetVouchers1 = mysql_num_rows($GetVouchers1);
}

Re: Securing a form field

Posted: Sun Aug 10, 2008 6:34 am
by Apollo
Since you're using mysql_real_escape_string, it's fine. The trim and strip_tags aren't even necessary here, the escaping prevents any injection, and other crap in the string will have no effect since you're only matching it against the numbers in your DB.

However, because you're using numerical values here, I'd personally prefer using intval instead of mysql_real_escape_string.

Alternatively, you could also do something like $voucher_1 = preg_replace("/[^0-9]+/","",$voucher_1);
This will remove any non-numerical chars, so then (as with intval) it's perfectly safe to use in SQL queries. Both intval and the preg_replace will also trim the string, which improves user-friendliness (people can now copy-paste a number to your form from somewhere else without worrying if they accidentally copy along some whitespace in front, happens quite a lot).

The advantages of the preg_replace over intval are that it also supports arbitrary long numbers (intval would be limited to your system's integer size) and that it supports "broken" numbers. For example people may enter phone numbers or bank account numbers with spaces, dashes or whatever. The preg_replace just ditches those characters (keeping the remaining digits), while intval will break the number after the first non-digit.

One warning though: put quotes around the resulting value in the query, even though the content is guaranteed to be numerical. Strings that don't contain digits at all would result in an empty string (when using the preg_replace) which could mess up the query if not quoted.

Re: Securing a form field

Posted: Mon Aug 11, 2008 1:34 am
by Addos
Thank you so much. This was more than I expected and was very informative. Great help and a lot learned.
thanks again.

Re: Securing a form field

Posted: Mon Aug 11, 2008 5:53 am
by eskio
Here is another way

Code:

$voucher_1 = $_POST['v_number_1'];
if (!is_numeric($voucher_1)) {
    // tell the user that it is not numeric and exit
    exit;
} else {
    // is OK
}
.......
// the escaped value is quoted so the statement stays well-formed
$query_GetVouchers1 = "SELECT * FROM vouchers WHERE v_number = '" . mysql_real_escape_string($voucher_1) . "'";
.....
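To make the differences between the three cleaning approaches in this thread concrete (Apollo's intval versus preg_replace, and eskio's is_numeric check), here is an added PHP script that is not from any of the posts above. It runs the same constructed sample inputs through each approach and builds the quoted query string, without touching a database; the function names and sample values are my own.

```php
<?php
// Added example (not from the thread): compare the three ways of cleaning the
// voucher number and show why the result should be quoted in the query.
// Sample inputs are constructed for this demo; no database connection is made.

function clean_intval(string $raw): string
{
    // intval() skips leading whitespace, stops at the first non-digit and
    // is capped at the platform integer size (PHP_INT_MAX) on overflow.
    return (string) intval($raw);
}

function clean_digits_only(string $raw): string
{
    // Keeps every digit and drops everything else (spaces, dashes, letters).
    // Input with no digits at all becomes an empty string.
    return preg_replace('/[^0-9]+/', '', $raw);
}

function passes_is_numeric(string $raw): bool
{
    // is_numeric() also accepts signs, decimals, exponents and leading
    // whitespace (trailing whitespace too since PHP 8), so it is a looser
    // check than "digits only" and does not change the value.
    return is_numeric($raw);
}

function build_query(string $cleaned): string
{
    // The value is quoted even though it is digits only: an empty string
    // would otherwise leave a dangling "v_number =" at the end of the SQL.
    // $cleaned has already been reduced to digits, so no escaping is needed
    // here; mysql_real_escape_string() would require an open connection.
    return "SELECT * FROM vouchers WHERE v_number = '" . $cleaned . "'";
}

// Constructed inputs covering the cases discussed in the thread.
$samples = [
    '  123 ',                 // whitespace from copy-paste
    '12-34-56',               // "broken" number typed with dashes
    'abc',                    // no digits at all
    '99999999999999999999',   // longer than a 64-bit integer
    '1e3',                    // accepted by is_numeric, not a plain digit string
    "O'Brien 42",             // stray quote character in the input
];

printf("%-26s %-22s %-22s %s\n", 'input', 'intval', 'digits-only', 'is_numeric');
foreach ($samples as $raw) {
    printf(
        "%-26s %-22s %-22s %s\n",
        json_encode($raw),
        clean_intval($raw),
        clean_digits_only($raw),
        passes_is_numeric($raw) ? 'yes' : 'no'
    );
}

echo "\n", build_query(clean_digits_only('abc')), "\n";       // empty but still a valid literal
echo build_query(clean_digits_only('12-34-56')), "\n";        // dashes dropped, digits kept
```

Run it with `php` on the command line to see the table. The mysql_* functions used in the thread were removed in PHP 7; in current code the same lookup is done with a PDO or mysqli prepared statement, where the driver handles quoting and the digit-only cleaning above remains useful purely for matching what the user meant to type.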