Form Validation

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Form Validation

Post by Ree »

I have decided to create my own form validation functions but I need to know which characters (or combinations of them) I should not accept from users. I'm not talking about 'you cannot enter alphabetic characters in age field' validation, this kind of validation is obvious. What I am looking for could be an article (or your own tips) indicating what kind of malicious user input should be denied. Probably only addslashes isn't enough... or is it? I have seen quite a few articles where they advise 'Filter your data!' but for me this doesn't say enough...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I don't deny anything, I just convert it to a usable form the server can deal with and convert it back if the user needs to see it..
Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

Let's take an example. Say, I have a registration form on my site with a field 'Your Name'. How should I check the $_POST['name'] to be sure nothing malicious is executed in my MySQL db? Should all characters be accepted or not (such as %, (, =, ...)? Would be nice if someone could just tell me how they would check the data of the 'Your Name' field. It would help me to get a better idea on what steps should be taken.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

easiest idea would be to use mysql_real_escape_string which will basically escape all the characters

best idea would be to write a regular expression for each field and validate against that but that can be tricky because if you have a last name field then you would think using only letters would work but what if their name was O'Riley or somtin then you have to allow ' in it but then you have to add slashes. but if you think it through enough then you will be able to do it
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Or use prepared statements (adodb can emulate them if your dbms doesn't support them), and don't worry about mysql_real_escape_string...
Ashiro
Forum Newbie
Posts: 8
Joined: Wed Jun 22, 2005 5:01 am

Post by Ashiro »

There's a number of functions built into PHP that perform these operations anyway. Such as:

mysql_real_escape_string(string): Used to escape a string to be safely used in a MySQL query.

strip_tags(string): Used to strip potentially risky HTML tags from a string

addslashes(string): The most basic function which merely adds slashes where necessary to a provided string.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Err, I think what Ree's asking about is what exactly should be in a Name field. For example, it's very unlikely that a person has a "%" or a "\" in their name.

Hmm, probably [a-zA-Z ] and maybe extra characters '-' and '.' and '&' and "'".
Ashiro
Forum Newbie
Posts: 8
Joined: Wed Jun 22, 2005 5:01 am

Post by Ashiro »

In which case he could use the built in ctype functions:
ctype_alnum -- Check for alphanumeric character(s)
ctype_alpha -- Check for alphabetic character(s)
ctype_cntrl -- Check for control character(s)
ctype_digit -- Check for numeric character(s)
ctype_graph -- Check for any printable character(s) except space
ctype_lower -- Check for lowercase character(s)
ctype_print -- Check for printable character(s)
ctype_punct -- Check for any printable character which is not whitespace or an alphanumeric character
ctype_space -- Check for whitespace character(s)
ctype_upper -- Check for uppercase character(s)
ctype_xdigit -- Check for character(s) representing a hexadecimal digit
Taken from: http://uk.php.net/ctype

The function in bold is of particular value.
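Putting the thread's advice together as an added example (my code, not anything posted in the thread): an allow-list check for the 'Your Name' field using the characters Ambush Commander lists, followed by timvw's prepared-statement approach so the database never treats the value as SQL. It assumes PDO with the sqlite driver so it runs without a MySQL server; note that mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7, so a PDO placeholder is used instead.

```php
<?php
declare(strict_types=1);

/**
 * Allow-list check for a person's name: letters, spaces, and the extra
 * characters suggested in the thread (apostrophe, hyphen, period, ampersand).
 * \p{L} with the /u modifier keeps accented letters such as "José" valid,
 * which a plain [a-zA-Z] class or ctype_alpha would reject.
 * Returns the trimmed name, or null if it is rejected.
 */
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L} .\'&-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function storeName(PDO $db, string $name): int
{
    // The value is bound to a placeholder, not interpolated into the SQL:
    // the apostrophe in "O'Riley" is data, never part of the statement.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs, standing in for $_POST['name'].
$samples = ["O'Riley", "José María", "Anne-Marie", "Bob%Smith", "<b>Bob</b>"];
foreach ($samples as $raw) {
    $name = validateName($raw);
    if ($name === null) {
        echo "rejected: $raw\n";
        continue;
    }
    $id = storeName($db, $name);
    // Escape on output, not on input: the stored value stays the real name.
    echo "stored #$id: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
}
```

The first three samples are stored unchanged; the last two are rejected by the allow-list before any query runs.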
The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

Post by The Monkey »

Wow, I had no idea about the ctype functions! Many thanks.