$_POST handling and other security
Posted: Fri May 11, 2007 8:16 pm
I've been working on a site for some time now. Kind of a pet project in amongst my other work. I started the site with a sketched-in security system and built on from there. After a few revisions and translations into a series of classes (session / database / user) I now have a fairly modular system which serves my purposes quite well.
But now that the site is nearing completion, I've gone back and had a bit of a security audit. I read up all I could find on security and tried to find any holes in my system, and yeah ... I found many.
So there are a few steps I want to implement to try and overcome its flaws.
* Have all forms use the post method and check all inputs from $_POST
* Insert a random single use value into every form view and compare to session stored value on submit.
* Regenerate session id on every page view
But what is going to require the most adjustment is the handling of collected post data. At the moment, I collect it, do some cursory checks (is there a value here, basically) and then hand it off to the database class to be stored. The database class does do a bit of scrubbing for me (stripslashes / htmlentities / mysql_real_escape_string). At the time I thought this was enough, but then what about the unsafe info before it is written? It would be a simple oversight to display a field value before saving it, especially if a form failed validation and the form was redisplayed with the original values re-displayed as part of an error message or the like. Not to mention forms where the info isn't saved, such as search boxes or even login boxes (though the database class does clean the query, I already have a "you searched for: X" dialog sourced from the $_POST value).
So, I have written a class to handle my form validation ( as in making sure the fields contain expected information ) which is kind of cumbersome to set up, but does what I need without making the code too ugly.
I'm just wondering whether this class would be best suited to securing the input as well as validating it, and if so, what should be done to the values to make them safe? I'm not expecting any HTML or markup of any kind, so I don't need to preserve tags. Recommendations?
Code:
// Start form validation
require_once(PATH_CLASS . "class_validform.php");
$vform = &new validform("form_login");
// Configure form validation
// R = Required : M = AlphaNumeric (Mixed Alpha & Numeric) : ># = Longer(text) / Larger(number) than #
$vform->add_element("username", "RA");
$vform->add_element("password", "RA>7");
// Validate
$vform->run_test();

Also, if I really drill down the form input, what security is required then for database writes? Should I get rid of everything except the mysql_real_escape_string call, or is even that overkill?
Given the above implementations, is there anything I'm overlooking that could do with plugging? (apart from $_GET variables which I'm going to have to have a think about)
Thanks for taking the time to read and for any advice you can offer.
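The following is an added example written for this thread, not the poster's validform class or any code from the site being described. It puts the three items on the poster's list (POST-only handling, a random single-use form token compared against a session-stored value, session id regeneration) into one login handler, and separates the two jobs the poster is asking about: validation decides whether a value is acceptable, while escaping is applied only where the value is output (htmlspecialchars at the HTML boundary, a parameterized query at the database boundary), so nothing needs to be "cleaned" before storage and a re-displayed form value or a "you searched for: X" echo is safe by construction. It assumes PHP 7 or later with PDO, a constructed table `users(username, password_hash)` with password_hash() hashes, and hypothetical names (`csrf_token`, `csrf_check`, `validate_login`, `h`, `find_user`). The session id is regenerated at the login itself, which is the point where it matters most; regenerating on every page view as the poster plans is compatible with this but not required by it.

```php
<?php
// Added example for the thread above; not the poster's code.
// Assumes PHP 7+, PDO with the MySQL driver, and a constructed table
// users(username, password_hash) whose hashes come from password_hash().

session_start();

// 1. Per-form single-use token: generated when the form is rendered, kept in
//    the session, compared with hash_equals() on submit, then discarded.
function csrf_token(string $form): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$form] = $token;
    return $token;
}

function csrf_check(string $form, $submitted): bool {
    $expected = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);      // single use, whether or not it matches
    return is_string($submitted) && is_string($expected) && hash_equals($expected, $submitted);
}

// 2. Validation only answers "is this value acceptable?"; it never rewrites it.
//    Returns field => error message; an empty array means the form passed.
function validate_login(array $post): array {
    $errors = [];
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!is_string($user) || !preg_match('/^[A-Za-z0-9]{3,32}$/', $user)) {
        $errors['username'] = 'Username must be 3-32 letters or digits.';
    }
    if (!is_string($pass) || strlen($pass) < 8) {
        $errors['password'] = 'Password must be at least 8 characters.';
    }
    return $errors;
}

// 3. HTML escaping happens at output time, on every value echoed into the page
//    (re-displayed form fields, error text, "you searched for: X"). Nothing is
//    escaped before it is stored, so stored data stays exactly as typed.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. The database boundary uses a parameterized query; with placeholders there
//    is nothing for mysql_real_escape_string, stripslashes or htmlentities to do.
function find_user(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('form_login', $_POST['csrf'] ?? null)) {
        http_response_code(400);
        exit('Form token missing or expired; please reload the form.');
    }
    $errors = validate_login($_POST);
    if ($errors === []) {
        // Constructed connection details; replace with the site's own.
        $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        $row = find_user($db, $_POST['username']);
        if ($row !== null && password_verify($_POST['password'], $row['password_hash'])) {
            session_regenerate_id(true);  // fresh id at the privilege change; old id discarded
            $_SESSION['user'] = $row['username'];
            header('Location: /home.php');
            exit;
        }
        $errors['password'] = 'Unknown username or wrong password.';
    }
}

// Render (or re-render after a failed validation). The previously typed username
// reaches the page only through h(), so the re-display cannot inject markup.
$token = csrf_token('form_login');
$typed = $_POST['username'] ?? '';
$prev  = h(is_string($typed) ? $typed : '');
?>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= $token ?>">
  <label>Username <input name="username" value="<?= $prev ?>"></label>
  <label>Password <input name="password" type="password"></label>
  <?php foreach ($errors as $msg): ?>
    <p class="error"><?= h($msg) ?></p>
  <?php endforeach; ?>
  <button type="submit">Log in</button>
</form>
```

The token is removed from the session before it is compared, so a replayed or mismatched submission burns it either way and the next render issues a new one. Keeping escaping out of the storage path is what answers the poster's "drill down" question: once every HTML output goes through h() and every query uses placeholders, the database class no longer needs to scrub at all, and values in the database are not double-encoded when they are later shown in a context other than HTML.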