Secure Form "Comment" field

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

GeoffR
Forum Newbie
Posts: 8
Joined: Tue Jun 05, 2007 8:43 am

Secure Form "Comment" field

Post by GeoffR »

I venture carefully out into the heavy traffic on this coder's highway, being a novice with PHP.

If I am not too simplistic in my question, is there a SIMPLE rule I can apply to a Comment field in my form to protect my site from the evil warrior? i.e. Perhaps a basic regular expression, or the like, that disallows specific characters, such as angle brackets, from being injected into a form field?

In my hunt around for a solution, it all seems so long winded.

If there is a simple and clean solution for filtering out the trash, would you mind sharing the secret of how to do it?

Cheers and thanks,
Geoff
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Whatcha trying to filter? A story? A resume? A Novel?

Whatcha trying to save it to? A database? A file? An email?

Clarify can do with questions we have.
GeoffR
Forum Newbie
Posts: 8
Joined: Tue Jun 05, 2007 8:43 am

Just a gene

Post by GeoffR »

I am trying to find a general script that I can use in several places for protecting a "comments" area of a form, whether it be a feedback form, a "tell a friend" form, a sign up form, etc. Most of these have a "comments" block at the end for the user to say anything.

I guess I'm just hoping to find an all-purpose filter for protecting this area. I do already use a reg_exp for validating email addresses, but I hoped there would be something for general text.

Make sense?

Thanks for replying!

Geoff
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Code:

function rcc($string)
{
    // Split into single bytes and drop anything outside printable ASCII
    // (32..126), keeping only the line feed (10); tabs (9) and carriage
    // returns (13) are removed as well.
    $string = str_split($string);
    foreach ($string as $key => $char) {
        if (((ord($char) < 32) || (ord($char) > 126)) && (ord($char) != 10)) {
            unset($string[$key]);
        }
    }
    return implode($string);
}
GeoffR
Forum Newbie
Posts: 8
Joined: Tue Jun 05, 2007 8:43 am

Thanks.. but?

Post by GeoffR »

Hey thanks a lot for that... I ran it and get this error:

Fatal error: Call to undefined function: str_split() in /home/ghdyys/public_html/tell_a_friend.php on line 101

Make sense?
Geoff
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Yeah it is a PHP 5 function. I can write you a PHP 4 version tomorrow. Basically all the rcc function does is remove anything that isn't standard ASCII text, with the exception of line feeds. Once you have done that, you would need to then escape it for insertion into a database, or use htmlentities for use in a browser, unless you want the html to render..
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Here you go, you will probably want to filter out javascript & possibly images, html/css as well.

Code:

function filter($string)
{
    // Same rule as rcc(), written without str_split() so it runs on PHP 4:
    // keep printable ASCII (32..126) and the line feed (10), drop the rest.
    // $string[$i] is used for the byte offset; the $string{$i} brace form
    // works on PHP 4 too but was removed in PHP 8.
    $strlen = strlen($string);
    $strnew = '';
    for ($i = 0; $i < $strlen; $i++) {
        $code = ord($string[$i]);
        if ((($code >= 32) && ($code <= 126)) || ($code == 10)) {
            $strnew .= $string[$i];
        }
    }
    return $strnew;
}
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

astions, this filter only removes some "non-printable" characters, it doesn't in any way prevent XSS.

GeoffR, there is no generic filter that can help you, you need to carefully apply a correct method of escaping data before using it in any way. This is an extensive topic to cover in a forum post, so you are advised to go read a book on PHP security, Chris Shiflett has a good one I hear.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I know what it removes, I wrote it. Maybe he should look into htmlpurifier for cleaning html, or just strip it out all together.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Different objects have different requirements. An "all around" filter would just be a bad idea. Think of what you allow or what you disallow, and prioritize one.

i.e.
For usernames, you'll only want numbers, letters, and underscores, so you prioritize what's allowed.
For SQL, you don't want unescaped characters, so you prioritize what's disallowed.

Each item deserves its own filter.
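A way to act on the advice in Mordred's and superdezign's posts, as an added example that is not code from the original thread: the control-character filter discussed above beside escaping done per output context (HTML, SQL) and an allow-list check for a username. The function names, the constructed sample comment and the in-memory SQLite database are assumptions made for this illustration.

```php
<?php
// Constructed sample input: printable ASCII only, so the thread's filter keeps
// it unchanged, yet it contains markup that would run if echoed into HTML raw.
$comment = "Nice site! <script>alert(1)</script>\nSee you.";

// The filter from the thread, as a regex: keep printable ASCII and LF only.
// This is tidying, not escaping; it does nothing against HTML or SQL injection.
function strip_control(string $s): string
{
    return preg_replace('/[^\x20-\x7E\x0A]/', '', $s);
}

// HTML context: escape at the point of output. ENT_QUOTES also escapes single
// quotes so the value is safe inside attribute values, not just element text.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: do not escape by hand; bind the value so the database never
// parses it as part of the statement. Returns the new row id.
function store_comment(PDO $db, string $s): int
{
    $db->exec('CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, body TEXT)');
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $s]);
    return (int) $db->lastInsertId();
}

// Username: an allow-list, as superdezign suggests. Define what is permitted
// instead of guessing what to forbid.
function valid_username(string $u): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $u);
}

$clean = strip_control($comment);
echo ($clean === $comment) ? "filter changed nothing\n" : "filter altered input\n";
echo for_html($clean), "\n";   // <script> is shown as text, not executed

$db = new PDO('sqlite::memory:');  // assumption: pdo_sqlite extension present
$id = store_comment($db, $clean);
echo "stored comment #$id raw; escaped only when rendered\n";

var_dump(valid_username('geoff_r'));        // true
var_dump(valid_username('geoff<script>'));  // false
```

The comment is stored unmodified and escaped only for the context it is rendered into, which is the point Mordred makes: the filter decides nothing about safety, the escaping at each output does.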
GeoffR
Forum Newbie
Posts: 8
Joined: Tue Jun 05, 2007 8:43 am

Thanks

Post by GeoffR »

Thanks for your help and advice with this, it is much appreciated.

Regards,
Geoff