Form Data > Validation and Cleaning

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Form Data > Validation and Cleaning

Post by kkonline »

I am using the following algorithm/flow/pseudocode for validation and cleaning of data entered by users in the form (consisting of fields like name, main article (text type in db), and mood for election (should ONLY be 1, 2, 3 ... 6)).

Question > It seems everywhere I have to use if and else statements, giving me around 8-10 if/else statements in this check. Please look at the approach and tell me if there is a better solution or I am missing anything, or tell me if there is an important check that can be performed on a particular field which I have missed.

Basically I just want you to go through the algorithm, discuss its weak points and suggest some solution to it.

Initially faultflag = 0;

A> Cross-Site Request Forgery check
A1> Token checking -> if incorrect print "invalid source!" and exit;
A2> Timeout detection -> if timeout print "Timeout!" and exit;
A3> If the source is correct (correct domain) goto B>

B> Check captcha (prevents spambots)
B1> If wrong print "wrong captcha"; faultflag++;
B2> If correct, goto C> (till now the data is from the correct source and not from a spambot)

C> C1> If (isset($_POST['name']))
C2> If yes (some name was posted) THEN validate maxlength <= 30 and check D>;
else print "too long"; faultflag++;
C3> else print "you forgot to write name"; faultflag++;

D> Similar to C, check for title and its length.
If valid goto E>

E> E1> If (isset($_POST['maintext']))
E2> If yes (some article was posted) THEN validate; if valid goto F>
E3> else print "you forgot to write article"; faultflag++;


Ques 1> In point E2>, if the article is posted, how should I validate it? In the db I am using the text type to store the value, as the article could be very long. Or should I use some other type for articles in the db? Or should I use text (varchar(2500)), for example?


F> F1> If (isset($_POST['mood']))
F2> If yes (some mood was posted) THEN validate it to be a number from 1 to 6;
else print "wrong mood"; faultflag++;
If valid goto G>
F3> else print "you forgot to write mood"; faultflag++;

G> G1> If (faultflag > 0) print "there are $faultflag errors, fill the form again" with a link to the form;
G2> else (when no errors) connect to db

H> [Assuming the "clean" data is in name, mood, maintext]
mysql_real_escape_string() the name, mood, maintext
trim the name, mood, maintext

Store to db

For displaying the data after extracting it from the db I am converting it into XML format and using the following protection on the data which is to be printed:
htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');

Ques 2> Should I ALSO use the class written by Christian Stocker for prevention of XSS before displaying the data in XML
http://svn.bitflux.ch/repos/public/popo ... linput.php
(and use htmlentities alone?)
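The A> to H> flow above, rewritten as an added example (this is not kkonline's code) so that every rule appends to an error array instead of nesting another if/else. The CSRF token and its issue time are assumed to have been put in the session when the form was rendered, the captcha result is assumed to arrive as a boolean from whatever captcha check is in use, the timeout and the title/article length limits are assumed values, and the `entries` table and its columns are hypothetical. Storage uses a PDO prepared statement, which is why no `mysql_real_escape_string()` call appears; output escaping uses `htmlspecialchars()` with `ENT_QUOTES`.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.4+ and that
// $_SESSION['token'] / $_SESSION['token_time'] were set when the form was shown.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 900;   // assumed 15-minute form timeout (step A2)
const NAME_MAX  = 30;            // from the post: maxlength <= 30
const TITLE_MAX = 100;           // assumed limit for the title field
const TEXT_MAX  = 20000;         // assumed upper bound for the article body

// Step A: token and timeout are fatal, so they stop processing before any
// field check, exactly as A1/A2 "exit". Returns the message to print, or null.
function check_csrf(array $post, array $session, int $now): ?string
{
    if (!isset($post['token'], $session['token'], $session['token_time'])) {
        return 'invalid source!';
    }
    // hash_equals() compares in constant time, so a wrong token takes as long
    // to reject as a right one takes to accept.
    if (!hash_equals((string) $session['token'], (string) $post['token'])) {
        return 'invalid source!';
    }
    if ($now - (int) $session['token_time'] > TOKEN_TTL_SECONDS) {
        return 'Timeout!';
    }
    return null;
}

// Steps B-F: each rule appends to $errors; nothing exits early, so the user
// sees every problem at once and there is one `if` per rule, no nesting.
function validate_form(array $post, bool $captchaOk): array
{
    $errors = [];

    if (!$captchaOk) {
        $errors[] = 'wrong captcha';
    }

    // Length is measured in characters, not bytes, so multibyte UTF-8 names
    // are not rejected early.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '') {
        $errors[] = 'you forgot to write name';
    } elseif (mb_strlen($name, 'UTF-8') > NAME_MAX) {
        $errors[] = 'name too long';
    }

    $title = trim((string) ($post['title'] ?? ''));
    if ($title === '') {
        $errors[] = 'you forgot to write title';
    } elseif (mb_strlen($title, 'UTF-8') > TITLE_MAX) {
        $errors[] = 'title too long';
    }

    $text = trim((string) ($post['maintext'] ?? ''));
    if ($text === '') {
        $errors[] = 'you forgot to write article';
    } elseif (mb_strlen($text, 'UTF-8') > TEXT_MAX) {
        $errors[] = 'article too long';
    }

    // FILTER_VALIDATE_INT with a range rejects "3abc", "3.0", "", "0" and "7"
    // in one call; it returns false on failure, so compare strictly.
    $mood = filter_var($post['mood'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 6]]);
    if ($mood === false) {
        $errors[] = 'wrong mood';
    }

    return [
        'errors' => $errors,
        'clean'  => ['name' => $name, 'title' => $title,
                     'maintext' => $text, 'mood' => $mood],
    ];
}

// Step H: with a prepared statement the values never become part of the SQL
// text, so no escaping is needed before storage. Table and columns are hypothetical.
function store_entry(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO entries (name, title, maintext, mood) VALUES (?, ?, ?, ?)');
    $stmt->execute([$clean['name'], $clean['title'], $clean['maintext'], $clean['mood']]);
}

// Escape at output time; ENT_QUOTES also covers values placed inside attributes.
function escape_for_xml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Step G on a constructed submission (no session, captcha service or DB used here).
$post = ['name' => str_repeat('a', 40), 'title' => 'Hello', 'maintext' => '', 'mood' => '7'];
$result = validate_form($post, true);
if ($result['errors'] !== []) {
    printf("there are %d errors, fill the form again:\n", count($result['errors']));
    foreach ($result['errors'] as $e) {
        echo ' - ', escape_for_xml($e), "\n";
    }
}
```

`validate_form()` returns both the error list and the trimmed values, so the caller decides whether to show the form again or call `store_entry()`; the escaping is done once, on output, rather than on the way into the database.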
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

A good pattern to use in your form validation routines is the strategy pattern. See http://www.phppatterns.com/docs/design/strategy_pattern. We've talked a couple of times about using this, for example here.
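The strategy pattern applied to the form from the opening post, as an added example (not matthijs's code and not taken from the linked article). Each rule is a small class with a single `check()` method; a field is validated by the list of strategies assigned to it, so a new rule is a new class rather than another if/else branch. The title and article length limits are assumed values, and constructor property promotion assumes PHP 8.0 or later.

```php
<?php
// Added example of the strategy pattern for form validation; assumes PHP 8.0+.
declare(strict_types=1);

interface ValidationStrategy
{
    // Returns null when the value passes, otherwise the error message to show.
    public function check(string $field, ?string $value): ?string;
}

// "isset and not blank" (steps C1, E1, F1 of the original flow).
final class Required implements ValidationStrategy
{
    public function check(string $field, ?string $value): ?string
    {
        return ($value === null || trim($value) === '')
            ? "you forgot to write $field" : null;
    }
}

// Character-count limit (step C2's maxlength <= 30 and the title check in D).
final class MaxLength implements ValidationStrategy
{
    public function __construct(private int $max) {}

    public function check(string $field, ?string $value): ?string
    {
        return ($value !== null && mb_strlen($value, 'UTF-8') > $this->max)
            ? "$field too long (max {$this->max})" : null;
    }
}

// Whole number within [min, max] (step F2's "1 to 6").
final class IntRange implements ValidationStrategy
{
    public function __construct(private int $min, private int $max) {}

    public function check(string $field, ?string $value): ?string
    {
        $opts = ['options' => ['min_range' => $this->min, 'max_range' => $this->max]];
        return filter_var($value ?? '', FILTER_VALIDATE_INT, $opts) === false
            ? "wrong $field (must be {$this->min}-{$this->max})" : null;
    }
}

// Holds the field -> strategies map and runs it over a submission.
final class FormValidator
{
    /** @var array<string, ValidationStrategy[]> */
    private array $rules = [];

    public function rule(string $field, ValidationStrategy ...$strategies): self
    {
        $this->rules[$field] = array_merge($this->rules[$field] ?? [], $strategies);
        return $this;
    }

    /** @return string[] every error message; an empty array means the form is valid */
    public function validate(array $input): array
    {
        $errors = [];
        foreach ($this->rules as $field => $strategies) {
            $value = isset($input[$field]) ? (string) $input[$field] : null;
            foreach ($strategies as $strategy) {
                $msg = $strategy->check($field, $value);
                if ($msg !== null) {
                    $errors[] = $msg;
                    break; // report the first failing rule per field
                }
            }
        }
        return $errors;
    }
}

// The rules from the original post, declared once in one place.
$validator = (new FormValidator())
    ->rule('name',     new Required(), new MaxLength(30))
    ->rule('title',    new Required(), new MaxLength(100))   // limit assumed
    ->rule('maintext', new Required(), new MaxLength(20000)) // limit assumed
    ->rule('mood',     new Required(), new IntRange(1, 6));

// Constructed sample submission: valid name, missing title, mood out of range.
$sample = ['name' => 'Ann', 'maintext' => 'Some article', 'mood' => '9'];
foreach ($validator->validate($sample) as $error) {
    echo $error, "\n";
}
```

Because the strategies are ordinary objects, the same `IntRange` or `MaxLength` instance can be reused across forms and unit-tested on its own, which is where the pattern pays off compared with a chain of inline conditions.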
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

As I already answered here: viewtopic.php?p=411062#411062, that code is not safe to use. I won't go into details here, as it is used in production code (albeit on a small scale).

htmlspecialchars() with ENT_QUOTES and the proper encoding should be enough (unless you do something stupid with the output, that is).