Input field validation - STOP PHP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


jswany
Forum Newbie
Posts: 2
Joined: Mon Apr 28, 2008 11:52 am

Input field validation - STOP PHP

Post by jswany »

Hi,
I have been making a website in PHP for a DJ. I have hand-coded everything, even the CMS. I am now at the stage of making sure that it is all secure.
The website gives the user their own page (like MySpace). The only thing I need to know is how to stop any server-side code and CSS from being entered in comment boxes. I would like them to still be able to use HTML.
Any suggestions, let me know.
Thanks for your time in advance.
James
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Input field validation - STOP PHP

Post by Mordred »

jswany wrote: The only thing I need to know is how to stop any server-side code and CSS from being entered in comment boxes.
You need to know other things, but hardly this. What are you doing with the form data that makes you afraid it's going to be executed as PHP (or CSS)? Also, HTML is a concern: you need a filtering library like HTMLPurifier or you'll face ... defacement.
jswany wrote: I am now at the stage of making sure that it is all secure
"Now" is a bit late :) Security should be done from day one, just like with other bugs.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Input field validation - STOP PHP

Post by RobertGonzalez »

If you are storing the content in a database then you needn't worry about server-side code executing unless you are pushing the content through eval(). I would, however, worry significantly about client-side code.

I agree with Mordred. Security should have been built into the core of the app, not placed into it as an afterthought. It will be a little harder to go back into the code and crack it open to put all your checks and balances into it.

More importantly, I would suggest you establish, clearly, the rules the posted data must follow, then code the validators to those rules. Always, always, always filter your input and always escape output.
vspin
Forum Commoner
Posts: 33
Joined: Tue Apr 29, 2008 6:31 pm

Re: Input field validation - STOP PHP

Post by vspin »

Here's a list of security tips. Read and understand them all. While the articles (tips) are small, follow up on them by searching the Internet. Especially cross-site scripting (XSS)!!

http://devzone.zend.com/public/view/con ... ult/page/1
jswany
Forum Newbie
Posts: 2
Joined: Mon Apr 28, 2008 11:52 am

Re: Input field validation - STOP PHP

Post by jswany »

Cheers guys, I have sorted it now. And in future I WILL DEFINITELY worry about security from the start of the project. It seems obvious now (I'm so stupid :oops: ).
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: Input field validation - STOP PHP

Post by Maugrim_The_Reaper »

HTMLPurifier - apply it to all user-submitted HTML ;)
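As an added example (not code from any post in this thread), here is the approach Robert and Maugrim describe put together: explicit rules for the posted comment, a whitelist filter on the HTML field so that script, inline CSS and javascript: links cannot get through, and escaping of the plain-text fields at output time. It assumes HTMLPurifier is installed and reachable through its `HTMLPurifier.auto.php` include; the constants and function names are this example's own.

```php
<?php
// Added example: handling a user-submitted comment on the server side.
// Assumes the HTMLPurifier library is reachable via its autoloader; the
// constants and function names below are the example's own choices.
require_once 'HTMLPurifier.auto.php';

// 1. State the rules the posted data must follow: only what is listed is allowed.
const COMMENT_MAX_LEN = 2000;
// No 'style' attribute and no <style>/<script> in this list, so inline CSS
// and scripts are dropped by the whitelist rather than by a blacklist.
const ALLOWED_HTML = 'p,br,b,strong,i,em,a[href],blockquote';

function validateComment(array $post): array
{
    $errors = [];
    $name = trim($post['name'] ?? '');
    $body = trim($post['body'] ?? '');

    if ($name === '' || mb_strlen($name) > 40) {
        $errors[] = 'name must be 1-40 characters';
    }
    if ($body === '' || mb_strlen($body) > COMMENT_MAX_LEN) {
        $errors[] = 'comment must be 1-' . COMMENT_MAX_LEN . ' characters';
    }
    return $errors;
}

// 2. Filter the HTML field: keep only whitelisted tags/attributes and only
//    http/https links, so javascript: URLs are rejected as well.
function cleanCommentHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', ALLOWED_HTML);
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// 3. Escape plain-text values at the point of output, not when they are stored.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with a constructed request (sample data, not a real submission).
$post = ['name' => 'James <script>', 'body' => '<b>Hi</b><script>x()</script><p style="color:red">there</p>'];
if (!validateComment($post)) {
    $safeBody = cleanCommentHtml($post['body']);
    // Store $safeBody and $post['name'] with a prepared statement, then render:
    echo '<div class="comment"><b>' . e($post['name']) . '</b> ' . $safeBody . '</div>';
}
```

Note that the name field is never allowed to carry HTML, so it goes through `e()` rather than the purifier; only the comment body is treated as HTML.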