Input field validation - STOP PHP
Posted: Mon Apr 28, 2008 12:08 pm
by jswany
Hi,
I have been making a website in PHP for a DJ. I have hand coded everything, even the CMS. I am now at the stage of making sure that it is all secure.
The website gives the user their own page (like MySpace). The only thing I need to know is how to stop any server side coding and CSS from being entered in comment boxes. I would like them to still be able to use HTML.
Any suggestions, let me know.
Thanks for your time in advance.
James
Re: Input field validation - STOP PHP
Posted: Mon Apr 28, 2008 11:49 pm
by Mordred
jswany wrote: The only thing I need to know is how to stop any server side coding and CSS from being entered in comment boxes.
You need to know other things, but hardly this. What are you doing with the form data that you're afraid it's going to be executed as PHP (or CSS)? Also, HTML is a concern: you need a filtering library like HTMLPurifier or you'll face ... defacement.
I am now at the stage of making sure that it is all secure
"Now" is a bit late.
Security should be done from day one, just like with other bugs.
Re: Input field validation - STOP PHP
Posted: Tue Apr 29, 2008 12:00 pm
by RobertGonzalez
If you are databasing the content then you needn't worry about server-side code executing unless you are pushing the content through eval(). I would however worry significantly about client side code.
I agree with Mordred. Security should have been built into the core of the app, not placed into it as an afterthought. It will be a little harder to go back into the code and crack it open to put all your checks and balances into it.
More importantly, I would suggest you establish, clearly, the rules the posted data must follow then code the validators to those rules. Always always always filter your input and always escape output.
Re: Input field validation - STOP PHP
Posted: Wed Apr 30, 2008 3:40 am
by vspin
Here's a list of security tips. Read and understand them all. While the articles (tips) are small, follow up on them by searching the Internet. Especially cross-site scripting (XSS)!!
http://devzone.zend.com/public/view/con ... ult/page/1
Re: Input field validation - STOP PHP
Posted: Wed Apr 30, 2008 7:02 am
by jswany
Cheers guys, I have sorted it now. And in future I WILL DEFINITELY worry about security from the start of the project. It seems obvious now (I'm so stupid).
Re: Input field validation - STOP PHP
Posted: Wed Apr 30, 2008 8:21 am
by Maugrim_The_Reaper
HTMLPurifier - apply to all user input HTML
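As an added example, not code from the thread: a small allow-list filter along the lines the replies recommend (filter input, escape output, keep user HTML to a known subset, drop CSS and scripts). It is far less complete than the HTMLPurifier library Mordred and Maugrim_The_Reaper point to; the tag, attribute and URL-scheme allow-lists and the constructed sample comment are my own choices.

```php
<?php
// Added example, not the thread's code: allow-list filter for comment HTML
// ("filter input, escape output"). Tag/attribute/scheme lists are my own choices.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'a'];
const ALLOWED_ATTRS   = ['a' => ['href']];                   // no style= or on*= anywhere
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function scrubAttributes(DOMElement $el, string $tag): void {
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        // Value is already entity-decoded; drop control chars browsers ignore ("java\tscript:").
        $url = preg_replace('/[\x00-\x20]/', '', $attr->value);
        $badScheme = preg_match('~^([a-z][a-z0-9+.-]*):~i', $url, $m)
            && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
        if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true) || ($name === 'href' && $badScheme)) {
            $el->removeAttribute($attr->name);           // style=, onclick=, javascript: hrefs
        }
    }
}
function scrubNode(DOMNode $parent): void {
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) continue;         // text is re-escaped by saveHTML()
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        if ($tag === '' || $tag === 'script' || $tag === 'style') {
            $parent->removeChild($child);                // comments, PHP/XML PIs, script, style
        } elseif (in_array($tag, ALLOWED_TAGS, true)) {
            scrubNode($child);
            scrubAttributes($child, $tag);
        } else {                                         // unknown tag: keep children, drop tag
            scrubNode($child);
            while ($child->firstChild) $parent->insertBefore($child->firstChild, $child);
            $parent->removeChild($child);
        }
    }
}
function filterCommentHtml(string $dirty): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                    // tolerate tag soup quietly
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $dirty . '</body>');  // PI forces UTF-8
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    scrubNode($body);
    $clean = '';
    foreach ($body->childNodes as $node) $clean .= $doc->saveHTML($node);
    return $clean;
}
$submitted = '<p onclick="alert(1)">Hi <b>DJ</b></p><style>p{display:none}</style>'   // constructed
    . '<script>alert(1)</script><a href="javascript:alert(1)">x</a><?php echo "hi"; ?>'
    . '<a href="https://example.com">ok</a>';
echo filterCommentHtml($submitted), "\n";
```

Stored PHP tags never run unless something passes them to eval() or include, as RobertGonzalez notes; the filter only makes sure they are not emitted to other visitors' browsers, and plain-text fields (a display name, say) should skip the filter entirely and be output through htmlspecialchars().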
