filter input and spoofing form submission.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Ok, some security expert books mention we should validate everything.
No matter if it is a select dropdown menu, radio buttons or whatever (things you might think are validated).

This is true of course, because usually you could spoof the form submission with your own form.

But usually these things are coming from the DB.
How do you dynamically validate these select menus, for example?

After submit, do I get the data to generate the select menu initially and check against the value coming from POST?
Is anybody of you actually doing this one?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Yes.

In dropdowns where I select the data to fill it, I also select the data after submission, and check to make sure it's a value I expected.

In plaintext, I always run it through htmlentities();

As a general rule, make sure that form input is what you expect.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I have a tendency to use post backs quite a bit, so on a page where I am dynamically generating a select menu, I usually read the result into an array and use the array to create the drop down. I create the array at the top part of the script so when the page is posted back, the array has already been created and is available for checking against.

Code:

<?php
// create the array (a constructed stand-in here; in practice the rows of a database query)
$options = array('1' => 'Red', '2' => 'Green', '3' => 'Blue');

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
  // process the data and check against the array: the submitted value must be one of its keys
  $choice = isset($_POST['colour']) ? $_POST['colour'] : '';
  if (!is_string($choice) || !isset($options[$choice])) {
    die('Invalid selection');
  }
}

// create the form using the array
echo '<form method="post"><select name="colour">';
foreach ($options as $id => $label) {
  echo '<option value="' . htmlspecialchars($id) . '">' . htmlspecialchars($label) . '</option>';
}
echo '</select><input type="submit" value="Go"></form>';
?>
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

And what about data coming from a database?
Do you treat it as being tainted before you use it, i.e. validate it?

Or do you believe the data, as you know it was validated in the first place (when it goes into the DB)?

I guess it all depends on the scenario and who has access to this database, but for a critical app the big books advise not to trust.
Most stuff you might as well constrain on the DB side, but still..

Have any of you done this?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Sorry, I should have been more clear. What I meant was that I create an array from the database. I use that one single array for two things: 1) Developing the form elements (this ensures that the form contains what you want it to) and 2) for validating $_POST data against (when the form is submitted I run it against the array to see if it is in the array). One array, one DB query, two purposes, two results.

I validate almost everything because you never know when some malicious person will get creative and use your site to practise on. Validate all the time.
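A worked PHP version of the "one array, one DB query, two purposes" approach described above, added here as an illustration and not code from the thread or its authors. It goes a little beyond the post: it also handles a multiple select, rejects a submitted array where a single value is expected, and checks the whitelist with isset() on the key rather than in_array(); the $rows argument is a constructed stand-in for the database result, and PHP 7.1+ is assumed.

```php
<?php
// Added example: one whitelist array built from the database rows is used
// both to render the <select> and to validate what comes back in $_POST.
// Assumes PHP 7.1+; the rows passed to buildOptions() are a constructed stand-in.

function buildOptions(array $rows): array
{
    $options = [];
    foreach ($rows as $row) {
        $options[(string) $row['id']] = $row['name']; // submitted value => display label
    }
    return $options;
}

function renderSelect(string $name, array $options, bool $multiple = false): string
{
    $attr = htmlspecialchars($name . ($multiple ? '[]' : ''), ENT_QUOTES);
    $html = '<select name="' . $attr . '"' . ($multiple ? ' multiple' : '') . '>';
    foreach ($options as $value => $label) {
        $html .= '<option value="' . htmlspecialchars((string) $value, ENT_QUOTES) . '">'
               . htmlspecialchars($label, ENT_QUOTES) . '</option>';
    }
    return $html . '</select>';
}

// Returns the accepted value(s) as strings, or null if anything submitted is not
// a whitelisted key. Uses isset() on the key instead of in_array(), so PHP 7's loose
// comparison ("abc" == 0 is true) cannot slip a value past, and rejects a submitted
// array where a single value is expected (and a single string where an array is).
function validateChoice($submitted, array $options, bool $multiple = false): ?array
{
    $values = $multiple ? $submitted : [$submitted];
    if (!is_array($values)) {
        return null;
    }
    $accepted = [];
    foreach ($values as $v) {
        if (!is_string($v) || !isset($options[$v])) {
            return null;
        }
        $accepted[] = $v;
    }
    return $accepted;
}

$options = buildOptions([['id' => 1, 'name' => 'Red'], ['id' => 2, 'name' => 'Green']]);
echo renderSelect('colour', $options), "\n";
var_dump(validateChoice('2', $options));              // ["2"]: a genuine option
var_dump(validateChoice('7', $options));              // NULL: value not in the generated menu
var_dump(validateChoice(['1', '7'], $options, true)); // NULL: one bad value rejects the whole submission
```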
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Everah wrote:Sorry, I should have been more clear. What I meant was that I create an array from the database. I use that one single array for two things: 1) Developing the form elements (this ensures that the form contains what you want it to) and 2) for validating $_POST data against (when the form is submitted I run it against the array to see if it is in the array). One array, one DB query, two purposes, two results.

I validate almost everything because you never know when some malicious person will get creative and use your site to practise on. Validate all the time.

This is exactly how I understood it.
The thing is, do you trust your DB?
Maybe some other script or something could harm the DB... hence a problem when creating/validating form elements using the DB.
Well... ultimately you have to rely on something sooner or later, I guess :)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

If you take the approach of validating all input (correctly, and accounting for magic_quotes), then a second validation of database values has really diminished returns. At this point I'd usually just remember to escape it before it's output to a user.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

jmut wrote:This is exactly how I understood it.
The thing is, do you trust your DB?
Maybe some other script or something could harm the DB... hence a problem when creating/validating form elements using the DB.
Well... ultimately you have to rely on something sooner or later, I guess :)

Is there a possibility that data could get hijacked/corrupted while in the database? Sure. But like you said, you have to have some amount of data as your starting point. I typically reject user input that should not be allowed, and seriously validate what is passed to my applications. As for passing information that is coming from your database (as in the case of passing a select option id that was generated by the database) I usually check to make sure it is in the array I set initially, make sure it is of the type I am expecting, etc. But there really is no way to make sure what is in the database is what it is supposed to be (not that I can think of anyway).