There are a couple of things you're going to want to do when you accept a form, and a lot of resources for reading a variety of different ideas on how to get it done. I could post you the methods I use to sanitize and then validate data when it comes in through a form, but honestly when it comes to security I think it's something you really should understand fully what you are accomplishing, otherwise the opportunity for something to slip through is rather huge.
Generally the process takes at least a couple of steps:
1. Sanitize all incoming data. This is where you catch most XSS and SQL injection type vulnerabilities by cleaning your form data of any corrupt or malicious entries. Check out such functions as trim(), htmlentities(), htmlspecialchars(), strip_tags(), and addslashes(). Also be sure to read up on magic_quotes_gpc when you get to that last one, as some servers mistakenly have this turned on, requiring you to do some extra coding in order to deal with it.
2. Validate incoming data to make sure you're getting the right kind. Again, there are various ways of doing this, such as using ctype functions, preg_match(), filter_input() and filter_var(), or completely writing your own from the ground up (though that usually requires some regular expressions and preg_match() anyway).
Once again, never trust JavaScript. Never. Ever.
-m
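One way to carry out the two steps described in the post above, as an added example that is not the poster's code: trim() for sanitizing, then ctype_alnum(), filter_var() and an anchored preg_match() for validating, with htmlspecialchars() applied only when a value is echoed back to the page. The field names, the five-digit postcode format and the sample array standing in for $_POST are all assumptions.

```php
<?php
// Added example, not the post's code: sanitize then validate a form
// submission with trim(), ctype_alnum(), filter_var() and preg_match(),
// and escape with htmlspecialchars() only when echoing back to the page.

function validate_signup(array $input): array
{
    $errors = []; $clean = [];
    // Step 1, sanitize: trim every string field; non-strings become ''.
    $f = array_map(fn($v) => is_string($v) ? trim($v) : '', $input);

    // Step 2, validate. Username: 3-20 ASCII letters/digits (ctype check).
    $user = $f['username'] ?? '';
    if (strlen($user) < 3 || strlen($user) > 20 || !ctype_alnum($user)) {
        $errors['username'] = 'must be 3-20 letters or digits';
    } else {
        $clean['username'] = $user;
    }
    // Email: let filter_var() decide instead of a hand-written regex.
    $email = filter_var($f['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'is not a valid address';
    } else {
        $clean['email'] = $email;
    }
    // Postcode (hypothetical 5-digit format): anchored preg_match(), so
    // nothing before or after the digits can sneak through.
    $zip = $f['zip'] ?? '';
    if (preg_match('/^\d{5}$/', $zip) !== 1) {
        $errors['zip'] = 'must be exactly five digits';
    } else {
        $clean['zip'] = $zip;
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Escape for the HTML context at the point of output, not on the way in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission (stands in for $_POST) with a bad username.
$sample = ['username' => 'bob<script>', 'email' => 'bob@example.com',
           'zip' => '1234'];
foreach (validate_signup($sample)['errors'] as $field => $msg) {
    echo h($field) . ' ' . h($msg) . "\n";
}
```

Rejected fields never reach $clean, so anything downstream (a database query, a template) only ever sees values that passed the checks.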