9 Replies - 1668 Views - Last Post: 30 June 2010 - 09:46 PM

#1 Zel2008

A good or bad way to check form values?

Posted 30 June 2010 - 07:30 AM

Hi everybody,
I'm writing a form in HTML whose values are pulled in by a PHP script, and I've been finding that ensuring security with PHP is a lot harder than I thought. So, I had the idea of writing the form values to a file with a PHP script, and then using something else to check the form values. Does that sound like overkill? The method I was thinking of using was:

1. When the user clicks the "Submit" button, call the php run script
2. The php script writes a file in /tmp/, without checking input first
3. The php script makes a system call to a Java application that does error checking and builds a command line
4. The Java application calls a backend process
5. The results of the backend process are shown in some new HTML

Is this a bad methodology; is there a simpler way to do this? I was trying to write some decent security to guard against injection attacks and such, but it seemed like there was always another case I had to guard against, and I have tons of little php classes I can't make sense of anymore.

If anyone could give me some advice on this, I'd appreciate it.

Thanks,
Zel2008


Replies To: A good or bad way to check form values?

#2 Dormilich

Re: A good or bad way to check form values?

Posted 30 June 2010 - 07:36 AM

you can use PHP’s filter functions. database input can be secured by using Prepared Statements. even using a RegEx is possible.

#3 CTphpnwb

Re: A good or bad way to check form values?

Posted 30 June 2010 - 07:40 AM

PHP has built-in functions to help with this. As an example, you can use htmlspecialchars to convert everything into html characters that cannot be used for sql injection. You can also use filter_var to validate emails and urls. Then there is is_numeric for numeric data.

You could have one method that chooses the appropriate screening method based on the type of data being sent to it.

#4 Zel2008

Re: A good or bad way to check form values?

Posted 30 June 2010 - 07:42 AM

Ooh, I've never seen these filter methods before! Thanks, guys, that will save me a lot of headaches!
Thanks,
Zel2008

#5 Dormilich

Re: A good or bad way to check form values?

Posted 30 June 2010 - 07:49 AM

CTphpnwb, on 30 June 2010 - 02:40 PM, said:

you can use htmlspecialchars to convert everything into html characters that cannot be used for sql injection.

I doubt that particular statement. there is a reason for *_real_escape_string().

#6 CTphpnwb

Re: A good or bad way to check form values?

Posted 30 June 2010 - 08:14 AM

Well, this code:
<?php
$x = "myname ' or 1; DROP mytable";
$y = htmlspecialchars($x,ENT_QUOTES);
echo $x."<br><br>

".$y;
?>

produces this html source:
myname ' or 1; DROP mytable<br><br>

myname &_#039; or 1; DROP mytable

* Remove the underscore - it isn't there in results.
I don't know how the second could successfully inject an sql command. ;)

This post has been edited by CTphpnwb: 30 June 2010 - 08:17 AM
Reason for edit: Editor shows ' instead of htmlspecialcharacter!


#7 Dormilich

Re: A good or bad way to check form values?

Posted 30 June 2010 - 08:16 AM

by using it on an INT field (auto_incremented IDs, user IDs, etc.), which doesn’t require quoting.

This post has been edited by Dormilich: 30 June 2010 - 08:19 AM


#8 CTphpnwb

Re: A good or bad way to check form values?

Posted 30 June 2010 - 08:25 AM

I must be missing something. I don't know how to insert an sql command on an int field. Then again, I would never give a user access to an int field without at least forcing type. Inject this:
$x = (int)$_POST['some_int'];
$query = "SELECT * FROM mytable WHERE userid='".$x."'";

#9 Dormilich

Re: A good or bad way to check form values?

Posted 30 June 2010 - 08:29 AM

CTphpnwb, on 30 June 2010 - 03:25 PM, said:

Then again, I would never give a user access to an int field without at least forcing type.

you know that. most of the people don’t even know that there is type casting.

anyway, I’d go the secure way of Prepared Statements, they’re immune.
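Pulling the thread's advice together: this is an added example, not code from any of the posters. It validates form fields with the filter functions from posts #2 and #3, shows why htmlspecialchars() gives no protection on the unquoted INT column Dormilich describes in post #7, and runs the lookup through the prepared statement he recommends in post #9. The users table, the rows in it and the form values are all constructed here, and an in-memory SQLite database keeps it stand-alone.

```php
<?php
// Added example, not code from any poster in this thread. Validate form fields
// with PHP's filter functions, show why htmlspecialchars() does nothing for an
// unquoted INT column, and query through a PDO prepared statement. The users
// table, its rows and the form values are constructed; SQLite keeps it offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, email) VALUES (7, 'zel@example.com'), (8, 'ct@example.com')");

// Look up one user by the raw form value; null means the value was rejected
// or no row matched. Validation happens before the value goes anywhere near SQL.
function findUserById(PDO $db, string $rawId): ?array
{
    // FILTER_VALIDATE_INT accepts "7" but rejects "7 OR 1=1", "7.0" and "".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder is bound as an integer, so the value is never spliced into
    // the SQL text and cannot change the statement's structure.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validate an e-mail field the same way; null means "reject".
function validEmail(string $raw): ?string
{
    $v = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Constructed form values standing in for $_POST.
$form = ['user_id' => '7 OR 1=1', 'email' => 'zel@example.com'];

// Dormilich's point: there is no quote or angle bracket here, so htmlspecialchars()
// returns the string unchanged and "WHERE id = " . $escaped would be rewritten.
$escaped = htmlspecialchars($form['user_id'], ENT_QUOTES);
var_dump($escaped === $form['user_id']);

var_dump(findUserById($db, $form['user_id']));  // non-integer input never reaches SQL
var_dump(findUserById($db, '7'));               // a valid id is bound as an int
var_dump(validEmail($form['email']));
```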

#10 macosxnerd101

Re: A good or bad way to check form values?

Posted 30 June 2010 - 09:46 PM

Zel2008, on 30 June 2010 - 10:30 AM, said:

1. When the user clicks the "Submit" button, call the php run script
2. The php script writes a file in /tmp/, without checking input first
3. The php script makes a system call to a Java application that does error checking and builds a command line
4. The Java application calls a backend process
5. The results of the backend process are shown in some new HTML

Take it from someone who has done a lot of Java and a fair amount of PHP that Java-PHP interactions are really ugly. If you want a Java solution, look at Applets or server-side Java EE technologies like Servlets and JavaServer Pages. If you want a PHP solution, then stick to the suggestions above.