[nycphp-talk] PHP Form Validation
max
max at neuropunks.org
Fri Sep 2 13:48:13 EDT 2005
This is what I usually use to clean forms I *know* should not contain html/scripting.
The only problem is the restrictive regexp, which won't let you use, say, ! as part of a password.
Just thought someone might find it useful. Pretty basic code really.
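if ($_POST) {
    $post = input_process($_POST);
    // Fields that failed validation come back as '', so nothing tainted is echoed.
    $username = isset($post['username']) ? $post['username'] : '';
    echo "<input type=\"text\" name=\"username\" value=\"$username\">";
}

// Trim and validate every key and value of a form array.
function input_process ($array) {
    $config = array();
    foreach ($array as $key => $value) {
        // trim() returns the trimmed string; it does not change its argument.
        $key = trim($key);
        // Only strings are accepted; nested arrays are treated as invalid.
        $value = is_string($value) ? validate(trim($value)) : false;
        if (validate($key) === false) {
            continue; // drop fields with an invalid name
        }
        $config[$key] = ($value === false) ? '' : $value;
    }
    return $config;
}

// Returns $string if it holds only whitelisted characters, false otherwise.
function validate ($string) {
    if ($string != "") {
        // ereg() was removed in PHP 7; preg_match() takes the same character class.
        if (preg_match('/[^a-zA-Z0-9\@\.\_\/\ \-]/', $string)) {
            // Escape the rejected value before echoing it back.
            echo "Invalid input " . htmlentities($string, ENT_QUOTES, 'UTF-8');
            return false;
        }
    }
    return $string;
}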
On Fri, Sep 02, 2005 at 12:50:46PM -0400, Chris Shiflett wrote:
> Billy Reisinger wrote:
> > Correct me if I'm wrong here, folks, but using a $_POST['variable']
> > directly in a form is no more or less vulnerable to attack than
> > using a different variable that is a reference to a $_POST variable.
>
> That's right. In other words, the following is an example of a
> cross-site scripting vulnerability if $username is tainted:
>
> echo "<p>Welcome, $username!</p>";
>
> It's very easy to make a mistake that taints a variable without being
> obvious. For example, sometimes data is massaged several times before
> being used:
>
> $user = $_POST['user'];
>
> /* ... */
>
> $user_array = explode(',', $user);
>
> /* ... */
>
> $name = $user_array[3];
>
> /* ... */
>
> list($first_name, $last_name) = explode(' ', $name);
>
> /* ... */
>
> echo "<p>Welcome, $first_name!</p>";
>
> That's the best example I can think of on the fly. :-)
>
> The point is that it's very easy to make a mistake - we all do it.
> That's the main reason why I try to adhere to practices that can help me
> make fewer mistakes.
>
> I use $_POST sometimes in articles and talks just to make it obvious
> that the data is tainted and to make the example attacks simple and
> straightforward. That's why it's disappointing to see an article with
> such an obvious vulnerability.
>
> > If you want to carry over form values after errors or across
> > multiple form pages (i.e. preserve state), you have to reference
> > these $_POST variables eventually, in some form or fashion. In
> > this sense, ALL forms are vulnerable to hacks.
>
> That's definitely not true. Consider a username form field. This is
> basically what the article in question recommends:
>
> <input type="text"
> name="username"
> value="<?php echo $_POST['username']; ?>" />
>
> Contrast that with this:
>
> <?php
>
> header('Content-Type: text/html; charset=UTF-8');
>
> $clean = array();
> $html = array();
>
> if (isset($_POST['username']) &&
> ctype_alnum($_POST['username']))
> {
> $clean['username'] = $_POST['username'];
> }
> else
> {
> $clean['username'] = '';
> }
>
> $html['username'] = htmlentities($clean['username'],
> ENT_QUOTES,
> 'UTF-8');
>
> ?>
> <input type="text"
> name="username"
> value="<?php echo $html['username']; ?>" />
>
> There's an enormous difference between the two.
>
> Chris
>
> --
> Chris Shiflett
> Brain Bulb, The PHP Consultancy
> http://brainbulb.com/
>
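An added example, not code from either poster: it combines the per-field input filtering and output escaping shown in the quoted reply, so that a free-text field can accept characters such as ! without being echoed unescaped. The names $rules, filter_form() and escape_for_html(), the field list and the sample input are all assumptions made for illustration.

```php
<?php
// Added example: per-field input filtering plus escaping at the point of output.
// $rules, filter_form() and escape_for_html() are hypothetical names.

// One whitelist pattern per field instead of one pattern for every field.
$rules = array(
    'username' => '/\A[a-zA-Z0-9]{1,32}\z/',
    'email'    => '/\A[a-zA-Z0-9@._\-]{3,254}\z/',
    // Free text: anything except control characters, so "!" and "<" pass the filter.
    'comment'  => '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]{0,500}\z/',
);

// Keeps only fields that are present, are strings and match their rule.
function filter_form(array $input, array $rules) {
    $clean = array();
    foreach ($rules as $field => $pattern) {
        if (isset($input[$field]) && is_string($input[$field])
            && preg_match($pattern, $input[$field]) === 1) {
            $clean[$field] = $input[$field];
        } else {
            $clean[$field] = '';
        }
    }
    return $clean;
}

// Escapes filtered values for an HTML text node or a quoted attribute value.
function escape_for_html(array $clean) {
    $html = array();
    foreach ($clean as $field => $value) {
        $html[$field] = htmlentities($value, ENT_QUOTES, 'UTF-8');
    }
    return $html;
}

// Constructed sample input standing in for $_POST.
$sample = array(
    'username' => 'max"><script>alert(1)</script>',
    'email'    => 'max@example.org',
    'comment'  => 'Nice talk! <b>Thanks</b>',
);

$clean = filter_form($sample, $rules);   // username is rejected and becomes ''
$html  = escape_for_html($clean);        // markup in comment is entity-encoded

echo '<input type="text" name="username" value="' . $html['username'] . "\">\n";
echo '<input type="text" name="email" value="' . $html['email'] . "\">\n";
echo '<p>' . $html['comment'] . "</p>\n";
```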