
jimfog

Posts posted by jimfog

  1.  

    If this page is being used in response to an AJAX request, then output a JSON string. If it's handling the forum submission on its own then you'll have to output an HTML page. If you want to have the same page to do both, just add a parameter to the query string when you make the request using AJAX so that PHP can know what type of response to give.

     

    In your Javascript, add ?ajax=1 to the URL, then PHP can test for that:

        if(isset($_GET['ajax'])) {
            // Show JSON
        } else {
            // Show HTML
        }

    I must make some clarification first...the requests are made by Backbone (which uses AJAX, of course, for the requests).

    So...in a Backbone collection I have assigned a URL property which points to a page on the server...like that:

        var Events = Backbone.Collection.extend({
            model: BBEvent,
            url: 'events.php'
        });

    I am assuming I am going to add ?ajax=1 above...in the url property...correct?

    Ok this is the way PHP understands that the request is made with JS.

     

    How is it going to understand, though, that the request is NOT made by JS....I am confused regarding this.

    How am I going to ensure that the request is not made by JS....

     

    You claim that this happens by the identification of the GET ajax parameter....

     

    How am I going to ensure that this is absent from the URL so that this is recognized by PHP as a request not sent by JS?

     

    There is something missing here...

  2. Since this question has to do with validation I want to ask one last important question.

    The code of course in this topic relates to server-side.

     

    My question concerns the reply from the server...as I see it...it must be using both json_encode (in case JS validation failed) AND print/echo statements in case JS is disabled.

     

    Tell me if I am correct with the above.
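    Added example (not the poster's code and not the quoted reply's): the single events.php endpoint discussed in these two posts, branching on the ?ajax=1 flag that the Backbone collection adds to its url, so the AJAX path gets json_encode output and a plain form submission (no query string, so the flag is simply absent) gets echoed HTML. Assumed: a required 'title' field, and that the Backbone client sends a JSON body while the form sends form-encoded fields.

```php
<?php
// Added example, not the original poster's code. One endpoint for both the
// Backbone collection (url: 'events.php?ajax=1') and a <form> that posts to
// 'events.php' without a query string. Assumed: a required 'title' field.
declare(strict_types=1);

// The request came from JS only if the client deliberately added ?ajax=1.
// A normal form submission never carries it; its absence IS the non-JS case.
function wantsJson(array $get): bool
{
    return isset($get['ajax']) && $get['ajax'] === '1';
}

// Backbone.sync sends a JSON body; a <form> sends form-encoded fields.
function readInput(array $server, array $post): array
{
    if (strpos($server['CONTENT_TYPE'] ?? '', 'application/json') === 0) {
        $body = json_decode((string) file_get_contents('php://input'), true);
        return is_array($body) ? $body : [];
    }
    return $post;
}

function validateEvent(array $input): array
{
    $errors = [];
    if (trim((string) ($input['title'] ?? '')) === '') {
        $errors['title'] = 'A title is required.';
    }
    return $errors;
}

// One validation result, two renderings: json_encode for the AJAX client,
// escaped HTML via echo for the no-JS fallback.
function respond(bool $json, array $errors, array $event): void
{
    if ($json) {
        header('Content-Type: application/json; charset=utf-8');
        http_response_code($errors ? 422 : 200);
        echo json_encode($errors ? ['errors' => $errors] : $event);
        return;
    }
    header('Content-Type: text/html; charset=utf-8');
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    echo $errors
        ? '<p class="error">' . $h(implode(' ', $errors)) . '</p>'
        : '<p>Saved event: ' . $h((string) $event['title']) . '</p>';
}

$input = readInput($_SERVER, $_POST);
respond(wantsJson($_GET), validateEvent($input), ['title' => $input['title'] ?? '']);
```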

  3. The question is: How do you know which ones you're testing as numeric and which ones you're testing as a string?

    I know that from before...

    The app I am building sends a JSON to the server...the keys are fixed each time..the values change of course.

    And of course I know which data type every key is.

  4. I have an array with seven members and I want to test some of them to see if they are strings and some to see if they are numeric.

     

    What would be the most efficient way to do this, you think...

     

    In the PHP manual a reference is made to a foreach loop; nonetheless this is a good solution only if we are testing for is_numeric alone, for example.

     

    Since we are dealing here with two tests, what is the way to go, you think?

  5. It is an error message returned from the server...as part of validation...I have settled on this message:

     

    Is numeric Error

    I do not know what drawbacks arise from a message such as this...if any?

  6. I am using is_numeric to check some data that go to the server, for validity reasons.

     

    Given the fact that this is a security issue....how should I handle the case where is_numeric returns FALSE?

     

    Should I just display an error message to the user...what if this user is a hacker, and displaying the precise details (the cause of the error in that error message) will reveal to him why his attack failed?
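    Added example (not the poster's code) covering posts 3 to 6 above: a rules table that says which of the seven fixed keys are numeric and which are strings, one foreach that applies both tests, and a reply that logs the precise reason server-side while the client only learns which fields were invalid. The seven key names and the sample request body are constructed for the example.

```php
<?php
// Added example, not the original poster's code. Assumed: the client sends a
// JSON object with seven fixed keys; which are numeric and which are strings
// is known in advance, so one rules table drives a single loop for both tests.
declare(strict_types=1);

const RULES = [   // constructed key names
    'apID' => 'numeric', 'serviceID' => 'numeric', 'duration' => 'numeric',
    'name' => 'string', 'surname' => 'string', 'phone' => 'string', 'notes' => 'string',
];

// Returns key => reason for every failing key; an empty array means valid.
function validatePayload(array $data, array $rules): array
{
    $errors = [];
    foreach ($rules as $key => $type) {
        if (!array_key_exists($key, $data)) {
            $errors[$key] = 'missing';
        } elseif ($type === 'numeric' && !is_numeric($data[$key])) {
            $errors[$key] = 'is_numeric failed';
        } elseif ($type === 'string' && (!is_string($data[$key]) || $data[$key] === '')) {
            $errors[$key] = 'is_string failed or empty';
        }
    }
    // Keys the rules do not know about are rejected as well: the real client
    // never sends them, so an extra field is itself a sign of tampering.
    foreach (array_keys(array_diff_key($data, $rules)) as $extra) {
        $errors[$extra] = 'unexpected key';
    }
    return $errors;
}

// Detailed reasons go to the server log. The client gets the field names and
// one neutral message: enough for a legitimate user to fix the form, and all
// that anyone probing the endpoint learns about how the check works.
function reportErrors(array $errors): void
{
    error_log('validation failed: ' . json_encode($errors));
    http_response_code(422);
    header('Content-Type: application/json');
    echo json_encode(['errors' => array_fill_keys(array_keys($errors), 'invalid value')]);
}

// Constructed sample body: two bad values plus an extra key the app never sends.
$payload = json_decode('{"apID":"5","serviceID":"abc","duration":"30","name":"Jim",'
    . '"surname":"","phone":"2101234567","notes":"first visit","isAdmin":1}', true);
$errors = validatePayload($payload, RULES);
if ($errors !== []) {
    reportErrors($errors);
}
```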

  7.  

    The same procedure as all prepared statements:

    1. Prepare

    2. Bind

    3. Execute

     

    I assume you're using MySQLi, you haven't specified. This code works if $connection is a MySQLi object, if it's PDO the syntax is a bit different.

        $stmt = $connection->prepare('SELECT serviceID from services_list,appoint_servi_chosen
            WHERE services_list.serviceID=appoint_servi_chosen.service_ID
            and appoint_servi_chosen.app_ID=?');
        for($j=0;$j < count($appdata);++$j) {
            $stmt->bind_param('s', $appdata[$j]['apID']);   // MySQLi uses bind_param; bindParam is PDO
            $result1 = $stmt->execute();
        }

    Unless you need $j for something, you could just use a foreach() loop

        foreach($appdata as $d) {
            $stmt->bind_param('s', $d['apID']);
            $result1 = $stmt->execute();
        }

    I had no doubt I was going to use these 3 steps you mention...the only problem I had was accessing the array...but you answered that as well.

  8. I am having trouble implementing a prepared statement within a for loop:

        for($j=0;$j < count($appdata);++$j) {
            $result1 = $connection->query('SELECT serviceID from services_list,appoint_servi_chosen
                WHERE services_list.serviceID=appoint_servi_chosen.service_ID
                and appoint_servi_chosen.app_ID= "'.$appdata[$j]['apID'].'"');
        }

    As you see above I have to access an array in the statement above...how am I going to implement this with a prepared statement?
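    Added example (not the poster's code and not the quoted reply's) for posts 7 and 8: the same query as above run as a MySQLi prepared statement inside the loop, prepared once, with the array element bound by reference so each pass only reassigns the variable, and the rows of every iteration collected. Assumed: $connection is a mysqli object and $appdata is the poster's array of rows carrying 'apID'.

```php
<?php
// Added example, not the original poster's code. Assumed: $connection is a
// mysqli object and each $appdata row has an 'apID' key, as in the post above.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Returns apID => list of serviceIDs chosen for that appointment.
function servicesForAppointments(mysqli $connection, array $appdata): array
{
    // Prepare once, outside the loop: the SQL text never changes, only the value.
    // Same query as the poster's, written with an explicit JOIN.
    $stmt = $connection->prepare(
        'SELECT services_list.serviceID
           FROM services_list
           JOIN appoint_servi_chosen
             ON services_list.serviceID = appoint_servi_chosen.service_ID
          WHERE appoint_servi_chosen.app_ID = ?'
    );

    // bind_param binds by reference, so bind one variable once and reassign it
    // on every pass instead of binding $appdata[$j]['apID'] each time.
    $apID = 0;
    $stmt->bind_param('i', $apID);

    $services = [];
    foreach ($appdata as $row) {
        $apID = (int) $row['apID'];   // travels as data, never spliced into the SQL
        $stmt->execute();
        $result = $stmt->get_result();   // needs mysqlnd; use bind_result() otherwise
        $services[$apID] = array_column($result->fetch_all(MYSQLI_ASSOC), 'serviceID');
        $result->free();
    }
    $stmt->close();
    return $services;
}

// Usage with a constructed $appdata of the poster's shape:
// $byAppointment = servicesForAppointments($connection, [['apID' => 5], ['apID' => 7]]);
```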

    What do you mean by that? You can't really detect when someone changes one number to another number. What you should be able to detect is whether any given user is allowed to take whatever action they are trying to take. If all you want to do is make sure that it is actually a number then you can use intval to convert it to an integer.

    I'm talking about application security, authentication and authorization.

    That is not relevant. If you are getting the value from $_POST, $_GET, $_COOKIE, etc then it is user-supplied data, those values are sent by the browser. If you're just going to trust that no one will substitute those values for anything they want just because there isn't a field on a form, then your security model is just "trust the user". That's not security. Authentication and authorization is security.

    Famous last words. Remember, you can either take the time to do it right, or make the time to do it over.

    You need to think like an attacker. If I wanted to attack a site the very first thing I would do is use my browser's developer tools to figure out what data my browser is sending to the server (regardless of what fields appear on the page). Once I know the set of inputs that the server expects then I'll start to change them and see what happens. It is trivially easy to create a post or get request with any data I choose. Don't think that just because there isn't a field on the page then that's going to stop an attacker. It doesn't matter what is on the page, what matters is the data that the browser actually sends to the server.

    All these are helpful but they do not help solving the issue.

  10. I just want to prevent a hacker from tampering with the ID....

    real_escape_string and sanitization, I thought, would suffice.

     

    I see that this discussion is going nowhere....my search about validation resulted in using the above two solutions...

    Apart from that I do not know what else can be done.

     

    As I already said the user fills no field in this situation...

     

     

     

    Going back to your original question... when an appointment is going to be deleted...

     

    Do you have multiple users? Do you want to prevent one malicious user from deleting all of the appointments?

     

    This is a scenario I had not thought of....and certainly we can find numerous others....but my search here is just for some basic security foremost, and when in production I will see what else I can do.

  11. The solution is authorization. You need to be able to look up in the database to verify that the particular user is authorized to take whatever action they are trying to take. In that case, you need to verify that they are allowed to delete that item. Authorization should be just as much a part of application security as authentication.

    That is just a privilege issue....I am talking here about server-side code and what that might be.

  12. And what is the solution....from a developer's point of view?

     

    Apart from the various available sanitize/validate functions...do I need to write some custom code here?

  13. So then why are they giving you an integer? Wouldn't they merely request the next available integer?

    I do not understand what you are saying...

    First of all the user gives nothing...he does not fill in anything.

     

    When an appointment is created, it enters the db and at that point the ID is created....which uniquely identifies every appointment.

    When the appointment is fetched from the db to the client (to be displayed to the user), its ID is also fetched and stored in a Backbone model.

     

    The user then might choose to delete the appointment, at which point the ID corresponding to that appointment is sent to the database, where the code for deletion resides.

     

    So...as you see this ID is not generated by the user.

  14. If the string they give you is supposed to represent a positive integer between 1 and 10000 then simply verify that it parses to a positive integer in that range.

    I understand your logic, but this string increases as appointments increase....and there is no limit to it, as you can understand.

    It increments by one every time a new appointment is booked.

  15. Ok I got the picture...

     

    The next question is how I could possibly validate this.

     

    It is just a string..."5" for example.

     

    I do not use any framework.

     

    Sorry...I have forgotten some stuff I knew about validation.

     

    Ok, I used a sanitize filter....what else can I do for validation?

    And real_escape_string also...

     

    But I do not know if these 2 are sufficient if the attacker tries to change "5" into "10" for example.

  16. I am trying to use the brackets in a regular expression...see this example below:

    /^[A-Z]+$/i

    The above finds all English alphabet letters.

    I want to add Greek letters also, but JS does not recognize Greek letters, so I want to add to the above pattern this:

    /[αάβγδεέζηήθιίϊΐκλμνξοόπρσςτυύϋΰφχψωώ]/i

    These above are the letters of the Greek alphabet along with tones.

    How am I going to add the above letters in the code/pattern you see above?

     

    In other words I want the pattern to accept English and Greek characters....as it is now only English characters are matched.

  17. I am building an appointments app where each appointment is associated with an id....in the database.

     

    When an appointment is going to be deleted, its ID is sent to the server and then the PHP code handles the rest.

     

    This ID is created by the application....the question is whether it is necessary to use validation rules in the PHP script in such a case.

    The ID is not provided by the user....
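    Added example (not the poster's code and not any reply's) for the appointment-deletion thread in posts 9 to 17: the ID arrives as a string such as "5", is validated as a positive integer with no upper bound, and is then checked for authorization by tying the DELETE to the logged-in account, which is the only way to tell a tampered "10" from a legitimate one. Assumed: a mysqli $connection, an appointments table with id and owner_id columns, and $_SESSION['user_id'] set at login.

```php
<?php
// Added example, not the original poster's code. Assumed: a mysqli $connection,
// an appointments table with columns id and owner_id, and the authenticated
// account's id in $_SESSION['user_id'] (set at login, never taken from the client).
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validation: the client sends a string such as "5". Accept only a positive
// integer. IDs keep growing, so there is no upper bound; only the lower bound
// is checked. "5abc", "-1", "" and a missing value are all rejected here.
function parseAppointmentId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Authorization: "10" is as well-formed as "5", so no check on the number
// itself can tell them apart. The WHERE clause ties the row to the caller's
// own account; an ID belonging to someone else simply matches nothing.
function deleteAppointment(mysqli $db, int $id, int $ownerId): bool
{
    $stmt = $db->prepare('DELETE FROM appointments WHERE id = ? AND owner_id = ?');
    $stmt->bind_param('ii', $id, $ownerId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;   // 0: not theirs, or already gone
    $stmt->close();
    return $deleted;
}

// Returns the HTTP status to send. real_escape_string plays no part here:
// the value travels as a bound parameter, never as SQL text.
function handleDelete(mysqli $db, array $input, array $session): int
{
    if (!isset($session['user_id'])) {
        return 401;                          // not authenticated
    }
    $id = parseAppointmentId($input['id'] ?? null);
    if ($id === null) {
        return 400;                          // failed validation
    }
    if (!deleteAppointment($db, $id, (int) $session['user_id'])) {
        error_log("user {$session['user_id']} asked to delete appointment $id it does not own");
        return 404;                          // same as "no such row": reveals nothing about other users
    }
    return 204;
}

// http_response_code(handleDelete($connection, $_POST, $_SESSION));
```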

  18. Map the element the error message should go to and make it dynamic instead of hardcoding it. This could be part of your validation object.

    How am I going to do the mapping...I have heard the term before...but I am not sure what to do.

  19. Take a look at this code....

        _.each(user.validationError, function (error) {
            $('.fillname').prepend(error + '<br />');
        });

    It uses _.each, an Underscore method, to display error messages in a form (if the user has filled in the appropriate input fields).

     

    user.validationError is an object which contains the error messages, and the function just iterates over them and puts them in an element with the class you see.

     

    The problem with this code is that the error messages are NOT displayed under each form element as I want.

    Given the fact that user.validationError is an object with 3 elements...or fewer if the user has filled in one or two input elements correctly, how could I iterate over this object and assign its values to 3 different elements....each associated with a different form input?

     

    It must be a loop...but I need a little help.

  20. As you know, many apps on the web are accompanied by payment packages. I am trying to figure out how to store these in the db. One thought I had is to have an ENUM column in the table where business users are stored (along with other attributes related to them)...for example this column might have ENUM values of "solo" and "multi", two names I am considering for the packages. What do you propose? Since it is something common in today's applications I believe the solution must be more or less standardized.
