Secure form

shalendar

I've been doing a lot of work with forms (registration, email, etc.), and a guy I know pointed out that the forms don't block symbols and other characters that hackers would use to attack my site. How can I filter out/block these characters?


Learn about regular expressions and the various preg_ functions available to you. If you google "regex" and whatever keyword defines the problem you're working on, you'll probably find a dozen regular expressions that already solve your problem, and you can just copy one into your program.

You should also take the time to consider the individual pieces of data coming into your program and how they get processed. Some will be subject to attack, and others won't. Example: anything that will eventually get turned into a file or directory name needs utmost scrutiny, since it could be used to delete or overwrite files, etc.

And don't limit yourself to "user input." Any HTML file with a form in it can be downloaded and rewritten so that someone could upload a 500K novel inside a form element you originally called "hidden". You can't control what data a hacker will put inside a form element. But you can control how your program responds to it.

In most cases, bad data should cause your program to send back a simple "Bad data" message and terminate flow. Don't process it, don't save it to a file or DB.


I'm sorry, you're going to have to explain more. I don't understand what you are saying in the first paragraph. And how can the form detect "bad data"?


A regular expression is a special expression used for matching and replacing. In PHP it's used in functions like preg_match. Say you didn't want any of these characters to be used in a username: 1357. Then you might have a statement like this:

if (preg_match('/[1357]/', $uname)) { exitRoutine(); }

Regular expressions can be very complicated so as to accommodate many situations. The form doesn't detect bad data. But Javascript can give immediate feedback to most users (attach a handler to your submit event), and PHP can be the final check on data quality. You as the programmer would have to determine what counts as bad in any given circumstance.

Start reading here: http://www.php.net/manual/en/function.preg-match.php


Also, if you are inserting data into a database and want to prevent injection attacks instead of preventing problem characters you can escape them through a function such as mysql_real_escape_string().


Okay, thanks for the help. As far as the preg_match goes, how do I set it to look for multiple things, such as: <>?~!#$%^&*"':;.


as far as the preg match goes, how do i set it to look for multiple things, such as: <>?~!#$%^&*"':;.
if (preg_match("/[<>\?~!#\$%\^&*\"':;\.]/", $string)) fail();

or

$string = preg_replace("/[<>\?~!#\$%\^&*\"':;\.]/", "_", $string);


Not sure how you are doing your email with the form, but you might want to protect that from mail() exploits too.

Usually I use javascript to check stuff first and let the user know they entered something wrong... then php in the background to clean anything you will be saving to the DB (watch for injections), displaying (watch for XSS) or sending from mail (watch for mail() exploits).

Just to cover the basic php: http://bg2.php.net/manual/en/security.php

And as D'sD said, regular expressions are your friend here.

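The three contexts named in the replies above (database, HTML output, mail headers) each need their own handling, and a whitelist is safer than a blacklist of symbols. The following is an added example, not code from any poster in this thread; it assumes PHP 7 or later with PDO, and uses prepared statements where the thread suggests mysql_real_escape_string() (that function was removed in PHP 7). The `$post` array is constructed sample input standing in for `$_POST`.

```php
<?php
// Added example: validate by whitelist, then handle each value according to
// where it goes. Rejecting bad data with a plain "Bad data" response follows
// the advice given earlier in the thread.

// Username: allow only a known-good character set and length instead of trying
// to enumerate every dangerous symbol.
function valid_username(string $u): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $u) === 1;
}

// Mail: a CR or LF inside a header value lets extra headers (Bcc, etc.) be
// appended, which is the mail() exploit mentioned above, so refuse them.
function valid_email_field(string $v): bool
{
    return preg_match('/[\r\n]/', $v) !== 1
        && filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
}

// Database: a prepared statement keeps the value out of the SQL text entirely,
// so no escaping of quotes is needed.
function insert_user(PDO $db, string $u, string $email): void
{
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $u, ':e' => $email]);
}

// HTML: escape at output time so "<script>" is shown as text, not executed.
function display(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input (stands in for $_POST); the email value carries a
// CRLF-injected Bcc header and must be rejected.
$post = [
    'username' => 'bob_1',
    'email'    => "bob@example.com\r\nBcc: someone@example.com",
];

if (!valid_username($post['username']) || !valid_email_field($post['email'])) {
    http_response_code(400);
    exit('Bad data');
}
// Only reached with clean input:
// insert_user(new PDO('sqlite::memory:'), $post['username'], $post['email']);
echo display($post['username']);
```

Running this as written prints "Bad data" because of the CRLF in the email field; replace the email with a plain address to reach the insert and display steps.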
