Jump to content

Secure form


shalendar
 Share

Recommended Posts

I've been doing a lot of work with forms(registration, email, etc.), and a guy i know pointed out that the forms don't block symbols and other characters that hackers would use to attack my site. how can i filter out/block these characters?

Link to comment
Share on other sites

Learn about regular expressions and the various preg_ functions available to you. If you google "regex" and whatever keyword defines the problem you're working on, you'll probably find a dozen regular expressions that already solve your problem, and you can just copy one into your program.You should also take the time to consider the individual pieces of data coming into your program and how they get processed. Some will be subject to attack, and others won't. Example: anything that will eventually get turned into a file or diectory name needs utmost scrutiny, since it could be used to delete or overwrite files, etc.And don't limit yourself to "user input." Any HTML file with a form in it can be downloaded and rewritten so that someone could upload a 500K novel inside a form element you originally called "hidden". You can't control what data a hacker will put inside a form element. But you can control how your program responds to it.In most cases, bad data should cause your program to send back a simple "Bad data" message and terminate flow. Don't process it, don't save it to a file or DB.

Link to comment
Share on other sites

I'm sorry, you're going to have to explain more. I don't understand what you are saying in the first paragraph.and how can the form detect "bad data"?

Link to comment
Share on other sites

A regular expression is a special expression used for matching and replacing. In PHP it's used in functions like preg_match. Say you didn't want any of these characters to be used in a username: 1357. Then you might have a statement like this:if (preg_match ('/[1357]/', $uname)) {exitRoutine()};Regular expressions can be very complicated so as to accomodate many situations. The form doesn't detect bad data. But Javascript can give immediate feedback to most users (attach a handler to your submit event), and PHP can be the final check on data quality. You as the programmer would have to determine what counts as bad in any given circumstance.Start reading here http://www.php.net/manual/en/function.preg-match.php

Link to comment
Share on other sites

Also, if you are inserting data into a database and want to prevent injection attacks instead of preventing problem characters you can escape them through a function such as mysql_real_escape_string().

Link to comment
Share on other sites

as far as the preg match goes, how do i set it to look for multiple things, such as: <>?~!#$%^&*"':;.
if (preg_match("/[<>\?~!#\$%\^&*\"':;\.]/", $string)) fail();

or

preg_replace("/[<>\?~!#\$%\^&*\"':;\.]/", "_", $string);

Link to comment
Share on other sites

not sure how you are doing your email with the form but you might want to protect that from mail() exploits toousually use javascript to check stuff first and let the user know they entered something wrong...then php in the background to clean anything you will be saving to the DB (watch for injections), displaying (watch for XSS) or sending from mail (watch for mail() exploits).just to cover the basic phphttp://bg2.php.net/manual/en/security.phpand as D'sD said regular expressions are your friend here

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...