NYCPHP Meetup

NYPHP.org

[nycphp-talk] Filtering form input

csnyder chsnyder at gmail.com
Thu Jul 27 18:50:11 EDT 2006


On 7/27/06, Aaron Fischer <agfische at email.smith.edu> wrote:
> Greetings listers,
>
> I'm working on some new forms and would like to make them more secure by
> filtering the input.  I recently purchased and have at least partially
> digested Essential PHP Security by Chris Shiflett and The PHP Anthology
> by Harry Fuecks.  Based on this material I can see two possible paths ahead.
>
> 1.  Use the clean_array() approach and filter input data using PHP
> methods and/or regex expressions.
> 2.  Install the Pear package HTML_QuickForm and use for validating
> (filtering) input data.
>
> I was leaning toward #1 but have very little experience with regex.
> It's probably implausible, particularly given time constraints, for me
> to attempt to build regex expressions for my form fields.  Are there any
> resources online for regex expressions that people would recommend for
> filtering input?  Secondly, in Chris's book I see ctype_alnum() and
> html_entities() as two methods recommended to use for filtering.  Are
> there other PHP methods folks would recommend?
>
> I slogged through Pear and HTML_QuickForm a bit.  I haven't worked with
> Pear packages yet and am in a shared hosting environment, so I'm
> currently attempting to see what, if anything, is enabled and/or
> installed for Pear on my server.
>
> Would appreciate any advice or recommendations for how to proceed with
> either method #1 or #2.  At this point I would be satisfied with minimal
> improvements to security as it would be a step in the right direction
> and I can improve my filtering techniques during the next project.
>
> Thanks,
>
> -Aaron


The complexity of the solution depends on what, exactly, you need to
accomplish. Assuming you are working on a PHP+MySQL application, the
simplest possible approach is just to use mysql_real_escape_string()
on all values that are inserted into the database, and htmlentities()
on all values that come out of the database for display on a web page.

This is all that "security" really demands.

You may also wish to avoid any error messages that might occur when
your application tries to insert a string into an integer field. The
is_numeric() function is great for this. I advise against using the
ctype functions, as they are somewhat counterintuitive when it comes
to checking empty values.

It's also a good idea to check the length of strings before inserting
them into varchar fields, using the strlen() function. MySQL won't
throw an error if you insert a string that's too long; you'll only
find out later that the string was truncated and the data lost.

Beyond security, the smooth functioning of your application probably
depends on using some techniques to determine that user-submitted
values match expected input, such as strings without punctuation (for
filenames), choices from a predetermined list of values (use
in_array()), or strings that look like email addresses.

Email addresses are about the only thing you need complex regex for;
John Coggeshall wrote a tutorial on this that has a good, simple test:
http://www.zend.com/zend/spotlight/ev12apr.php
Avoid the temptation to ask the MX server whether the address exists;
most servers these days refuse to give any sort of definitive answer.


-- 
Chris Snyder
http://chxo.com/
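The checklist in Chris's reply (is_numeric() for integer columns, strlen() against the VARCHAR width, in_array() for fixed choices, a simple email pattern, escaping on the way into the database and htmlentities() on the way out) put together as one small clean_array()-style validator. This is an added example, not code from the original post or from either book mentioned; the field names, column widths, allowed values and the sample submission are constructed, the database step is shown only as a commented PDO call because no schema is given, and it assumes PHP 7.1 or later for the nullable return type and array destructuring.

```php
<?php
declare(strict_types=1);

// Validation rules for the assumed form fields; the names, limits and allowed
// values are constructed for this example.
const RULES = [
    'age'      => ['type' => 'int'],
    'username' => ['type' => 'string', 'max' => 32],
    'color'    => ['type' => 'choice', 'allowed' => ['red', 'green', 'blue']],
    'email'    => ['type' => 'email', 'max' => 254],
];

/**
 * Check one submitted value against its rule.
 * Returns null if the value is acceptable, otherwise a short error string.
 */
function check_field(string $name, $value, array $rule): ?string
{
    if (!is_string($value)) {
        // $_POST can carry arrays (name[]=...); accept only scalar strings.
        return "$name: unexpected value type";
    }
    if (isset($rule['max']) && strlen($value) > $rule['max']) {
        // MySQL truncates over-long VARCHAR inserts without an error, so the
        // column width has to be enforced here.
        return "$name: longer than {$rule['max']} bytes";
    }
    switch ($rule['type']) {
        case 'int':
            // is_numeric() also accepts "1.5" and "1e3"; the regex narrows it
            // to what an INT column can actually hold.
            return (is_numeric($value) && preg_match('/^-?\d+$/', $value))
                ? null : "$name: not an integer";
        case 'choice':
            // Whitelist check; strict comparison so "0" cannot match loosely.
            return in_array($value, $rule['allowed'], true)
                ? null : "$name: not one of the allowed values";
        case 'email':
            // Deliberately simple pattern: one "@", a dotted domain, no spaces.
            return preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $value)
                ? null : "$name: does not look like an email address";
        case 'string':
            return null;
        default:
            return "$name: unknown rule";
    }
}

/**
 * Validate a whole submission. Returns [clean values, errors]; a field that is
 * missing or invalid never reaches the clean array.
 */
function clean_array(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $name => $rule) {
        if (!array_key_exists($name, $input)) {
            $errors[] = "$name: missing";
            continue;
        }
        $err = check_field($name, $input[$name], $rule);
        if ($err === null) {
            $clean[$name] = $input[$name];
        } else {
            $errors[] = $err;
        }
    }
    return [$clean, $errors];
}

// Constructed sample submission standing in for $_POST.
$post = [
    'age'      => '42',
    'username' => 'Tom O\'Brien <admin>',
    'color'    => 'purple',
    'email'    => 'someone@example.com',
];

[$clean, $errors] = clean_array($post, RULES);
// $errors holds "color: not one of the allowed values"; the other three
// fields pass and sit in $clean.

// Storage: escape on the way into the database as the post advises, or bind
// parameters with PDO/mysqli, which leaves the escaping to the driver.
// (Assumed table and connection; shown commented because none is given.)
// $stmt = $pdo->prepare('INSERT INTO users (age, username, email) VALUES (?, ?, ?)');
// $stmt->execute([$clean['age'], $clean['username'], $clean['email']]);

// Display: escape on the way out, so the quote and angle brackets in the
// username render as text instead of being parsed as markup.
foreach ($clean as $name => $value) {
    echo $name, ': ', htmlentities($value, ENT_QUOTES, 'UTF-8'), "\n";
}
foreach ($errors as $e) {
    echo 'error: ', htmlentities($e, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Validation and escaping are kept separate on purpose: the validator only decides whether a value is acceptable, and the escaping is applied at the boundary where the value is used (database or HTML), which is the split the reply describes.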


