#1  06-22-2009, 11:05 AM
Redcore (Design Team Member)
Join Date: Aug 2007 | Location: Jamestown, CA | Posts: 713 | OS: Linux Mint 7

PHP: Sanitizing Forms

Security is always a big deal and something we don't bring up very often on this forum as this is largely a help forum, not a tutorial site...and it's incumbent on each developer to ensure their code is safe rather than the moderators/helpers here holding their hand through everything. That said, some guidance is always nice too :) There are tons of articles out there, so I'm not going to go crazy with examples - and this isn't designed to be an "end-all" security post, but rather a few nifty articles and a start of discussion for others as well.

One big deal is sanitizing ANYTHING that is passed from a user on your site. I'm not a security expert as I don't deal as much with security things these days since I largely work on an intranet system for my office, but there are fundamental things everyone should do regardless. PHP5 has a great new function called "filter_var" and there are tons of filter flags you can put into it to do a myriad of things. Here is a great article on TutsPlus regarding this function:
http://net.tutsplus.com/tutorials/ph...h-php-filters/

If you have the access rights to do so, you should turn off magic_quotes (addslashes/removeslashes manually is *probably* best - extra work, but extra control) as well as register_globals. If you like, you may also want to turn errors off so that "villains" can't see what is wrong with your code if things aren't working properly and don't have clues on how to use that against you. This is probably easier to do if you have a secondary server that you can test on. I don't run things that way currently, so I have errors on (although turned down quite a bit).

SQL injection is one of the worst things that can happen to your site. It not only affects your site, but also the integrity of the data in your database. If you use MySQL, you can use the mysqli_real_escape_string function to escape special characters and therefore sanitize the form element:

PHP Code:
    // $link is the open mysqli connection; the procedural
    // mysqli_real_escape_string() needs it as the first argument
    $formfield = mysqli_real_escape_string($link, $_POST['formfield']);
For work, we exclusively use MS SQL, so I filter all user vars with PHP's filter_var...
PHP Code:
    function runFilter($var)
    {
        // Doubling a single quote is the T-SQL string-literal escaping convention
        $var = str_replace("'", "''", $var);
        // Note: the third argument of filter_var() is a flags bitmask, so a second
        // filter id passed there is not applied as a filter
        $var = filter_var($var, FILTER_SANITIZE_STRING, FILTER_SANITIZE_MAGIC_QUOTES);
        return $var;
    }

    // Run every posted field through the filter
    $_POST = array_map('runFilter', $_POST);
I include this with all form handler pages. It's a relatively new thing I've put in, so it may be kinda weird for some. I should have commented it more - I'm not sure why I did the string replace - I'm sure there's a reason though.

Another thing you can do - especially with comment/contact forms, is utilizing captcha. Here's a popular library:
http://recaptcha.net/plugins/php/

Some developers flat out do not like captcha, don't want anything to do with it, and regularly encourage others not to bother with it. My opinion is that if it keeps even 40% of bots out, it's worth it - so long as it doesn't destroy the user's experience on the site either.

That's about all I have for now. I'm more interested in others contributing more rather than trying to put a ton of stuff up... :P
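As an added example (not Redcore's code), here is one way to apply the filter_var approach described in the post to a whole form: each field gets a validating or sanitizing filter matched to its type instead of one generic filter for every value, and rejected fields are reported rather than silently passed through. The field names and the `$form` array standing in for `$_POST` are assumptions so it runs offline from the CLI; a value that passes still has to be escaped (as the post shows) before it is put into SQL.

```php
<?php
// Added example, not code from the original post. $form is a constructed
// stand-in for $_POST with one good and several bad values.
$form = [
    'name'    => "  O'Brien <b>bold</b> ",
    'email'   => 'not-an-email',
    'age'     => '42abc',
    'website' => 'http://example.com/page?x=1',
];

// One rule per field: the filter id plus any options/flags it takes.
$spec = [
    'name'    => ['filter' => FILTER_SANITIZE_SPECIAL_CHARS],
    'email'   => ['filter' => FILTER_VALIDATE_EMAIL],
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 1, 'max_range' => 120]],
    'website' => ['filter' => FILTER_VALIDATE_URL,
                  'flags'  => FILTER_FLAG_PATH_REQUIRED],
];

function filterForm(array $form, array $spec)
{
    $clean  = [];
    $errors = [];
    foreach ($spec as $field => $rule) {
        $raw  = isset($form[$field]) ? trim($form[$field]) : '';
        // Only the keys filter_var() understands go in the options array
        $opts = [];
        if (isset($rule['options'])) { $opts['options'] = $rule['options']; }
        if (isset($rule['flags']))   { $opts['flags']   = $rule['flags']; }
        // VALIDATE_* filters return false on rejection; SANITIZE_* filters
        // return the cleaned string
        $value = filter_var($raw, $rule['filter'], $opts);
        if ($value === false) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

list($clean, $errors) = filterForm($form, $spec);
print_r($clean);   // name has ' < > encoded as entities; website passes
print_r($errors);  // email and age are rejected by their validators
```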
#2  06-23-2009, 08:45 AM
neonjuice (Registered User)
Join Date: Dec 2008 | Location: Minnesota | Posts: 113 | OS: Vista Ultimate 64 bit SP1, Linux Ubuntu, XP Pro

Re: PHP: Sanitizing Forms

Thank you very much. I am still learning PHP inside out and this really helps. Thank you.