On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote:

> On 07/28/2013 12:38 PM, Ashley Sheridan wrote:
> >On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote:
> >
> >>
> >>Never write your own form? I'm guilty - oh, so guilty. What exactly is
> >>a 'security hardened' form?
>
> - All forms need a valid CSRF token to avoid CSRF attacks. This
> needs to be matched between the submitted form and server-maintained
> state. Do all of your forms have that? Every single one? (A GET
> lookup form like a search box doesn't need it, but anything with
> POST does, I'd argue.)

Yes. I wrote a "bless" class just for this purpose, which I use on all
form pages.

> - Do you have a select element? Do you have error handling for when
> someone submits a value for that wasn't one of the option elements?

Yes, since I realize that what comes back to me may bear no resemblance
to what I coded in HTML. Thus, I always check for allowed "SELECT"
values.

> - Your text input field has a max length of 20. Does your code
> return an error when the user enters a string of 100 characters?

Yes. Same answer. Putting a max length of 20 in the HTML works okay, but
the user could still submit something much longer if they are attempting
to hack the page. Thus I always check for max characters on the return.

> - Are you checking for weird edge-case-y character encoding issues?
> (Some versions of some browsers can be hacked by sending UTF-7
> instead of UTF-8 for certain parts of the request. I don't fully
> understand that stuff myself, either.)

No I don't check for this.

> - You have a "number" field (HTML5). Does your PHP code handle
> someone submitting a string anyway?

I don't use HTML5 tags like this, since they are not universally
supported. However, I check that numbers look like numbers on return and
strings look like strings on return. PHP has built-in functions for
this. All this is part of my validation class.

> - Are you checking all of those correctly every single time you
> write a form?

Except as noted above. This is all home-grown, using native PHP
functions designed to do these things, and classes I've written. I
carefully examine each field when writing the POST-handling code with
the idea in mind that no matter what the HTML says, the return value
must conform to what *I* think it should be. No MVC framework written by
others (though I do conform to MVC paradigm).

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
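A PHP sketch of the server-side checks Larry lists and Paul describes (CSRF token, select allow-list, real length limit, encoding, numeric field), added here as an example and not code from either poster; the field names, the option list and the session key are assumptions:

```php
<?php
// Added example, not code from the thread. Field names ('color', 'name',
// 'qty'), the allowed option list and the 'csrf_token' session key are
// assumptions made for illustration.
declare(strict_types=1);

// Issue one CSRF token per session and embed it as a hidden field in
// every POST form; the submission is later compared against this value.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate a submitted form against server-side rules, ignoring whatever
// the HTML promised (maxlength, the <option> list, type="number").
function validateForm(array $post, array $session): array
{
    $errors = [];
    // CSRF: the token must be a string and match in constant time.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || $token === '' || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $token)) {
        $errors[] = 'missing or invalid CSRF token';
    }
    // <select>: accept only a value that was actually offered.
    $allowedColors = ['red', 'green', 'blue'];
    if (!in_array($post['color'] ?? null, $allowedColors, true)) {
        $errors[] = 'color is not one of the offered options';
    }
    // Text field: must be a string (not name[]=...), well-formed UTF-8 and
    // within the real limit; maxlength="20" is only a hint to the browser.
    $name = $post['name'] ?? '';
    if (!is_string($name) || !mb_check_encoding($name, 'UTF-8')) {
        $errors[] = 'name is not a valid UTF-8 string';
    } elseif (mb_strlen($name, 'UTF-8') > 20) {
        $errors[] = 'name exceeds 20 characters';
    }
    // Number field: the client may send any string, so require an integer
    // in range before the value is used anywhere.
    $qty = filter_var($post['qty'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]);
    if ($qty === false) {
        $errors[] = 'qty must be an integer between 1 and 999';
    }
    return $errors;   // an empty array means every check passed
}
```

Call `validateForm($_POST, $_SESSION)` at the top of the POST handler and refuse to process the request unless the returned array is empty.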