On 7/28/13 9:23 PM, Paul M Foster wrote:
On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote:
On 07/28/2013 12:38 PM, Ashley Sheridan wrote:
On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote:
Never write your own form? I'm guilty - oh, so guilty. What exactly is
a 'security hardened' form?
- All forms need a valid CSRF token to avoid CSRF attacks. This
needs to be matched between the submitted form and server-maintained
state. Do all of your forms have that? Every single one? (A GET
lookup form like a search box doesn't need it, but anything with
POST does, I'd argue.)
Yes. I wrote a "bless" class just for this purpose, which I use on all
form pages.
- Do you have a select element? Do you have error handling for when
someone submits a value for that wasn't one of the option elements?
Yes, since I realize that what comes back to me may bear no resemblance
to what I coded in HTML. Thus, I always check for allowed "SELECT"
values.
- Your text input field has a max length of 20. Does your code
return an error when the user enters a string of 100 characters?
Yes. Same answer. Putting a max length of 20 in the HTML works okay, but
the user could still submit something much longer if they are attempting
to hack the page. Thus I always check for max characters on the return.
- Are you checking for weird edge-case-y character encoding issues?
(Some versions of some browsers can be hacked by sending UTF-7
instead of UTF-8 for certain parts of the request. I don't fully
understand that stuff myself, either.)
No I don't check for this.
- You have a "number" field (HTML5). Does your PHP code handle
someone submitting a string anyway?
I don't use HTML5 tags like this, since they are not universally
supported. However, I check that numbers look like numbers on return and
strings look like strings on return. PHP has built-in functions for
this.
All this is part of my validation class.
- Are you checking all of those correctly every single time you
write a form?
Except as noted above. This is all home-grown, using native PHP
functions designed to do these things, and classes I've written. I
carefully examine each field when writing the POST-handling code with
the idea in mind that no matter what the HTML says, the return value
must conform to what *I* think it should be. No MVC framework written by
others (though I do conform to MVC paradigm).
Paul
Then you're not writing your own form tags from the sound of it; you're
writing your own Form API. Still an improvement. :-)
Now, let's talk about form accessibility...
--Larry Garfield
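The checklist Larry lays out above (per-session CSRF token checked on every POST, re-validating select values server-side, enforcing max length after the fact, and handling a "number" field that arrives as a string), as an added PHP example. This is not code from the thread or from either poster's own classes; the field names, allowed values and limits are made up for illustration, and it assumes a PHP session is available for the token and that $_POST holds the submitted form.

```php
<?php
// Added example, not from the thread: a small form-hardening helper that
// covers the checklist discussed above. Assumes a PHP session for the
// CSRF token and $_POST as the submitted form. Field names are examples.
declare(strict_types=1);

// --- CSRF token: one per session, compared in constant time ---
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every form that POSTs.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_valid(array $post): bool
{
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    // hash_equals avoids a timing side channel; both sides must be strings.
    return is_string($submitted) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// --- Field validators: trust nothing the HTML promised ---

// A <select> only narrows the browser's choices; the server re-checks
// against its own allow-list with strict comparison.
function validate_choice($value, array $allowed): ?string
{
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : null;
}

// maxlength="20" is advisory. Confirm valid UTF-8 first, then count
// characters (not bytes), then reject control characters.
function validate_text($value, int $max): ?string
{
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($value, 'UTF-8') > $max) {
        return null;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) ? null : $value;
}

// <input type="number"> can still arrive as "abc" or "1e3";
// FILTER_VALIDATE_INT accepts only a canonical integer in range.
function validate_int($value, int $min, int $max): ?int
{
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

// --- One POST handler using the pieces above ---
function handle_post(array $post): array
{
    if (!csrf_valid($post)) {
        return ['ok' => false, 'errors' => ['csrf' => 'invalid or missing token']];
    }
    $clean = [
        'colour'   => validate_choice($post['colour'] ?? null, ['red', 'green', 'blue']),
        'nickname' => validate_text($post['nickname'] ?? null, 20),
        'quantity' => validate_int($post['quantity'] ?? null, 1, 99),
    ];
    $errors = [];
    foreach ($clean as $field => $v) {
        if ($v === null) {
            $errors[$field] = 'rejected';
        }
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}
```

Usage: emit csrf_field() inside every form that POSTs, and call handle_post($_POST) at the top of the handler; any null in the returned data means the field failed validation and the request should be rejected rather than repaired. Note that validate_text rejects malformed UTF-8 outright, which also closes off the mixed-encoding tricks mentioned in the thread, since the server never tries to interpret a byte sequence it did not expect.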
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php