Re: PHP Security

So, you have a form, and you have a field named fname...
As you suggest, this will typically be available in $_POST['fname'], which you then wish to store in a database.

The minimum checks for any variable, should be for length and type.
In this case, I will assume you would like fname to be a string, and with a minimum length of 2 characters, and a maximum length of 100 characters.
Even though the database will support 255 in a VARCHAR, sanity tells us that any name which is longer than 100 characters is likely to be somebody trying something stupid.

So, in code, this check might look something like this..
<?php

$fname = 'Full Name';

// check the type first, then keep the length between 2 and 100 inclusive
if( is_string( $fname ) && strlen( $fname ) >= 2 && strlen( $fname ) <= 100 )
{
        echo "$fname is a valid name";
}
else
{
        echo "The variable supplied is invalid";
}

?>

This sort of minimal validation will work fine and you can have confidence that the variable is of the correct type and length.
However, this code would need to be repeated for _every_ form field which is a text or textarea field. That is a lot of code, so we can create a re-usable function, which we need to write only once to check.

<?php

$fname = 'Full Name';

if( isValidString( $fname, 2, 100 ) )
{
        echo "$fname is valid";
}
else
{
        echo "Full Name is invalid";
}

/**
 * Validate a string
 * @param       string  $string
 * @param       int     $min
 * @param       int     $max
 * @return      bool
 */
function isValidString( $string, $min, $max )
{
        // type first, then the caller's own $min/$max bounds (inclusive)
        if( is_string( $string ) && strlen( $string ) >= $min && strlen( $string ) <= $max )
        {
                return true;
        }
        return false;
}

?>

So, this function can now be used on any of your text based fields... however, whilst this function tells you if the variable is valid or not, there is no way to tell exactly why the variable is invalid. The end user would not know what they had done wrong.
So, rather than returning false, the function could return an error message if validation fails.
The following code adds an array of errors, which can be used to show an end user what the error is.
Also, a check has been put into the function that only alpha characters may be used, with spaces.
You may add whatever you need to the validation function, as your needs require.
<?php

$fname = 'Full Name';

$valid = isValidString( $fname, 2, 100 );

if( $valid === true )
{
        echo "$fname is valid";
}
else
{
        foreach( $valid as $error )
        {
                echo "$error\n";
        }
}

/**
 * Validate a string
 * @param       string  $string
 * @param       int     $min
 * @param       int     $max
 * @return      true|array  true on success, array of error messages otherwise
 */
function isValidString( $string, $min, $max )
{
        // errors array
        $errors = [];

        // type check first: strlen() and ctype_alpha() expect a string
        if( !is_string( $string ) )
        {
                $errors[] = 'Variable must be a string';
                return $errors;
        }

        if( strlen( $string ) < $min )
        {
                $errors[] = 'String is too short';
        }

        if( strlen( $string ) > $max )
        {
                $errors[] = 'String is too long';
        }

        // only letters and spaces allowed
        if( !ctype_alpha( str_replace( ' ', '', $string ) ) )
        {
                $errors[] = 'String must consist of alpha characters';
        }

        // return true if no errors, or array of errors
        return sizeof( $errors ) == 0 ? true : $errors;
}
?>

Enjoy
Kev
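
Putting the validation pattern from Kev's reply and the database part of Ashkar's question side by side, here is an added example (editor's code, not code from the thread): a name validator that returns an error list, followed by the insert done as a prepared statement through either PDO or pg_query_params(). It assumes PHP 8.0 or later with the mbstring, pdo_pgsql and pgsql extensions, a table named users with a column first_name, and the environment variables PG_DSN, PG_USER and PG_PASS; all of those names and the sample inputs are assumptions, not from the thread. Two caveats on the ctype_alpha()/strlen() version above that the example addresses: strlen() counts bytes, so an accented name looks longer than it is, and ctype_alpha() rejects legitimate names such as O'Brien or García-López, so the example counts characters with mb_strlen() and allows letters from any script plus space, hyphen and apostrophe.

```php
<?php
declare(strict_types=1);

/**
 * Validate a name field as delivered by $_POST['fname'].
 * Returns true when the value is acceptable, otherwise an array of
 * messages to show the user. The $min/$max defaults are assumptions.
 */
function validateName(mixed $value, int $min = 2, int $max = 100): bool|array
{
    // Type first: the string functions below must never see a non-string.
    if (!is_string($value)) {
        return ['Variable must be a string'];
    }

    $value  = trim($value);   // callers should store the trimmed value too
    $errors = [];

    // Count characters, not bytes: "José" is 4 characters but 5 bytes in UTF-8.
    $length = mb_strlen($value, 'UTF-8');
    if ($length < $min) {
        $errors[] = "Name must be at least $min characters";
    }
    if ($length > $max) {
        $errors[] = "Name must be at most $max characters";
    }

    // Letters from any script, combining marks (accents), spaces, hyphens and
    // apostrophes. Digits, other punctuation, control characters and markup
    // are rejected, and the /u flag makes preg_match() fail on invalid UTF-8.
    if (!preg_match('/^[\p{L}\p{M}\' \-]+\z/u', $value)) {
        $errors[] = 'Name may contain only letters, spaces, hyphens and apostrophes';
    }

    return $errors === [] ? true : $errors;
}

/**
 * Insert with PDO. The SQL text never contains user data; the value travels
 * as a bound parameter, so quote characters in the name cannot alter the query.
 * Table and column names are assumed for this example.
 */
function insertNameWithPdo(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (first_name) VALUES (:fname) RETURNING id');
    $stmt->execute([':fname' => $name]);
    return (int) $stmt->fetchColumn();
}

/**
 * The same insert without PDO. pg_query() with the value concatenated into the
 * SQL string is not safe; pg_query_params() is, for the same reason PDO is.
 */
function insertNameWithPg($conn, string $name): int
{
    $result = pg_query_params($conn, 'INSERT INTO users (first_name) VALUES ($1) RETURNING id', [$name]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return (int) pg_fetch_result($result, 0, 0);
}

// Constructed sample inputs standing in for $_POST['fname']; not real submissions.
$samples = [
    'Full Name',
    "Conan O'Brien",
    'José Ángel García-López',
    '  padded  ',
    'A',
    str_repeat('a', 101),
    '<script>alert(1)</script>',
    "Robert'); DROP TABLE users;--",
    42,
];

foreach ($samples as $sample) {
    $result = validateName($sample);
    $label  = is_string($sample) ? $sample : var_export($sample, true);
    echo $label, ' => ', $result === true ? 'valid' : implode('; ', $result), PHP_EOL;
}

// Only talk to PostgreSQL when a DSN is supplied, e.g.
//   PG_DSN='pgsql:host=localhost;dbname=app' PG_USER=app PG_PASS=secret php validate.php
$dsn = getenv('PG_DSN');
if ($dsn !== false) {
    $db = new PDO($dsn, getenv('PG_USER') ?: null, getenv('PG_PASS') ?: null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    foreach ($samples as $sample) {
        if (validateName($sample) === true) {
            echo 'inserted id ', insertNameWithPdo($db, trim($sample)), PHP_EOL;
        }
    }
}
```

Run it with php validate.php to exercise only the validator (the first three samples and the padded one pass; the rest fail with a reason each), and set PG_DSN to also perform the inserts. Nothing here strips tags: validation rejects anything that is not a name, and whatever is later printed into an HTML page should go through htmlspecialchars() at output time, which is the usual answer to the "remove tags" part of the question.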

On Thu, Jun 25, 2020 at 10:24 PM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
Thanks for your replies,

but could any of you give some codes of validating a form field, for example, getting the first name field text and inserting it to the database
at this line:

$firstName = $_POST['fname'];

which functions of PHP should I use here to put $_POST['fname'] into, to remove tags from it and prevent other security-related attacks?

And if I used pg_query( , ), is it safe if I don't use PDO? How would it be safe?

And if anyone needs to learn PHP, which website is good for providing non-copyrighted code? The PHP manual's code is copyrighted, so what's the benefit of reading the manual without using the code it provides?





On Thu, Jun 25, 2020 at 9:51 AM Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:


On June 24, 2020 11:36:15 PM UTC, Kevin Waterson <kevin.waterson@xxxxxxxxx> wrote:
>The best way to learn, is to start coding, and ask lots of questions.
>There are plenty of sites on the web which provide shitty code.
>DO NOT COPY AND PASTE.
>While the urge to simply copy somebody's code, and paste it into your
>application is inviting, this practice only leads to heartache and
>tears.
>You are certainly on the right track when asking about security. While
>you
>can write insecure code in any language, PHP perhaps lowers the bar in
>this
>regard.
>As your question relates to database, let's start there.
>PHP provides PDO for database operations, and allows variable binding
>and
>prepared statements.
>Prepared statements are great for stopping SQL injection, but this is a
>last stop.
>The real question is, Why would you send data to a database query
>without
>being sure of the type and length of the data you are sending.
>Validation:
>Everything coming from userland (eg: a website) should be regarded as
>insecure.
>Sure, you can put some HTML5, or JavaScript, validations on an email
>address, but changing the form type from "email" to "text" is a trivial
>task.
>To be absolutely sure of the content of input, you must create your own
>validations.
>How long can this address be? eg: If the email is being stored in a
>VARCHAR
>field, then 255 would be the max length.
>It must also contain a "@" character.
>It must end in ".something"
>These validations must be performed BEFORE you send the email address
>to
>the database.
>
>I, and many others here, are happy to answer your questions, and it
>sounds
>like you are beginning at the right place.
>
>Kev
>
>On Thu, Jun 25, 2020 at 6:56 AM Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>
>> Hi all,
>> could anyone give some detail about how to make a PHP web application
>> secure?
>> for example validation of form while using a PostgreSQL database,
>>
>> by the way, could you explain how users can freely learn PHP while
>the
>> codes from the PHP website are copyrighted, are developers able to
>use
>> codes from the PHP website or manual?
>>

To add to the security question, have a look at the OWASP Top 10 (https://owasp.org/www-project-top-ten/ ) and things like the PHP security advent calendar (https://blog.ripstech.com/2018/php-security-advent-calendar/ )
Thanks,
Ash
