cmccully
07 Sep 2010, 11:17 PM
Hi All,
I'm a bit new to web development and I think I'm at the point where I know just enough to be really dangerous. I have some questions about filtering the user inputs before submitting to the database.
What I am considering is a two stage validation wherein the input fields are checked first with JavaScript to ensure all the required fields are present and valid. Once these checks pass then the form is sent to PHP to check the data again before it is submitted to the database.
I see the JavaScript as just a convenience to the user as I assume a hacker will just craft a script to send malicious code directly to the server.
For the server side checks I am relying on PHP's filter functions as shown below. All user forms will be using SSL.
Will these functions eliminate the possibility of a hacker injecting code?
Is there anything else I should be doing?
I am concerned that FILTER_SANITIZE_EMAIL allows a lot of characters that I don't normally see in email address. Are all of these characters $-_.+!*'{}|^~[]`#%/?@&= necessary to accept valid email addresses?
If I validate the data in PHP then redisplay the HTML form with the invalid inputs present does this present any security risk if the form fields contain malicious code?
Any help / opinions are greatly appreciated. Thanks!
The form:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Form Filter Test</title>
<script type="text/javascript">
function verifyForm()
{
//Initialize Variables
valid = true;
document.getElementById('nameLabel').style.color = "black";
document.getElementById('emailLabel').style.color = "black";
var userData = document.form1;
//Check that user data exists
if (userData.name.value == "" || userData.email.value =="")
{
alert("Please fill out all fields.");
valid = false;
}
if (userData.name.value == "")
{
document.getElementById('nameLabel').style.color = "red";
}
if (userData.email.value == "")
{
document.getElementById('emailLabel').style.color = "red";
}
//Check validity and length of user data.
return valid;
}
</script>
</head>
<body>
<form id="form1" name="form1" method="post" action="formFilterTest.php" onsubmit="return verifyForm();">
<label for="name" id="nameLabel">Name:</label>
<input type="text" name="name" size="50" maxlength="50" />
<br />
<label for="email" id="emailLabel">Email:</label>
<input type="text" name="email" size="50" maxlength="50"/>
<br />
<input type="submit" name="Submit" value="Submit" />
</form>
</body>
</html>
Server side
<?php
// formFilterTest.php
$name = "";
$email = "";
$name = $_POST['name'];
$email = $_POST['email'];
// Verify required fields exist.
if (!$name || !$email)
{
echo "Please fill out all the required fields";
//Resubmit form with offending fields highlighted.
exit;
}
// Filter user data.
$name = filter_var($name, FILTER_SANITIZE_STRING);
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// Filter user data length.
$name = substr($name, 0, 49);
$email = substr($email, 0, 49);
// Verify email format.
if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
echo "Your email address is invalid!";
//Resubmit form with email highlighted.
exit;
}
// I guess we can trust the information now so
//process the user data.
echo "Name= " . $name;
echo "<br /><br />";
echo "Email= " . $email;
?>
I'm a bit new to web development and I think I'm at the point where I know just enough to be really dangerous. I have some questions about filtering the user inputs before submitting to the database.
What I am considering is a two stage validation wherein the input fields are checked first with JavaScript to ensure all the required fields are present and valid. Once these checks pass then the form is sent to PHP to check the data again before it is submitted to the database.
I see the JavaScript as just a convenience to the user as I assume a hacker will just craft a script to send malicious code directly to the server.
For the server side checks I am relying on PHP's filter functions as shown below. All user forms will be using SSL.
Will these functions eliminate the possibility of a hacker injecting code?
Is there anything else I should be doing?
I am concerned that FILTER_SANITIZE_EMAIL allows a lot of characters that I don't normally see in email address. Are all of these characters $-_.+!*'{}|^~[]`#%/?@&= necessary to accept valid email addresses?
If I validate the data in PHP then redisplay the HTML form with the invalid inputs present does this present any security risk if the form fields contain malicious code?
Any help / opinions are greatly appreciated. Thanks!
The form:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Form Filter Test</title>
<script type="text/javascript">
function verifyForm()
{
//Initialize Variables
valid = true;
document.getElementById('nameLabel').style.color = "black";
document.getElementById('emailLabel').style.color = "black";
var userData = document.form1;
//Check that user data exists
if (userData.name.value == "" || userData.email.value =="")
{
alert("Please fill out all fields.");
valid = false;
}
if (userData.name.value == "")
{
document.getElementById('nameLabel').style.color = "red";
}
if (userData.email.value == "")
{
document.getElementById('emailLabel').style.color = "red";
}
//Check validity and length of user data.
return valid;
}
</script>
</head>
<body>
<form id="form1" name="form1" method="post" action="formFilterTest.php" onsubmit="return verifyForm();">
<label for="name" id="nameLabel">Name:</label>
<input type="text" name="name" size="50" maxlength="50" />
<br />
<label for="email" id="emailLabel">Email:</label>
<input type="text" name="email" size="50" maxlength="50"/>
<br />
<input type="submit" name="Submit" value="Submit" />
</form>
</body>
</html>
Server side
<?php
// formFilterTest.php
$name = "";
$email = "";
$name = $_POST['name'];
$email = $_POST['email'];
// Verify required fields exist.
if (!$name || !$email)
{
echo "Please fill out all the required fields";
//Resubmit form with offending fields highlighted.
exit;
}
// Filter user data.
$name = filter_var($name, FILTER_SANITIZE_STRING);
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// Filter user data length.
$name = substr($name, 0, 49);
$email = substr($email, 0, 49);
// Verify email format.
if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
echo "Your email address is invalid!";
//Resubmit form with email highlighted.
exit;
}
// I guess we can trust the information now so
//process the user data.
echo "Name= " . $name;
echo "<br /><br />";
echo "Email= " . $email;
?>