
There are a lot of 'secure PHP form' questions out there, but I wasn't able to find a simple definitive 'bare-minimum needed' answer.

How would I go about making a form 100% safe? Is it as simple as running a function on the output like so:

$text = $_POST['text'];
$text = doThisToMakeSafe($text);

or are there other ways someone can get malicious access via a form without submitting?

Ideally, I'd like a snippet of code I can throw into all forms so that I never have to worry about any security issues. Is this possible?

John
    Secure against **what**? – SLaks Nov 07 '12 at 16:49
  • Security is all about context, not about carelessness. – mario Nov 07 '12 at 16:50
  • Each form is going to be different based on the inputs and the actions to be taken. Your best bet is to create several different ones, secure them as best you think you can, and then ask someone to critique the code or exploit the vulnerabilities. – rws907 Nov 07 '12 at 16:51
  • http://pear.php.net/package/HTML_QuickForm2 – hakre Nov 07 '12 at 16:52
  • I'm not sure what vulnerabilities exist as I'm reasonably new to PHP, I just want to avoid any issues if I put anything up publicly. My tools are mostly limited to manipulating inputted text to change the formatting or combining them with html templates – John Nov 07 '12 at 17:00

3 Answers

3

Ideally, I'd like a snippet of code I can throw into all forms so that I never have to worry about any security issues. Is this possible?

No. It's that easy to answer. What you are looking for is not possible.

You can create a form abstraction that just takes values and knows enough about how to create the output to take care of everything needed in a common place; however, the other way round is not possible: calling a function on some data that is then passed along.

hakre
  • So doing something like a preg_replace on certain known malicious code wouldn't work? How about strip_tags or html_entities or something like that? – John Nov 07 '12 at 17:05
  • You can throw tons of functions, replacements, magic-what-not onto a string. However, you will still be blind and not safe. Instead it is crucial to understand what is required for what. For example, you can have HTML tags inside a string and you can safely output it by using [`htmlspecialchars`](http://php.net/htmlspecialchars) - you need to use that anyway with the output, even for non-HTML strings (or those you don't think could contain it). But just to make it clear: There is no escape-and-filter-it-all function. Also it is not what you want (even if you look for it now). – hakre Nov 07 '12 at 17:08
  • So there is no common snippet of malicious code I can simply check for and replace? Maybe a list of disallowed characters? Alternatively if I use htmlspecialchars, wouldn't that remove all executable code, rendering the string completely safe? And if so, what is stopping the form from then being 100% safe? – John Nov 07 '12 at 17:18
  • If you have a list of disallowed characters for some values in your application, then you can check for that. For htmlspecialchars, that is for output only, not for input. What should I say? You are still looking at this from the wrong angle. You probably want to start with input filtering: [PHP Form Input Filtering](http://stackoverflow.com/a/8720530/367456) – hakre Nov 07 '12 at 17:51
  • Also check the QuickForm link I've posted. Using such a form abstraction will help you a lot in getting things done safely. – hakre Nov 07 '12 at 17:51
  • Thanks for your help hakre. Okay, correct me if I'm wrong, but output simply formats the string, while input filtering filters it, potentially keeping any malicious code out? The QuickForm link you posted is a little over my head as I'm a designer just trying to create some tools and my PHP knowledge is pretty basic. I did however read up on filters and it seems I need a sanitize filter. Would running one of the FILTER_SANITIZE filters on the input give me the 100%, or does that still leave the form vulnerable somehow? – John Nov 07 '12 at 18:28
0

Context-aware validation is a part of making any field secure, so what you're asking for is impossible on this premise alone.

Ryan Kempt
0

John, it depends on what you are going to do with the value.

Most of the questions are able to prevent SQL injection. You should look up validation.

Ed Heal
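What the three answers mean by "context", as an added PHP example that is not code from the question or from any of the answers: each submitted value is validated for the field it belongs to, and is then escaped with a different rule for each place it is written to (HTML text, HTML attribute, a JavaScript string, SQL). The field names, the `orders` table and the sample submission are constructed for the demonstration; it assumes PHP 7.3 or later and, for the storage part, the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or from any of the answers.
// Validate a value for what the field is supposed to hold, then escape it
// differently for each place it is written to (HTML, JavaScript, SQL).
// Field names, the table and the sample submission are constructed.

// Constructed stand-in for $_POST from a submitted form.
$post = [
    'qty'     => '12',
    'email'   => 'jane@example.com',
    'comment' => 'I said "hi" & left; x" onmouseover="alert(1)',
];

// --- Input: validate each field against what it is supposed to be ------
function validQuantity(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $n === false ? null : $n;
}

function validEmail(string $raw): ?string
{
    $e = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}

function validComment(string $raw): ?string
{
    // Free text: only well-formed UTF-8 and a length limit are checked.
    // Quotes, '<' and '&' are legitimate characters in a comment; they are
    // dealt with at output time, not by mangling the stored value.
    if (preg_match('//u', $raw) !== 1 || strlen($raw) > 2000) {
        return null;
    }
    return $raw;
}

// --- Output: one escaping rule per context ----------------------------
function forHtml(string $s): string
{
    // Correct for HTML text nodes and for double-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forJs(string $s): string
{
    // Correct for a string literal inside a <script> block. The JSON_HEX_*
    // flags keep '</script>' and quotes from closing the surrounding markup.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// --- Storage: bound parameters, never string concatenation -------------
function store(PDO $db, int $qty, string $email, string $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO orders (qty, email, comment) VALUES (:qty, :email, :comment)'
    );
    $stmt->execute([':qty' => $qty, ':email' => $email, ':comment' => $comment]);
}

// Validation rejects values that do not fit the field, whatever they contain.
var_dump(validQuantity('12abc'), validEmail('not an address'));

$qty     = validQuantity($post['qty']);
$email   = validEmail($post['email']);
$comment = validComment($post['comment']);
if ($qty === null || $email === null || $comment === null) {
    exit("invalid submission; re-display the form with an error\n");
}

// Why there is no single "make safe" function: the comment contains no tag,
// so strip_tags() returns it unchanged, and inside an attribute the stray
// quote closes the value and injects an event handler. Context-correct
// escaping encodes the quote instead.
echo '<input value="' . strip_tags($comment) . "\">\n";
echo '<input value="' . forHtml($comment) . "\">\n";
echo '<p>' . forHtml($comment) . "</p>\n";
echo '<script>var c = ' . forJs($comment) . ";</script>\n";

// SQLite in memory so this runs offline (assumes the pdo_sqlite extension).
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE orders (qty INTEGER, email TEXT, comment TEXT)');
    store($db, $qty, $email, $comment);
    // The quote reaches the database intact; the driver, not the data,
    // decides where the statement ends.
    echo $db->query('SELECT comment FROM orders')->fetchColumn(), "\n";
}
```

Run it with `php example.php` and compare the first two `<input>` lines: `strip_tags()` leaves the attribute break-out in place because nothing in the value looks like a tag, while `htmlspecialchars()` with `ENT_QUOTES` encodes the quote. The same stored comment is then written into a `<script>` block with a JSON encoder, not with `htmlspecialchars()`, and into the database through a bound parameter, which is the point hakre and Ed Heal make: the value is not "safe" or "unsafe" on its own, only correct or incorrect for the place it ends up.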