a brief discussion of securing PHP input

A very brief tutorial/comment on securing inputs in your PHP script to prevent HTML, JavaScript, SQL or other injection type attacks. There is basically nothing to this, it is more a matter of using a bit of common sense and not leaving open doors which are extremely simple to close without effort.

A PHP input takes in variables from a user either from a form, or directly from the URL linking to the page. In either case, a malicious user can insert data which contains scripting elements and distorts your page or, much worse, alters or gives access to your database and/or site admin. General input error checking works, but only for data entered through your site (example form.php below).

<html>
<head>
....
</head>
<body>
<form action="action.php">
<input type="text" name="urlfield" maxlength="80" length="20">
<br />
<input type="text" name="inputfieldtext" maxlength="40" length="20">
<br />
<input type="password" name="inputfieldpass" maxlength="40" length="20">
<br />
<input type="submit" name="submit" value="submit">

</form>
</body>
</html>

A malicious user can point a URL to your site, which they then populate with data themselves from their end. For example they make a form on their own site, which points to your results page, thereby avoiding your data integrity check before submission. In order to “allow” for this, and prevent the malicious user’s efforts getting through and doing damage, sterilising should be performed on the input before using it (example action.php below).

<?php
$url= htmlspecialchars($_REQUEST['urlfield']);
$text = htmlspecialchars($_REQUEST['inputfieldtext']);
$pass= htmlspecialchars($_REQUEST['inputfieldpass']);
?>

or to apply it to a more “dangerous” scenario where a fuller spectrum of special characters are used:

<?php
$input= htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $input; // &lt;a href='test'&gt;Test&lt;/a&gt;
?>

What this does is take any input data and use PHP’s inbuilt htmlspecialchars($str[, ENT_QUOTES]) function to encode HTML’s special characters so that they are not interpreted by the browser. I use the ENT_QUOTES option in order to include single quotes in the encoding. For absolute encoding use PHP’s htmlentities($str[, ENT_QUOTES]) function. This encodes ALL HTML special characters, while htmlspecialchars($str[, ENT_QUOTES]) only encodes the basic HTML special characters, which is normally useful enough for most everyday web programming.

Advertisements

some cool stuff, and an update from me

I found a few cool things on my perusal of Uncrate recently, so I thought I’d share them with you. They’re ALL stuff I would love to have, either for their cool, or just ’cause I could. First off we have the space trampoline which is basically two courts on a trampoline where you bounce and compete against someone to get a ball through a tunneled, netted gantry and past them. Essentially a cross between volley-ball and trampolining, the game of Spaceball was invented in the early 1960s by trampoline pioneer George Nissen. It has been hailed by Scott Carpenter, one of NASA’s original Mercury Seven astronauts, as

the best conditioning exercise for space travel

The game requires hand-eye coordination, balance, timing, and trickery to get your ball past your oponent to the other side.

Next up is the predator pool table from Hurricaine Billiards. Nothing much to say here really, just plain awesome, and it would great in any Man Cave. Also looking perfect in any man cave would be the markham console bar from Pottery Barn. Just a very stylish, rustic look bar for the man who is a man. To serve your drinks from the bar, a real man’s set of tumblers is required, and these concrete tumblers from Charles and Marie are just the thing. Rugged, sturdy, and solid.

For going a little over the top you could get yourself a fully chromed lamborghini murcielago which has been seen in London. Not quite my cup of tea (but I wouldn’t say no to a Lamborghini of any sort!), but sure to tempt somebody if it comes up for sale. [thanks to jalopnik.com for the Lambo tip off]

Back in the real world, ie stuff I may actually get in the semi-near future, I had a couple of monologues over the past week regarding Apple and their App Store so I thought I’d better have a little spiel about good Apple stuff. I did say that I don’t hate Apple and, while I’m not a fan-boi, I do love their products. They are definitely class. An excellent combining of aesthetics and design, with functioning products that definitely achieve their purpose. While generally more expensive than their counterparts, I personally feel that the price is somewhat justified. That said, I think computers (and most consumer goods) do cost a little too much for the most part. Because I am well aware that my opinion carries a massive amount of weight, and influences everyone that matters, I just thought I’d out this out there and balance my past rants about Apple. I still think they are being a bit out of synch with reality but, that said, who knows what cunning plan Apple has and is working towards with their latest actions. We all know that Apple has to be one of the slickest PR and marketing operations in the world, and they would have expected the backlash they are currently receiving.

I spent quite a bit of time today playing with T-SQL and SQL Server, and had a fair amount of fun, I have to say. While at first the vaguaries and slight variations between MySQL (my native SQL for all my PHP work) and T-SQL syntax were “fluffy”, I cam around pretty quick and caught on to some nice tricks for my coding there. Admittedly I hadn’t done a great amount of Prepared Statements and Stored Functions in MySQL either, but between T-SQL and SQL Server they really came together tidily and easily. I’m liking Microsoft’s efforts there so far. I’ll have to put up a few little tricks tomorrow as a mini-tutorial, just to share something.

I also noticed today that one of my YouTube videos from a prior post has been removed at owner’s request. A bit stink really as it’s been on YouTube for a couple of years, and only just got pulled on the last few days. I’m pretty certain it’s not my massive viewership stats on here that have pushed traffic over to it and had it pulled, but I’ll be trying to find another copy of it in the next few days to get it back in action.

Enough from me now, back to the study thing now that I’m home (I wrote most of this in breaks at work!!).