Programming a Safe Web Form
Posted by misterDog • 8/07/08
Tags: forms, web, web forms
So I have a simple form, basically like the one at the link. With a form like that, people can enter anything, including hacks. I realize everyone knows this.
My question is, is there a PHP function or sample code that will scrub the entry for dangerous characters, so it will then be safe to submit the entered/scrubbed value to the database, without blowing up my site?
For instance, how does Blog Catalog protect itself from malicious form submissions?
I understand about use of captchas, and limiting access to forms, but after all that, it's still necessary to make sure the values submitted in the forms are not going to damage anything. That is the step I am focused on now.
As always, any and all information and commentary will be appreciated immensely.
Best regards,
MisterDog
aka Dan Allen
Here is the demo link: danallen.com/zDemos/demoForm.htm
User Comments
First things first. Kat, you sound better on the phone than anyone I ever talked to before.
During the day, I run Nascar, no media allowed.
At night and on weekends, I am running Formula 1 Indy. You can monitor the action at my site.
To reduce the weight on my race vehicle, I am dumping most of the stuff from my current site to a stash people can spend time with, if they want. My racing site has some free stuff, but the juiciest material requires a subscription. This is what I spend my time on, plus doing sites for friends and family.
I use jotform.com and they do it all for me. It is free and it looks pro and you can code it too.
inglesperu.blogspot.com/
You can code it to accept certain characters and stuff (like email or only numbers). Mine is simple, but now jotform.com offers many designs.
Thank you latincool, simple is good. Makes it understandable.
Jotform is cool. It gives a way to build the form, but then, when someone uses the form, it is submitted to their server for processing. Then you get the results back through a widget in your site.
My goal, maybe a fool's goal, is to process the forms on my server, with my code. I am looking for the form processing code. Making the form is not my problem, it's filtering the input, to make sure I don't get hacked.
I need to own the form processing software. That is what this thread is about.
Turn Magic Quotes on if you want to be lazy.
str_replace() is your friend if you're not familiar with regular expressions. The same concept can be applied to profanity filtering.
Use intval() where appropriate.
For example:
```php
// intval() forces $id to an integer before it is placed in the query
$sql = mysql_query("SELECT penislol FROM lame WHERE id = '".intval($id)."'");
// str_replace() here only masks profanity; the title, body and cookie value
// are still placed in the SQL text unescaped
if (!mysql_query("INSERT INTO articles (title, author, body) VALUES ('".str_replace("fuck","****",$_POST["title"])."', '".$_COOKIE["member_id"]."', '".str_replace("fuck","****",$_POST["body"])."');"))
{
    die(mysql_error());
}
```
Thank you Voodookobra.
I have been thinking of using str_replace(). My problem with that is how to come up with a comprehensive, bullet-proof list of characters or character sequences to look for. It only takes missing one, and BOOM.
Not worried about profanity, only sql injection, or breaking the PHP with bogus characters. For instance, ` can break stuff, so I know to not let that in. Is there a complete list of characters to disallow?
Or, what about the other option, of allowing only certain characters? Seems to me, that would be more safe.
As for lazy, it's the only thing I care about. I am looking up magic quotes now.
If you only want to allow certain characters, look up regular expressions.
www.regular-expressions.info/
Here is some info on this topic from a thread I started on Experts-Exchange:
www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Da...
LordOfPorts
I am unfortunately not aware of any one particular security framework; however, the PEAR repository (pear.php.net/packages.php) is a very useful source of various modules related to database interaction, as is ADODB (adodb.sourceforge.net/). Their code often follows best practices when it comes to interacting with a database, e.g. when you insert data, and they offer functions that escape problematic characters. However, it would be fairly simple for you to implement the examples above, e.g.:
1. Removing HTML code from user entered data in the form, only the paragraph and break tags are allowed so any attempts to inject script will be prevented:
```php
// second argument lists the tags to keep; everything else is removed
$sUserComment = strip_tags($_POST['txtComment'], '<p><br>');
```
2. Next step, use the mysql_real_escape_string function to escape special characters prior to inserting the data into the database (requires a connection to the database to be already established):
```php
$sUserComment = mysql_real_escape_string($sUserComment);
```
3. Another approach, use the htmlentities function to convert characters that have a special meaning to their HTML equivalents:
```php
$sUserComment = htmlentities($_POST['txtComment'], ENT_QUOTES);
$sUserComment = mysql_real_escape_string($sUserComment);
```
At this point you can insert the data into the database having removed or escaped potentially dangerous characters. These are relatively simple but effective steps to prevent attempts to inject Javascript or SQL commands.
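The pieces of advice in this thread, put together in one handler, as an added example that is not code from any poster here: the whitelist validation misterDog asked about (a regular expression that only lets certain characters through, as Voodookobra suggested), LordOfPorts' strip_tags() step with the paragraph and break tags kept, and the insert itself. It goes one step past the thread for the database part: instead of mysql_real_escape_string() it binds the values as parameters of a prepared statement, so the SQL text is fixed and the data cannot alter it; htmlspecialchars() is applied when the comment is displayed rather than before it is stored. The field names (txtName, txtEmail, txtComment), the comments table, the length limits and the SQLite in-memory database used for the demo are all assumptions for this example.

```php
<?php
// Added example (not from the thread): whitelist-validate form fields, strip
// HTML except <p> and <br>, store with a prepared statement, escape on output.
// Field names, table name, limits and the SQLite demo database are assumptions.

declare(strict_types=1);

// Validate the submitted fields. Returns ['ok' => bool, 'errors' => [...], 'data' => [...]].
function validate_comment(array $post): array
{
    $errors = [];
    $data   = [];

    // Whitelist: a display name may contain only letters, digits, spaces,
    // dots, hyphens and underscores, 1..40 characters. Anything else is rejected.
    $name = trim((string)($post['txtName'] ?? ''));
    if (preg_match('/^[A-Za-z0-9 ._-]{1,40}$/', $name) !== 1) {
        $errors[] = 'name: only letters, digits, space, . _ - (1-40 chars)';
    } else {
        $data['name'] = $name;
    }

    // E-mail: use PHP's validator rather than a hand-written regular expression.
    $email = trim((string)($post['txtEmail'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    } else {
        $data['email'] = $email;
    }

    // Comment body: drop every tag except <p> and <br>, then bound its length.
    $comment = trim(strip_tags((string)($post['txtComment'] ?? ''), '<p><br>'));
    if ($comment === '' || strlen($comment) > 2000) {
        $errors[] = 'comment: required, at most 2000 bytes';
    } else {
        $data['comment'] = $comment;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

// Insert with a prepared statement: the SQL text never changes and the values
// travel as bound parameters, so quotes, backticks or semicolons in the data
// are stored as data and cannot change the statement.
function insert_comment(PDO $db, array $data): int
{
    $stmt = $db->prepare('INSERT INTO comments (name, email, body) VALUES (:name, :email, :body)');
    $stmt->bindValue(':name',  $data['name'],    PDO::PARAM_STR);
    $stmt->bindValue(':email', $data['email'],   PDO::PARAM_STR);
    $stmt->bindValue(':body',  $data['comment'], PDO::PARAM_STR);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Escape for display: this is where htmlentities()/htmlspecialchars() belongs,
// so what is stored stays the literal text the user typed.
function render_comment(array $row): string
{
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
        . ': ' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</li>';
}

// Demo on two constructed submissions, using an in-memory SQLite database so
// it runs without a MySQL server (requires the pdo_sqlite extension).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, email TEXT, body TEXT)');

    $submissions = [   // constructed sample input
        ['txtName' => 'Dan Allen', 'txtEmail' => 'dan@example.com',
         'txtComment' => "It's a <b>great</b> form<br>thanks'); DROP TABLE comments;--"],
        ['txtName' => 'x<script>', 'txtEmail' => 'nope',
         'txtComment' => '<script>alert(1)</script>'],
    ];

    $select = $db->prepare('SELECT name, body FROM comments WHERE id = :id');
    foreach ($submissions as $post) {
        $result = validate_comment($post);
        if (!$result['ok']) {
            echo 'rejected: ' . implode('; ', $result['errors']) . "\n";
            continue;
        }
        $id = insert_comment($db, $result['data']);
        $select->execute([':id' => $id]);
        echo "stored #$id: " . render_comment($select->fetch(PDO::FETCH_ASSOC)) . "\n";
    }
    // The comments table still exists: the injected text went in as data, not as SQL.
    $tables = $db->query("SELECT name FROM sqlite_master WHERE type = 'table'")->fetchAll(PDO::FETCH_COLUMN);
    echo 'tables: ' . implode(',', $tables) . "\n";
}
```

Run it with `php handler.php`. The first submission is accepted with the `<b>` tags removed and the `<br>` kept, and the quote and semicolon in its body are stored literally because they never become part of the SQL; the second is rejected by the name and e-mail whitelist before anything reaches the database. Note that the whitelist decides what is allowed in, the prepared statement protects the query, and the output escaping protects the page: each step covers a different place where the data is interpreted, which is why none of them can be skipped in favour of a single list of "bad characters".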