Jun 18, 2011

PHP Forms: Form Security

In my last two PHP posts, I showed you how to insert values into the database and how to retrieve them. The scripts in those stones used no security at all; they were only meant to teach those topics. In this stone I will try to show you how to protect our form against attacks such as cross-site scripting (XSS) and SQL injection. Before diving into the code, I would like to talk about a few settings and functions that are essential to securing a form.

Registering Globals

The first thing you need to know about is register_globals. Before PHP 4.2.0 the register_globals setting was ON by default. It let PHP automatically turn every request parameter (form field, query string, cookie) into a similarly named global variable. That convenience caused a lot of security problems: an attacker could set any variable your script forgot to initialise, simply by adding a parameter to the request. It therefore became preferable to read input through PHP's predefined superglobal arrays. It is also more secure to use the specific arrays $_GET, $_POST, $_COOKIE, $_SERVER or $_ENV rather than the general $_REQUEST, which merges several of them and hides where a value came from. Hence from PHP 4.2.0 onward register_globals was OFF by default, and in PHP 5.4 it was removed altogether.

Tips:

1) Keep register_globals OFF. It is off by default since PHP 4.2.0 and gone since 5.4; if you control the PHP installation and it is still on, turn it off. Either way, be very careful with how you process forms: initialise every variable before you use it, and do not recreate the same behaviour by calling extract() or parse_str() on request data.

2) Read input through the superglobal arrays $_GET, $_POST and $_COOKIE (the commonly used ones) instead of relying on global variables.
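As an added example (not code from the original post), here is the classic register_globals failure: an access check that relies on a variable being unset unless the login succeeded. register_globals itself no longer exists, so the script reproduces its effect with extract(), which turns array keys into local variables just as register_globals did for request parameters and is still available in current PHP. The request array, the function names and the login flag are constructed for the example; it needs PHP 7 or later.

```php
<?php
// Added example, not from the original post: register_globals-style variable
// injection and the explicit-superglobal fix. extract() stands in for
// register_globals = On, which was removed in PHP 5.4.

/**
 * Vulnerable: relies on $authorized being unset unless the login succeeds.
 * $request simulates $_GET/$_POST. extract() registers every key as a local
 * variable, exactly as register_globals did for every request parameter
 * (it would even overwrite $login_ok if the attacker sent that name).
 */
function grant_access_vulnerable(array $request, bool $login_ok): bool
{
    extract($request);                 // like register_globals = On
    if ($login_ok) {
        $authorized = true;
    }
    return !empty($authorized);        // attacker-controlled if never set above
}

/**
 * Hardened: every variable is initialised before use, and request data is
 * read by name from the one superglobal it is expected in, never turned
 * into local variables wholesale.
 */
function grant_access_hardened(array $post, bool $login_ok): bool
{
    $authorized = false;                     // explicit default
    $username   = $post['username'] ?? '';   // read by name, from $_POST only
    if ($login_ok && $username !== '') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: a failed login, plus an extra parameter the attacker
// added to the form submission (e.g. ?authorized=1).
$attacker_request = ['username' => 'mallory', 'authorized' => '1'];

var_dump(grant_access_vulnerable($attacker_request, false));
var_dump(grant_access_hardened($attacker_request, false));
```

In the vulnerable version the attacker's extra parameter becomes the local $authorized, and because the failed login never assigns it, the stale attacker value is what gets tested. The hardened version never lets request keys become variable names and starts from an explicit false, so the extra parameter is simply ignored.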


Magic Quotes

Magic Quotes (the magic_quotes_gpc setting) automatically escapes single quotes, double quotes, backslashes and NUL bytes with a backslash in all incoming GET, POST and cookie values. If Magic Quotes is enabled on your server, you can undo its effect with the stripslashes() function, which returns the string with the backslashes removed: \' becomes ', and a double backslash (\\) becomes a single backslash (\). Magic Quotes was deprecated in PHP 5.3 and removed in PHP 5.4, so on those versions the stripslashes() step below is simply skipped.

Sample:


$str = "It is Ramesh\'s php notes";

// Outputs: It is Ramesh's php notes
echo stripslashes($str);

Sample Function:

function escape_value( $data ) {
    // Undo magic quotes first so the value is not escaped twice.
    if ( ini_get( 'magic_quotes_gpc' ) ) {
        $data = stripslashes( $data );
    }
    // Requires an open mysql_connect() link; escapes for the connection's character set.
    return mysql_real_escape_string( $data );
}

We first check whether the data has already been run through magic quotes (the magic_quotes_gpc setting). If so, we strip the slashes so that the data doesn't get escaped twice.
mysql_real_escape_string() then escapes the characters that are special inside a MySQL string literal (quotes, backslashes, NUL, newlines) according to the character set of the current MySQL connection. That is why it needs an open connection, and why you should set the connection character set with mysql_set_charset() before calling it; escaping for the wrong charset can leave a quote unescaped.

Test the magic quotes status with ini_get(). On current PHP versions magic_quotes_gpc is off by default (and removed in 5.4), so ini_get() returns a falsy value and the stripslashes() step is skipped.

Use:


if ( strlen( $username ) > 0 ) {
    $username = escape_value( $username );
} else {
    $username = NULL;
    echo "Enter username";
}

Tips:

1) Run mysql_real_escape_string() on ALL THE VARIABLES that you insert or update through mysql_query(), and put each escaped value inside single quotes in the SQL. Escaping only protects a value that sits inside a quoted string literal; a value used as a bare number (WHERE id = $id) must be cast with (int) or (float) instead, because there is no quote for the escaping to protect.

2) Run mysql_real_escape_string() on ALL THE VARIABLES that users can manipulate during form processing, including hidden fields and cookies, right before they go into a query. The cleaner alternative, which removes the quoting problem entirely, is a prepared statement with bound parameters (mysqli or PDO).
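The following is an added example, not code from the original post: the same login lookup written three ways against a constructed injection payload, so the difference between raw interpolation, escaping and a prepared statement is visible. The mysql_* extension the post uses was removed in PHP 7.0, so PDO is used here, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone (it needs the pdo_sqlite extension; the function names, table and rows are the example's own). The quoting rules that matter for this payload are the same on both databases.

```php
<?php
// Added example, not from the original post. PDO + in-memory SQLite stand in
// for the post's mysql_* calls; mysql_real_escape_string() was removed in PHP 7.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Plaintext passwords only to keep the demo short; real code stores password_hash() output.
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $db;
}

// 1) Vulnerable: raw interpolation, the pattern from the earlier insert/retrieve posts.
function login_vulnerable(PDO $db, string $u, string $p): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$u' AND password = '$p'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2) Escaped: PDO::quote() escapes the value for this driver *and* wraps it in
//    quotes. mysql_real_escape_string() / mysqli_real_escape_string() do not add
//    the quotes, so with them you write '...' around the result yourself.
function login_escaped(PDO $db, string $u, string $p): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE username = ' . $db->quote($u)
         . ' AND password = ' . $db->quote($p);
    return (int) $db->query($sql)->fetchColumn();
}

// 3) Prepared statement: the values never become part of the SQL text, so no
//    escaping is needed and bare numeric columns are covered as well.
function login_prepared(PDO $db, string $u, string $p): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$u, $p]);
    return (int) $stmt->fetchColumn();
}

$db = make_db();

// Constructed attacker input: the password field closes the string literal and
// appends a tautology, so the WHERE clause becomes (... AND password = '') OR '1'='1'.
$username = 'nobody';
$password = "' OR '1'='1";

printf("vulnerable: %d row(s)\n", login_vulnerable($db, $username, $password));
printf("escaped:    %d row(s)\n", login_escaped($db, $username, $password));
printf("prepared:   %d row(s)\n", login_prepared($db, $username, $password));
// A genuine login still works through the safe versions:
printf("alice via prepared: %d row(s)\n", login_prepared($db, 'alice', 's3cret'));
```

In the vulnerable query the payload's first quote terminates the password literal and the OR makes the whole WHERE clause true for every row, which is the "log in without a password" bypass. In the escaped query the quote is doubled (or backslashed, on the MySQL driver), so the database compares the password column against the literal text of the payload and finds nothing; the prepared statement reaches the same result without any string surgery, which is why it is the preferred approach today.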


htmlentities

Another must-use function is htmlentities(). It converts characters that have an HTML entity equivalent (at a minimum &, <, > and the quotation marks) into those entities. The browser then displays the converted text literally instead of interpreting it as markup, so user input cannot inject tags or script into our page (XSS) while the original value is still shown to the reader.

$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);

Tips:

1) Put all the variables through mysql_real_escape_string() (and inside single quotes) before using them in a database query.

2) Put all the variables through htmlentities() with ENT_QUOTES and an explicit charset before outputting them, whether they come straight from the form or back out of the database.
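As an added example (not code from the original post), here is output escaping applied to a small page fragment in both the HTML text context and a single-quoted attribute, which is the case the ENT_QUOTES flag exists for. The helper name h(), the fragment and the two payloads are this example's own choices; it needs PHP 7 or later.

```php
<?php
// Added example, not from the original post: output escaping for HTML text
// and attribute contexts, with a vulnerable and a hardened renderer.

/** Escape a value for HTML text or for a double- or single-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES: escape ' as well as ", so a single-quoted attribute cannot be
    // closed early (before PHP 8.1 the default, ENT_COMPAT, leaves ' alone).
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
    // 'UTF-8': name the charset explicitly so it matches the page's encoding.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Page fragment that echoes the submitted name without escaping (vulnerable). */
function render_unescaped(string $name): string
{
    return "<p>Hello, $name</p>\n<input type='text' name='name' value='$name'>";
}

/** Same fragment with every interpolated value passed through h(). */
function render_escaped(string $name): string
{
    $safe = h($name);
    return "<p>Hello, $safe</p>\n<input type='text' name='name' value='$safe'>";
}

// Constructed payloads: one aimed at the text context, one at the single-quoted attribute.
$payloads = [
    '<script>alert(document.cookie)</script>',
    "x' onfocus='alert(1)' autofocus='",
];

foreach ($payloads as $p) {
    echo "--- payload: $p\n";
    echo "unescaped:\n", render_unescaped($p), "\n";
    echo "escaped:\n",   render_escaped($p),   "\n";
    // Default flags are not enough for the attribute payload on PHP < 8.1,
    // because ENT_COMPAT leaves the single quote untouched:
    echo "htmlentities() with default flags: ", htmlentities($p), "\n\n";
}
```

The second payload is the one worth studying: it contains no < or > at all, so a check that only strips tags would pass it, yet in the unescaped fragment it closes the value='...' attribute and adds an onfocus handler. With ENT_QUOTES the quote becomes &#039; and the browser treats the whole thing as the field's text. htmlspecialchars() with the same flags is equally sufficient for XSS and is the more common choice, since it does not expand accented or non-ASCII characters.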

Next Part

PHP Form: Validation and Security

