18
2011
PHP Forms: Form Security
An article by 
In my last two php posts, I showed you how to insert and retrieve values from the database. In the scripts done in those stones, we have not used any kind of security and those scripts were only meant to learn those topics. In this stone I will try and teach you how to secure our form from various attacks like XSS, SQL injection etc. Before diving into the code, I would like to talk about few security measures/functions that are absolutely necessary to secure our form.
Registering Globals
The first one you need to know is about Registering Globals. Prior to PHP version 4.2, register_globals setting was turned ON by default. This feature gave PHP the luxury of automatically turning form into similarly names variables. But this kind of practice caused a lot of security issues and it was preferable to use PHP Predefined Variables. It was considered more secure to use $_ENV, $_GET, $_POST, $_COOKIE, or $_SERVER instead of using the more general superglobal $_REQUEST. Hence in the later version of PHP, register_global was turned OFF by default.
Tips:
1) Turn ON register_global back ON if you have control over php installation and be very careful with how to process forms.
2) Start using super global variables such as $_GET, $_POST, $_COOKIE (commonly used) etc.
Magic Quotes
Magic Quotes will automatically escape single and double quotation marks in the values of the retrieved variables. If Magic Quotes is enabled in your server, you can undo its effect using the stripslashes() function. This will remove any backslash found in your data. It will return a string with backslashes stripped off. (\ becomes (), Double backslashes (\\) are made into a single backslash (\).
Sample:
$str = "It is Ramesh\'s php notes"; // Outputs: It is Ramesh's php notes echo stripslashes($str);
Sample Function:
function escape_value( $data ) {
if( ini_get ( 'magic_quotes_gpc') ) {
$data = stripslashes($data);
}
return mysql_real_escape_string($data);
}
}
We will check whether the data has already been run through magic_quotes_gps() or not. If true, we first strip the slashes so that the data doesn’t get over-escaped.
mysql_real_escape_string() function escapes a string according to the language being used.
Test magic quotes status using ini_get(). In current version of Magic Quotes, ini_get() is turned off so it return FALSE.
Use:
if ( strlen($username ) > 0 ) {
$username = escape_value ( $username );
} else {
$username = NULL;
echo "Enter username";
}
Tips:
1) Use mysql_real_escape_string() on ALL THE VARIABLES that you are inserting/updating in the mysql_query().
2) Use mysql_real_escape_string() on ALL THE VARIABLES that users can manipulate in form processing.
htmlentities
Another must-use function is the htmlentities(). This converts all the special characters into HTML entity equivalents. Thus, the browser interprets the converted HTML equivalent in a special way so that it doesn’t change the script of our code and original values are preserved.
$str = "A 'quote' is <b>bold</b>"; // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str); // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str, ENT_QUOTES);
Tips:
1) put all the variables through mysql_real_escape_string() before querying it in the database.
2) put all the variables through htmlentities() before outputting it.
Next Part
PHP Form: Validation and Security
Subscribe to fortystones.
Follow @fortystones on Twitter.
Get updated from our Facebook Fanpage.
Related Posts
16 Comments + Add Comment
Leave a comment
Fortystones Lab Projects
Categories
- Articles (43)
- Idea (2)
- Review (5)
- Social Media (29)
- Trending Topics (13)
- Collection (29)
- How To (27)
- Linux (28)
- News (15)
- PHP (6)
- Project (2)
- Tutorials (36)
- Java (4)
- Programming (10)
- Wordpress (7)
Popular Posts
- 40 Basic Linux Command-line Tips and Tricks
- Tips and Tricks for Facebook Chat (Save History/ Video Chat/ Send Files)
- 40 Linux Shell Commands for Beginners
- Creating a Simple GUI for Absolute Beginners (Java Tutorials)
- Online Coding Zones for Programmers
- Special: Facebook Smiley, Special Text Symbols and ASCII Arts
- The First on the World Wide Web
[...] 3) PHP Forms: Form Security [...]
[...] the original post here: PHP Form for Beginners: Form Security | fortystones Share and [...]
[...] from: PHP Form for Beginners: Form Security | fortystones Bookmark to: This entry was posted in Uncategorized and tagged database, from-the-database, [...]
PHP Form Security…
In this article I will try and teach you how to secure our form from various attacks like XSS, SQL injection etc….
[...] reading here: PHP Forms: Form Security | fortystones share: Blog this! Bookmark on Delicious Digg this post Recommend on Facebook Buzz it up share via [...]
[...] our previous stones, it is highly recommended you go through them first: Inserting, Retrieving and Security. The scripts that you saw in our previous stones were solely for introduction purposes only; we [...]
[...] PHP Forms: Form Security | fortystonesJun 18, 2011 … In my last two php posts, I showed you how to insert and retrieve values from the database. In the scripts done in those stones, we have not … [...]
epae [url=http://www.honmonobaggusaishin.com/]mcm[/url][url=http://www.mcmutsukushiibag.com/]mcm 財布[/url][url=http://chloechiipubag.harisen.jp/]クロエ バッグ[/url][url=http://chloebagnesage.shin-gen.jp/]クロエ アウトレット[/url][url=http://chloebaggukan.aikotoba.jp/]クロエ アウトレット[/url] efny
[url=http://www.honmonobaggusaishin.com/]mcm 財布[/url][url=http://www.mcmutsukushiibag.com/]mcm 店舗[/url][url=http://chloechiipubag.harisen.jp/]chloe 財布[/url][url=http://chloebagnesage.shin-gen.jp/]chloe 財布[/url][url=http://chloebaggukan.aikotoba.jp/]クロエ[/url] pmzi
[url=http://www.honmonobaggusaishin.com/]mcm 店舗[/url][url=http://www.mcmutsukushiibag.com/]mcm 財布[/url][url=http://chloechiipubag.harisen.jp/]chloe 財布[/url][url=http://chloebagnesage.shin-gen.jp/]chloe 財布[/url][url=http://chloebaggukan.aikotoba.jp/]クロエ アウトレット[/url] edmr
[url=http://www.honmonobaggusaishin.com/]mcm 店舗[/url][url=http://www.mcmutsukushiibag.com/]mcm[/url][url=http://chloechiipubag.harisen.jp/]クロエ[/url][url=http://chloebagnesage.shin-gen.jp/]chloe 財布[/url][url=http://chloebaggukan.aikotoba.jp/]chloe バッグ[/url] clcp
[url=http://www.honmonobaggusaishin.com/]mcm 店舗[/url][url=http://www.mcmutsukushiibag.com/]mcm 財布[/url][url=http://chloechiipubag.harisen.jp/]クロエ バッグ[/url][url=http://chloebagnesage.shin-gen.jp/]クロエ 財布[/url][url=http://chloebaggukan.aikotoba.jp/]クロエ 財布[/url] xoit
nlag
gyco
ribh [url=http://www.honmonobaggusaishin.com/][/url][url=http://www.mcmutsukushiibag.com/][/url][url=http://chloechiipubag.harisen.jp/][/url][url=http://chloebagnesage.shin-gen.jp/][/url][url=http://chloebaggukan.aikotoba.jp/][/url]
xtur [url=http://www.ryuukouraybanuresuji.com/]ray ban サングラス[/url] [url=http://www.daininkibagkakuyasu.com/]mcm[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban [/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban メガネ[/url] [url=http://www.annkaraybandaininki.com/]ray ban [/url] mnht
[url=http://www.ryuukouraybanuresuji.com/]ray ban メガネ[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban [/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban [/url] [url=http://www.annkaraybandaininki.com/]ray ban 眼鏡[/url] zwtz
[url=http://www.ryuukouraybanuresuji.com/]ray ban 眼鏡[/url] [url=http://www.daininkibagkakuyasu.com/]mcm[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban メガネ[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban サングラス[/url] [url=http://www.annkaraybandaininki.com/]ray ban メガネ[/url] ztnf
[url=http://www.ryuukouraybanuresuji.com/]ray ban 眼鏡[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban 眼鏡[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban メガネ[/url] [url=http://www.annkaraybandaininki.com/]ray ban サングラス[/url] aisd
[url=http://www.ryuukouraybanuresuji.com/]ray ban サングラス[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban 眼鏡[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban 眼鏡[/url] [url=http://www.annkaraybandaininki.com/]ray ban [/url] xmrs
cmzo
noor [url=http://www.ryuukouraybanuresuji.com/]レイバン サングラス 2013[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ 店舗[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban 格安[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban 新作[/url] [url=http://www.annkaraybandaininki.com/]ray ban 眼鏡 激安[/url] bpus
[url=http://www.ryuukouraybanuresuji.com/]レイバン サングラス アウトレット[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ 通販[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban 激安[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban 新作[/url] [url=http://www.annkaraybandaininki.com/]ray ban 眼鏡 激安[/url] ghpj
[url=http://www.ryuukouraybanuresuji.com/]レイバン サングラス 2013[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ 店舗[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban 通販[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban 新作[/url] [url=http://www.annkaraybandaininki.com/]ray ban 眼鏡 格安[/url] rkpo
[url=http://www.ryuukouraybanuresuji.com/]レイバン 2013[/url] [url=http://www.daininkibagkakuyasu.com/]mcm バッグ 通販[/url] [url=http://www.uresujiraybanhoshii.com/]ray ban 激安[/url] [url=http://www.jyouhinnraybansyoppu.com/]ray ban 眼鏡 アウトレット[/url] [url=http://www.annkaraybandaininki.com/]ray ban 眼鏡 新作[/url] yuzr
nnkd [url=http://www.ryuukouraybanuresuji.com/][/url] [url=http://www.daininkibagkakuyasu.com/][/url] [url=http://www.uresujiraybanhoshii.com/][/url] [url=http://www.jyouhinnraybansyoppu.com/][/url] [url=http://www.annkaraybandaininki.com/][/url]
mfms [url=http://www.uresujibaggukireii.net/]ferragamo 靴[/url][url=http://www.honmonobagmabushii.biz/]フェラガモ 財布[/url][url=http://www.teirenshoeskan.com/]mbt シューズ[/url][url=http://www.fasshonshoesmabushii.net/]ニューバランス[/url][url=http://www.tokukakubuutsumabushii.biz/]ニューバランス 996[/url] ogie
[url=http://www.uresujibaggukireii.net/]フェラガモ バッグ[/url][url=http://www.honmonobagmabushii.biz/]フェラガモ バッグ[/url][url=http://www.teirenshoeskan.com/]mbt 激安[/url][url=http://www.fasshonshoesmabushii.net/]ニューバランス 574[/url][url=http://www.tokukakubuutsumabushii.biz/]ニューバランス[/url] skau
[url=http://www.uresujibaggukireii.net/]ferragamo 靴[/url][url=http://www.honmonobagmabushii.biz/]フェラガモ[/url][url=http://www.teirenshoeskan.com/]mbt 激安[/url][url=http://www.fasshonshoesmabushii.net/]ニューバランス[/url][url=http://www.tokukakubuutsumabushii.biz/]ニューバランス 1300[/url] emzd
[url=http://www.uresujibaggukireii.net/]ferragamo 靴[/url][url=http://www.honmonobagmabushii.biz/]フェラガモ バッグ[/url][url=http://www.teirenshoeskan.com/]mbt 靴[/url][url=http://www.fasshonshoesmabushii.net/]ニューバランス 574[/url][url=http://www.tokukakubuutsumabushii.biz/]ニューバランス 574[/url] tiij
[url=http://www.uresujibaggukireii.net/]フェラガモ 財布[/url][url=http://www.honmonobagmabushii.biz/]フェラガモ バッグ[/url][url=http://www.teirenshoeskan.com/]mbt ウォーキング[/url][url=http://www.fasshonshoesmabushii.net/]ニューバランス[/url][url=http://www.tokukakubuutsumabushii.biz/]ニューバランス 574[/url] rlnh
ezly
klfn
inal [url=http://www.uresujibaggukireii.net/]iphoneケース
[/url][url=http://www.honmonobagmabushii.biz/]修理
[/url][url=http://www.teirenshoeskan.com/]ハンドバッグ
[/url][url=http://www.fasshonshoesmabushii.net/]セール
[/url][url=http://www.tokukakubuutsumabushii.biz/]待ち受け
[/url]
mmhp [url=http://www.demira.org/coachseru.html]コーチ バッグ[/url] [url=http://www.chamberware.com/guccisafu.html]グッチ[/url] [url=http://www.itosweb.com/louis-vuitton.html]ヴィトン[/url] [url=http://www.agrimed.net/rayban.html]レイバン サングラス[/url] [url=http://ralphlaurenannka.webnode.jp/]ラルフローレン 店舗[/url] bvvx
[url=http://www.demira.org/coachseru.html]コーチ バッグ[/url] [url=http://www.chamberware.com/guccisafu.html]グッチ[/url] [url=http://www.itosweb.com/louis-vuitton.html]ヴィトン[/url] [url=http://www.agrimed.net/rayban.html]レイバン サングラス[/url] [url=http://ralphlaurenannka.webnode.jp/]ラルフローレン 店舗[/url] mpty
[url=http://www.demira.org/coachseru.html]コーチ 財布[/url] [url=http://www.chamberware.com/guccisafu.html]グッチ 財布[/url] [url=http://www.itosweb.com/louis-vuitton.html]vuitton 財布[/url] [url=http://www.agrimed.net/rayban.html]レイバン サングラス[/url] [url=http://ralphlaurenannka.webnode.jp/]ラルフローレン[/url] gyyz
[url=http://www.demira.org/coachseru.html]コーチ[/url] [url=http://www.chamberware.com/guccisafu.html]グッチ バッグ[/url] [url=http://www.itosweb.com/louis-vuitton.html]ヴィトン[/url] [url=http://www.agrimed.net/rayban.html]レイバン メガネ[/url] [url=http://ralphlaurenannka.webnode.jp/]ラルフローレン[/url] ahwo
[url=http://www.demira.org/coachseru.html]コーチ 財布[/url] [url=http://www.chamberware.com/guccisafu.html]グッチ バッグ[/url] [url=http://www.itosweb.com/louis-vuitton.html]vuitton 財布[/url] [url=http://www.agrimed.net/rayban.html]レイバン 眼鏡[/url] [url=http://ralphlaurenannka.webnode.jp/]ラルフローレン 通販[/url] uudw
oijp
inqq
syis [url=http://www.demira.org/coachseru.html][/url] [url=http://www.chamberware.com/guccisafu.html][/url] [url=http://www.itosweb.com/louis-vuitton.html][/url] [url=http://www.agrimed.net/rayban.html][/url] [url=http://ralphlaurenannka.webnode.jp/][/url]
kbvz [url=http://www.baghanbaichuu.com/]tory burch 店舗[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch 靴[/url] [url=http://www.nesagebaggudaininki.com/]ポールスミス 財布[/url] [url=http://www.chiipubagkawaii.com/]ポールスミス 財布[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 靴[/url] znpa
[url=http://www.baghanbaichuu.com/]tory burch 靴[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch[/url] [url=http://www.nesagebaggudaininki.com/]paul smith 財布[/url] [url=http://www.chiipubagkawaii.com/]ポールスミス 財布[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 財布[/url] rald
[url=http://www.baghanbaichuu.com/]tory burch バッグ [/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch 財布[/url] [url=http://www.nesagebaggudaininki.com/]ポールスミス[/url] [url=http://www.chiipubagkawaii.com/]ポールスミス 財布[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 店舗[/url] bqcj
[url=http://www.baghanbaichuu.com/]tory burch[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch[/url] [url=http://www.nesagebaggudaininki.com/]ポールスミス[/url] [url=http://www.chiipubagkawaii.com/]ポールスミス[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 店舗[/url] kaet
[url=http://www.baghanbaichuu.com/]tory burch[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch 店舗[/url] [url=http://www.nesagebaggudaininki.com/]paul smith 財布[/url] [url=http://www.chiipubagkawaii.com/]paul smith 財布[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ バッグ [/url] vhss
vgaz
vcnp [url=http://www.baghanbaichuu.com/]tory burch バッグ 店舗[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch バッグ 通販[/url] [url=http://www.nesagebaggudaininki.com/]paul smith アウトレット[/url] [url=http://www.chiipubagkawaii.com/]paul smith バッグ レディース[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 靴 通販[/url] qmta
[url=http://www.baghanbaichuu.com/]tory burch バッグ 2013[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch バッグ 新作[/url] [url=http://www.nesagebaggudaininki.com/]paul smith バッグ アウトレット[/url] [url=http://www.chiipubagkawaii.com/]paul smith バッグ レディース[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 靴 新作[/url] kbtg
[url=http://www.baghanbaichuu.com/]tory burch バッグ トート[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch バッグ 通販[/url] [url=http://www.nesagebaggudaininki.com/]paul smith バッグ 2013[/url] [url=http://www.chiipubagkawaii.com/]paul smith バッグ メンズ[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 靴 通販[/url] tkmm
[url=http://www.baghanbaichuu.com/]tory burch バッグ 店舗[/url] [url=http://www.gekiyasubaggunosekai.com/]tory burch バッグ 通販[/url] [url=http://www.nesagebaggudaininki.com/]paul smith アウトレット[/url] [url=http://www.chiipubagkawaii.com/]paul smith バッグ レディース[/url] [url=http://www.choubibaggukireii.com/]トリーバーチ 靴 新作[/url] pjyi
etpp [url=http://www.baghanbaichuu.com/][/url] [url=http://www.gekiyasubaggunosekai.com/][/url] [url=http://www.nesagebaggudaininki.com/][/url] [url=http://www.chiipubagkawaii.com/][/url] [url=http://www.choubibaggukireii.com/][/url]
doxt [url=http://www.fasshonshoesyoppu.com/]エアマックス2013[/url] [url=http://www.saishinbuutsudaininki.net/]air max[/url] [url=http://www.ryuukoubuutsuheyokoso.org/]エアマックス[/url] [url=http://www.osharebuutsukakuyasu.net/]air max[/url] [url=http://www.tokukakubuutsunihonn.biz/]air max2013[/url] iabj
[url=http://www.fasshonshoesyoppu.com/]air max[/url] [url=http://www.saishinbuutsudaininki.net/]エアマックス2013[/url] [url=http://www.ryuukoubuutsuheyokoso.org/]air max[/url] [url=http://www.osharebuutsukakuyasu.net/]air max2013[/url] [url=http://www.tokukakubuutsunihonn.biz/]エアマックス2013[/url] ejac
[url=http://www.fasshonshoesyoppu.com/]エアマックス2013[/url] [url=http://www.saishinbuutsudaininki.net/]air max2013[/url] [url=http://www.ryuukoubuutsuheyokoso.org/]エアマックス[/url] [url=http://www.osharebuutsukakuyasu.net/]air max2013[/url] [url=http://www.tokukakubuutsunihonn.biz/]air max[/url] tgny
[url=http://www.fasshonshoesyoppu.com/]air max2013[/url] [url=http://www.saishinbuutsudaininki.net/]エアマックス2013[/url] [url=http://www.ryuukoubuutsuheyokoso.org/]air max2013[/url] [url=http://www.osharebuutsukakuyasu.net/]air max[/url] [url=http://www.tokukakubuutsunihonn.biz/]エアマックス2013[/url] adru
[url=http://www.fasshonshoesyoppu.com/]エアマックス2013[/url] [url=http://www.saishinbuutsudaininki.net/]air max2013[/url] [url=http://www.ryuukoubuutsuheyokoso.org/]エアマックス2013[/url] [url=http://www.osharebuutsukakuyasu.net/]エアマックス[/url] [url=http://www.tokukakubuutsunihonn.biz/]エアマックス[/url] xrlw
lubq
brsn
fxsy [url=http://www.fasshonshoesyoppu.com/]リュック
[/url] [url=http://www.saishinbuutsudaininki.net/]バッグ マディソン
[/url] [url=http://www.ryuukoubuutsuheyokoso.org/]セール
[/url] [url=http://www.osharebuutsukakuyasu.net/]ピンク
[/url] [url=http://www.tokukakubuutsunihonn.biz/]ジュエリー
[/url]
Have you ever thought about including a little bit more
than just your articles? I mean, what you say is valuable and everything.
But just imagine if you added some great visuals or video clips to give your
posts more, “pop”! Your content is excellent but with pics
and video clips, this site could certainly be one of the greatest in its field.
Amazing blog!
Why people still use to read news papers when in this technological globe the whole
thing is presented on net?
Greetings from Ohio! I’m bored at work so I decided to browse your website on my iphone during lunch break. I enjoy the information you provide here and can’t wait to take a look
when I get home. I’m surprised at how fast your blog loaded on my phone .. I’m not even using
WIFI, just 3G .. Anyways, fantastic blog!