Hi, I have a very basic HTML form:

<form action="url/script.php" method="post">
Input: <select name="name">
<option value="324">324</option>
. . .

Now script.php takes the information:

$name = $_POST['name'];

The problem I see is that anyone can put this form on their site, change the value and then submit it. Then he would have script.php with a variable that he defined (which could be anything!). I am very bad and new in PHP, so I was just wondering if this is a security risk? Can this somehow be exploited? Thank you very much in advance!
Yes, it can be exploited (in this case) only if you are using these values from the form in a database query. And yes also, if you want to display this data on the page later on.
In this case I protect the form by using a token. I will add a token textbox to the form:

<input type="text" name="token" />

In script.php, I will add a checking statement at the beginning of the script:

if ($_POST['token'] != 'my token string') die();
Can you explain this in more detail for me please? What exactly does this do? Where is the value in that token? Thanks a lot in advance!
If you want to show the data from the forms in your page, then use the htmlspecialchars function before displaying the data. Like this:

$name = htmlspecialchars($_POST['name']);

And if you are going to use the data in an SQL query then use mysql_escape_string:

$name = mysql_escape_string($_POST['name']);

Hope it helps.
I use the variable in an SQL query. What does mysql_escape_string do? I looked on the site on the link and didn't understand a thing. Can you please explain it in simple terms? I would appreciate it a lot! Also, the function is deprecated, so I guess I should use something else? Is there a way to set a variable in a form that is sent upon submit but not visible to the visitor (not even in the source code in the browser)? Or any other solution to protect this form... Thank you in advance!
Oh sorry, actually mysql_real_escape_string is the recommended function to use now. It makes your PHP script safe from what is known as SQL Injection attacks. Read about it here. These functions will be enough (in almost all cases) to avoid any problems due to usage of data from the forms.
A security token is a random string that you make by using this script:

<?php print(uniqid()); ?>

We force the user to enter the security token in order to submit the form. In the script, we check the entered token against the defined one.
Thank you both! So if I understand correctly, instead of using:

$name = $_POST['name'];

I should use:

$name = mysql_real_escape_string($_POST['name']);

Is this correct or am I getting something wrong? Does this put any big extra load on the server? Or should I simply do this for all my $_GET, $_POST, and $_COOKIE functions? I appreciate your help a lot! Thank you.
I have replaced POST with GET. Does this change anything from a security point of view? I am now using:

$name = mysql_real_escape_string($_GET['name']);

Is this correct usage? Thank you in advance!
The main difference between GET and POST is that the values passed using GET can be modified from the address bar as well, i.e. the data is passed as part of the URL. Example: www.example.com/test.php?id=32&name=Hassan (where id and name are the field names). However, in the case of POST, the URL remains unchanged. For more information, this article might be very helpful. That said, yes, your usage is correct. GET and POST are used for different purposes. And no, don't worry, it doesn't put any extra load on the server. It's just a function. One thing more: don't just apply this function to all the data, only to those values which you will need to use in a database query later on.
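The advice above relies on mysql_real_escape_string, which the thread already notes is from a deprecated extension. The following is an added example, not code from any poster in this thread, showing how the same <select name="name"> value is handled today: an allowlist check (the form only ever offers known option values, so anything else is a tampered request), a PDO prepared statement instead of string escaping, and htmlspecialchars for output. The table and column names (`items`, `id`, `label`), the DSN and credentials, and the allowed values other than 324 are assumptions for illustration.

```php
<?php
// Added example (not from any post in this thread). Table `items` with columns
// `id` and `label`, plus the DSN/credentials, are hypothetical placeholders.
declare(strict_types=1);

// Constructed sample: mirror the <option value="..."> list of your real form.
const ALLOWED_NAMES = ['324', '325', '326'];

function validateName(array $request): ?string
{
    $name = $request['name'] ?? null;
    if (!is_string($name)) {
        return null;
    }
    // Strict allowlist: the client can send any bytes, only known values pass.
    return in_array($name, ALLOWED_NAMES, true) ? $name : null;
}

function lookupItem(PDO $db, string $name): ?array
{
    // Prepared statement: the value travels separately from the SQL text,
    // so no quoting/escaping function is needed and the value cannot alter the query.
    $stmt = $db->prepare('SELECT id, label FROM items WHERE id = :id');
    $stmt->execute([':id' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderLabel(string $label): string
{
    // Output escaping for an HTML context; ENT_QUOTES also covers attribute values.
    return htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- usage: works the same whether the form uses method="post" or method="get" ---
$source = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
$name = validateName($source);
if ($name === null) {
    http_response_code(400);
    exit('Invalid selection.');
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

$item = lookupItem($db, $name);
echo $item === null ? 'Not found.' : 'You chose: ' . renderLabel($item['label']);
```

Because the allowlist runs first, the question of "what about values not used in a query" is answered the same way: a value that is not one of the form's own options is rejected before it is used anywhere.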
Thank you! What about those that are not used in a DB query? Can maybe a hacker inject a whole SQL query function through the form?
Don't forget to look at request forgery. If you do not properly validate an action, attackers could do something like this: <img src="http://mysite.com/delete_post/4" style="display:none"> and this forces the user to delete his own post without even knowing it. And because the user himself is being forced to do that, login validation is just not enough. Just migrating to POST is not enough either. To solve this, one alternative is to send a token with the form (through a hidden input for example) that will be validated on the inside. So the attack will fail since the attacker doesn't know the token. And even if he discovers it, he would affect just one user, and the token can be changed after some time or after each login.
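The token approach suggested in two of the posts above (a fixed 'my token string' checked with !=, and a per-user token in a hidden input) can be put together as follows. This is an added example, not code from any poster: the token is generated per session with a CSPRNG, carried in a hidden field, compared in constant time, and rotated on login. A hidden field is still visible in the page source, which is fine; the protection comes from the value being unpredictable and tied to the victim's session, so a third-party page (such as the hidden <img> above) cannot supply it. The file name script.php and the single <option> are taken from the thread; everything else is illustrative.

```php
<?php
// Added example (not from any post in this thread): per-session anti-CSRF token.
declare(strict_types=1);

session_start();

function csrfToken(): string
{
    // Generate once per session from a CSPRNG: 32 random bytes -> 64 hex characters.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    // Hidden input carrying the token; escaped even though the value is hex.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $post): bool
{
    $sent = $post['token'] ?? '';
    if (!is_string($sent) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // Constant-time comparison instead of !=, so the check leaks no timing information.
    return hash_equals($_SESSION['csrf_token'], $sent);
}

function rotateCsrfToken(): void
{
    // Call after a successful login (and optionally after each accepted submission);
    // the next csrfToken() call issues a fresh value.
    unset($_SESSION['csrf_token']);
}

// --- rendering the form (GET request) ---
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo '<form action="script.php" method="post">'
       . csrfField()
       . '<select name="name"><option value="324">324</option></select>'
       . '<button type="submit">Send</button></form>';
    exit;
}

// --- script.php: verify before any state-changing action ---
if (!csrfValid($_POST)) {
    http_response_code(403);
    exit('Invalid or missing token.');
}
// Only past this point may the delete/update the form triggers be performed.
```

A request forged from another site arrives without a token that matches the victim's session (the <img> trick above cannot even send a POST body), so csrfValid() returns false and the action is never reached; rotateCsrfToken() at login implements the "changed after each login" suggestion.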