PHP Forms security

What are some tips you know about adding security to processing forms such as registration forms, generators, login forms, contact forms, etc? This is because I am thinking that a basic PHP form can be too unsecured from exploits such as spam submitting, spam registration, etc..

 

Never trust your users, Validate everything, Initialize your variables, Check user privileges on every page if you're using access control, Understand XSS, Understand SQL Injection, Do not display PHP errors to users, Turn off register_globals (defaulted to off in php 4.2.0+), CAPTCHA for spam.

 

I looked up XSS and SQL Injection and found some loopholes in my SQL forms and codings. But it is possible to do an SQL Injection through my forms.

Here's my filtering function

<?

//login $_POST['username']
//password $_POST['password']

//I passed $_POST through smart_quotes first before sending to SQL query.

//$_POST=mcheck($_POST)

//after mcheck(), do the SQL queries...


function mcheck($value) {
	if(is_array($value)) {
		if(get_magic_quotes_gpc()) {
			$value=array_map("stripslashes",$value);
			}
		if(!array_map("is_numeric",$value)) {
			$value=array_map("mysql_real_escape_string",$value);
			}
		}
	else {
		if(get_magic_quotes_gpc()) {
			$value=stripslashes($value);
			}
		if(!is_numeric($value)) {
			$value="'" . mysql_real_escape_string($value) . "'";
			}
		}
	return $value;
	}
?>

PHP:

I don't know if I am doing it right, can you explain what I have wrong?

 

Here's my SQL query

$sql="SELECT * FROM members WHERE `username`='$username' AND `password`='$password";

PHP:

 

anytime you use a variable to update a piece of a mysql_query, USE mysql_real_escape_string ON EVERY VARIABLE that the user has an opportunity to manipulate!

IE
mysql_query("SELECT * FROM books WHERE book_title = '".mysql_real_escape_string($_POST['book_title'])."'");

 

Oh, also, never output and input variable to the output (like as an error). This opens it up for XSS

 

The variable is passed through my function shown above which calls the mysql_real_escape_string() but I can still do an SQL injection.

 

This libary gathers together various open source pieces into an app which can be included into the top level of a PHP app and which then tries to purify all input variables.

I have not thoroughly tested it against MySql injection and would be interested to know if it also solves that problem. The link is http://www.stat-communications.com/security/

 

How is injection still available through that. I can understand XSS Flaw, definately, but Injection?!?!?!?

 

With the mysql_real_escape_string() passed, I entered something like

<script>alert("hello")</script>

Code (markup):

as a username which shows up a javascript error on the window and popups the alert box.

 

mysql_real_escape_string() is enough for queries but before you print that, use "htmlspecialchars();" or "htmlentities();".

For example:

echo htmlspecialchars($username);

 

Some general security tips:

create two functions for untrusted data:

one that puts it through mysql_real_escape_string() before using it in database queries
one that puts it through htmlentities() before outputting it

Always use them whenever you deal with untrusted information.

Also, never code with register_globals on. If your server must have register_globals on, always have unique names for session variables (such as SESS_varname) and always declare a variable before using it (ex: $output = ''; $output .= 'hello!'; )

 

register_globals is something like www.website.com/login.php?username=something&password=something, etc..etc..?

 

No, you can use $_GET['varname']; and $_POST['varname']; to access variables sent to your script with register globals off.

More reading:

http://ca.php.net/manual/en/reserved.variables.php#reserved.variables.get

http://ca.php.net/register_globals

 

Best to probably use strip_tags() as well as mysql_escape_string() if you do not wish them to enter Javascript or HTML characters.

 

Collect the IP addresses of submissions using:

$ip = $_SERVER['REMOTE_ADDR'];

Code (markup):

 

if you have root access to your server, a good thing to do is install mod_security . It helps tons with spam via forms

 

hmmmmmmmmm, that really helping stuff bcoz i m learning PHP & this will help me alot.

 

Give me a PM when you have secured your box, I can get my team to scan it free of charge. ( just for a curiosity point for the members of the forums ) as we can test before and after effects of mod_security with default security rules.

 

download a php validation class from phpclasses.org