Hi Does anyone know good site to learn some security for submiting form? I know how to do submit form script with php but I am not sure what to check when submiting form...for example text field should I check htmlspecialcharacters or trim blank spaces? something like this I wish to learn and what is the best to use for forms. thank you for any help
Its not necessary to use htmlspecialcharacters or trimming blank spaces. Not sure where your input's going to. But for string input, you can always use "isset" function to check if the input exists. Then use (string) for casting or use sprintf('%s', $input) to cast the input to string. For basic information, try this book: http://books.google.com/books?id=h-...&resnum=1&ved=0CDMQ6wEwAA#v=onepage&q&f=false Then scroll down to Chapter 7: Web Techniques. There's a topic on Form Validation. Pretty useful information. If you need more information, you can try this book: http://books.google.com/books?id=MU...wAA#v=onepage&q=php security, oreilly&f=false It has lots of security information.
It really depends on the purpose of the form, if it's taking input for an SQL database, you would need to check for SQL injection. A file upload would need to block potentially malicious file types such as .php, .cgi etc. A file manager would need to prevent access to non public directories.. the list really goes on. The best thing is to research hacking methods for your forms particular purpose, and try it on your own site, if you can crack it, patch it
I imagine you're worried about MySql inserting/updating forms. I always use two practices: 1) Block SQL injections with $newvariable = mysql_escape_string($oldvariable); and 2) Block HTML tags/javascript/etc if ill be echoing/displaying their result anywhere (so they dont do nifty popups/font sized/embed images etc) I use my own STR_REPLACE function to replace for examples ever "<" with "<." and every % with "%." if that makes sense