Form input validation

Anon

Hey, I want to hear input as to how you all check your form inputs before passing them along to the rest of the script. As I use them, there are about three different types of filters I may have to apply to the inputs. If I am passing the input to SQL, check for special tSQL characters, likewise if I am running an 'exec' off them, and the third being checking for special HTML characters that I imagine my PHP script would convert and then pass along.

I always check for ;'s and if I am running an exec I check for '&&' and '||' as well. Of course I check string length as well.

For SQL statements, usually just making sure that my sql is written correctly seems to do the trick (enclosing all variables with ' ') and html is smart enough to add in the preceeding \'s so special characters are just treated as text.

So, how do you validate your form code, am I missing any characters? What are the, if any, HTML codes for ; && || (like %20 = space)???

cheald

I typically just do a strip_tags() on incoming data - so far, nothing I'm using is being executed. Just data that's formatted and spit back out to the screen. Haven't had problems yet!

Anon

That's all fine and dandy... until...
I am talking about all this for security purposes. For example, just this morning I was examing the login page for one of my main login sites. The login runs an 'exec' and passes the username and password to a perl script that authorizes against the linux computers passwd file. I noticed that this login page was not checking user input!! Serious No-no. So, just for kicks, I wanted to see how dangerous this thing was. I tried putting in a username and password (didn't even have to be a valid one) and tacked a " ; mail toddm < /etc/passwd" onto the end of it. Sure enough, the ; started a new command and mailed me my machine's passwd file!! Extremely dangerous. && as well as || have very similar function in a unix command shell too. So, I added a filter for that, and am curious how everybody else out in php land deals with these issues, and not just for command line arguements, but databases as well.
Keep those posts coming! I am curious how everbody does this.

Anon

Well I just write a function that checks the database for the exact username password pair. If it is not in the database nothing happens except a message that is printed. If the getrow function doesn't find an exact database match no other code can work. The script ends and the message is printed.

Is this not good enough?