php form security

pyro13

if posting a simple php form to itself for 'POST' processing, would you advise, or think it standard practice to be using the below methods?

could anyone advise on neccessary security actions, or best practices for securing simple php forms?

// First, make sure the form was posted from a browser. 
// For basic web-forms, we don't care about anything 
// other than requests from a browser:     

if(!isset($_SERVER['HTTP_USER_AGENT'])){ 
   die("Forbidden - You are not authorized to view this page"); 
   exit; 
} 

// Attempt to defend against header injections: 
$badStrings = array("Content-Type:", 
                     "MIME-Version:", 
                     "Content-Transfer-Encoding:", 
                     "bcc:", 
                     "cc:"); 

// Loop through each POST'ed value and test if it contains 
// one of the $badStrings: 
foreach($_POST as $k => $v){ 
   foreach($badStrings as $v2){ 
       if(strpos($v, $v2) !== false){ 
           logBadRequest(); 
           header("HTTP/1.0 403 Forbidden"); 
               exit; 
       } 
   }

appreciate any help🙂

justsomeone

It's hard to say without knowing what the form will attempt to do...

Put simply, you should check every expected field on the input form to ensure that the field conforms to to the type of input you expect. For example, there are commonly available regex strings used to validate that a submitted email address, looks like a valid email address, and doesn't contain a list of email addresses etc.

If you have a list of values for a particular field, you can check the submitted value against that list. If you have a more unpredictable input field, you should have a list of characters/substrings which you don't want to be processed - this might include quote marks, slashes, semicolons, etc

You might also want to check for the length of input fields to ensure that someone's not trying to break your system with huge inputs.

It's all quite dependant on what you are trying to do.