[RESOLVED] Validation/Security checkng before sending form

burnside

Hi, I have a processing php page that will send the inputs from a form to another server. I already do some validation on the variables using regular expressions, but what else should I do to further bulletproof the submission of the data? Any ideas?

Thanks
b

sneakyimp

That's a pretty general question. I doubt you'll get a meaningful answer, but I'll try.

Keep in mind that all form inputs arrive in PHP as strings -- except when somebody uploads a file using your form. That you are using regular expressions to check them sounds like a good idea -- especially if you are checking each and every single one, including 1's versus zeros for checkboxes/radio buttons, etc.

Other things you should consider are what is done with the data once you are sure it matches what you want. Do you insert it into a database? If so, use prepared statements or [man]mysql_real_escape_string[/man] or some similar escape function to properly escape quote characters and stuff.

If you're writing it to a file, make sure the filename doesn't come from user input -- or if it does, make sure it's not some sensitive file like /etc/passwd or something.

Also, is it too long? Be careful of buffer overflows -- this happens when hackers send excessively long input to your functions which cause a buffer to be overwritten so they can illegally write memory they shouldn't be writing. You might want to check the length of user input to avoid this kind of thing.

It all depends on what you do with it. There's a million things to watch for.

burnside

Thanks for the guidance sneakypimp. How about if I take those inputs and send them via email? Do you think the function below is good enough? I would have run my regular expressions on each input before sending them to this function:

function emailCleaner($input) { 
	$headers = array("/to\:/i","/from\:/i","/bcc\:/i",
				 "/cc\:/i","/Content\-Transfer\-Encoding\:/i",
				 "/Content\-Type\:/i","/Mime\-Version\:/i");

$input = preg_replace($headers, '', $input);
return clean_data($input, "text email");
}

sneakyimp

You are showing me just one tiny bit of your code. I don't particularly want to read all of it as it's already looking pretty involved. It looks like you are trying to remove varies headers from a particular input to prevent someone injecting headers through a user-submitted email address.

Rather than removing those headers, I would try to get a regex that determines if the email address submitted matches a simple email address rather than trying to remove headers. Google around and you can probably find a good one.

Again, it all depends on what you are doing with it. You need to be more specific in your questions.

burnside

Sorry man, I'm just trying to do the following steps which I'll clarify:

Send the data from a form to another server for processing. I'm doing some validation before the data is sent to the server via fsockopen.
Validate that the received data that was sent is correct (like a phone number is a 10 digit number and a person's name only contains certain characters). I'm accomplishing this with preg_match. I don't think it is overkill to validate data on the original website and then again on the server which will do the processing. What do you think?
Take the data and store it in the database. In this step I will for sure use mysql_real_escape_string and prepared statements (by the way, do I need to do both or is it overkill). Also in this step, should I do any addslashes before storing it in the db? For example, a string that says [He's going to "Best Buy" after work.] I'd want to retain the single and double quotes.
Take the data and send it in an email. Here I want to make sure that the data does not "break" the email to be sent. That's where the headers function you saw come in. At the same time, I'd like single and double quotes to be read in the email.

I think that's it. I just want to be as secure as possible (or to my limits) because this code will be used by many clients. The more bulletproof it is now, the better. Any help on how to accomplish this would be AWESOME.

Thanks,
b

laserlight

burnside wrote:
1. Send the data from a form to another server for processing. I'm doing some validation before the data is sent to the server via fsockopen.

Validate that the received data that was sent is correct (like a phone number is a 10 digit number and a person's name only contains certain characters). I'm accomplishing this with preg_match. I don't think it is overkill to validate data on the original website and then again on the server which will do the processing. What do you think?

Unless you can guarantee that the source will always perform the check correctly (i.e., no one can tamper with the script) and transmit the data cryptographically signed or over a secure network, doing the check again on the destination server is pretty much a must.

burnside wrote:
3. Take the data and store it in the database. In this step I will for sure use mysql_real_escape_string and prepared statements (by the way, do I need to do both or is it overkill). Also in this step, should I do any addslashes before storing it in the db? For example, a string that says [He's going to "Best Buy" after work.] I'd want to retain the single and double quotes.

If you use prepared statements then you should not be using a separate escaping function because you will then store the data in its escaped form instead of storing it in its original form (which is one of the reasons for apply an escaping function). You should not be using addslashes() at all.

burnside wrote:
4. Take the data and send it in an email. Here I want to make sure that the data does not "break" the email to be sent. That's where the headers function you saw come in. At the same time, I'd like single and double quotes to be read in the email.

If you are sending email as (X)HTML then you should use [man]htmlspecialchars/man or [man]htmlentities/man, and [man]urlencode/man in the case of URLs. But if you are sending it as plain text then there should be nothing to escape.

burnside

Awesome laserlight. So for storing data in a db using prepared statements, nothing needs to be done like escaping or addslashes? Could you tell me why? I totally believe you, but I guess I don't get the concept.

laserlight

burnside wrote:
So for storing data in a db using prepared statements, nothing needs to be done like escaping or addslashes? Could you tell me why? I totally believe you, but I guess I don't get the concept.

When you concatenate a value with an SQL statement, the data and the SQL statement are together, thus you need to escape special characters in the data that would otherwise alter the meaning of the SQL statement, or render it syntactically incorrect. With prepared statements, the SQL statement is first prepared, then the data is bound to the parameters, so the data and the SQL statement are separate and there is no danger of the data being interpreted as part of the SQL statement. Since parameter types are typically given when preparing the statement, even the types of the parameter are known and do not have to be inferred from the syntax.

burnside

Thanks for all the pointers laserlight. I get the prepared statements now. I'm glad I'm using them.

Here's my next question. I tested my form by sending an input that I typed as:

This isn't "rocket" science.

When I sent this variable in a plain text email, I got this:

This isn\\'t a \\"rocket\\" science.

So I must do something with the variable before sending it out, correct? Maybe stripslashes?

laserlight

The implication is that you have say, magic_quotes_gpc turned on (turn it off), and then you used mysql_real_escape_string() or something on a variable, and then you used that variable to create the contents of your email.

burnside

You beat me to it. I just found out that magic_quotes_gpc is on. I have hostmonster as my web host. I'll see if I can turn it off in the php.ini file.

I used urlencode on the variable before sending it via my fsockopen process. Hey, thanks for all the help today. If you get sick of me, just let me know!

Next question. I'm using fsockopen to send the data from my client websites to my hostmonster web server. What do you know about the limitations of using fsockopen. Can I run into issues of having too many sockets open using this function? Any way to check if I have too many sockets open?

Thanks bunches!

laserlight

burnside wrote:
You beat me to it. I just found out that magic_quotes_gpc is on. I have hostmonster as my web host. I'll see if I can turn it off in the php.ini file.

If you are unable to turn it off then use stripslashes() if get_magic_quotes_gpc() returns 1.

burnside

Yeah, I just added that to my script and it's working perfectly. It looks like hostmonster wants me to add a php.ini file to every subdirectory that will use form submissions. Whatever.

laserlight

If you have no more questions specific to "Validation/Security checkng before sending form", then you might want to mark this thread as resolved using the thread tools and start a new thread asking about the limitations of fsockopen().

burnside

Thanks, resolved and I'll open a new thread!