Advanced PHP form input and general security

madhead29

Hi All I have a few php security questions. I have read of few security books that seem abit outdated and different books give different solutions. So I have a few questions:

If a user is entering there name into a form is it best to use the ctype_alpha funtion to check that they have entered just letters for there name? Or should I use preg_match to check this so I could also allow ' and - as some people may use those in there name.
Also for something like a phone number is it best to use the preg_match function to check that the user has entered the correct information e.g. only numbers, hyphens, parentheses, spaces?
GET_$['id'] is it best to use ctype_digit to check for numbers as it would be a number id?
Is the best way to check an email format using the preg_match?
Whats the best way to stop XSS (Cross Site Scripting)?
Are there any other php security hacks/problems that I should be aware of?
What tools are the out there to check for these types of attacks?
How to prevent CSRF (Cross-site request forgery) attacts?

Sorry for the way I have asked the questions but want to make them clear so anyone reading can understand which part someone is talking about. I hope new users of php will read this so they can secure there scripts. Thanks in advance.

NogDog

A lot of variables here, especially from an internationalization viewpoint where you may want to allow more than just ASCII alpha characters (plus "-" and "'"). Therefore the answer may vary from app to app depending on the specific use cases for any given app. This is therefore generally a case where I go with a "black list" of things I'm sure I don't want, and then assume that users know how to spell their names.
Non-alpha-numeric characters in a phone number are generally only for human readability. You could conceivably just strip them out with preg_replace(), then make sure you have the requisite number of characters, which again can vary depending on nationality. You can add some initial control by providing separate, numeric-only fields for area code, exchange, number and (optional) extension; then possibly concatenating them (keeping extension separate) before saving to the DB. (The preceding assumes US phone number, so again your use case may be different if you need to support international numbers.)
I usually just cast it to an integer via b[/b].
The "best" way is to use it in a validation email. 🙂 For checking the pattern, I use the pattern discussed in this article.

5-8. My reference is Essential PHP Security.

halojoy

About my name checking at Register.
I use preg_match because I can specify chars as well as min/max length.

In the script below I am rather strict.
The username must begin with one alpha char [a-z]
As I use the 'i' (case insensitive) flag at the end [A-Z] is also allowed, without I need to add it.
[a-z] ..... 1 alpha
[a-z0-9\s_] .... a number chars, alphanum and space, underscore
[a-z0-9] ...... last char is alphanum .. not space/underscore

$patt2 is to avoid double spaces or double underscores
$mn = minimum length
$mx = maximum length

$mn = 4; $mx = 20;
$patt1 = '#^[a-z][a-z0-9\s_]{'.($mn-2).','.($mx-2).'}[a-z0-9]$#i';
$patt2 = '#\s\s|__|\s_|_\s#';

Here is my full script. You can run it directly as a DEMO Test

<?php

$name = isset($_POST['name'])? $_POST['name']:'';
$mn = 4; $mx = 20;
$patt1 = '#^[a-z][a-z0-9\s_]{'.($mn-2).','.($mx-2).'}[a-z0-9]$#i';
$patt2 = '#\s\s|__|\s_|_\s#';
if(preg_match($patt1,$name) && !preg_match($patt2,$name))
	 $msg = 'okay';
else $msg = 'no';
?>
<form method="post" style="margin-top:300;text-align:center;">
<input type="text" name="name" value="<?php echo $name ?>"><br />
<input type="submit"><br /><?php echo $msg ?></form>

About numeric in $_GET.
You are right, [man]ctype_digit[/man] is very good for this.
Also of course [man]preg_match[/man] can be used.

NogDog

If one of the ctype_*() functions can get the job done, it's generally going to be more efficient than preg_match(). Not a big deal in general, but if it's functionally the same, you might as well go with the faster one.

madhead29

@ - Thanks for the reply. What function would I use to setup a black list? Also how would I allow more than ASCII using preg_match?

@ - Thanks for the reply. What preg_match code would I use to allow a-z-A-Z, spaces and -,' but also allow characters like é for international names?

Also is there any good documentation on preg_match?, as on php.net it doesnt say what rules you can use.

madhead29

Can anyone help me with this?

anakadote

You could also check out the PHP filter functions introduced in PHP 5.2. There are a lot of constants you use, but it's powerful and only a few functions, and you avoid regex.

madhead29

Hi anakadote thanks for the reply I think im going to use preg_match seems the only way to do it I know its a pain in the arse but there isnt really any other option. Was going to use the ctype functions but there not flexible enough so preg_match seems the best way.