NogDog wrote:Any white-list filtering and/or validation would come before your call to $CommentDAO->addComment($_POST);.
And after (probably immediately after, since you'd probably want to add a message to the errors array that you later count) your checks to see if the user has filled in those fields. (Incidentally, for both that and the earlier checks, you might find using [man]empty[/man] to be more concise than [man]isset[/man] and [man]count[/man].)
Validating the name will mean checking [font=monospace]$_POST['naam'][/font] again, which still might not be set. That would cause trouble when you try to do any more validation. There are two ways of dealing with the situation:
1)
if(isset($_POST['naam']) && $_POST['naam'] != "")
{
// validate the name
}
which means either doing the same test twice, or doing the test once and storing the result in a variable, or doing name validation at the same time that you check that it's not empty (before going on to check the message) - putting the extra validation tests into else branches ("if $_POST['naam'] is empty, complain about that, else check it against the whitelist").
2)
Start by setting unset POST variables to have empty values.
if(!isset($_POST['naam']))
{
$_POST['naam'] = "";
}
Then the test to see if the variable is empty can just be [font=monospace]if($_POST['naam'] == "")[/font] and other validation tests can be made without worrying about whether the variable is set.
Since there are a bunch of variables that need to be non-empty, the above snippet would need to be repeated. If you're repeating stuff then that's a hint that you're doing something wrong (repeating stuff should be the computer's job). The fact is that you can set default (empty, and therefore invalid) values for name, message and the rest in one line:
$_POST += array('naam' => '', 'bericht' => '' ....);
(See the array + operator.) Do that before you start any of your validation and you won't have to worry later if the variables you're validating are set or not (and the repetition that still exists in that line can be eliminated by using the [man]array_fill_keys[/man] function).
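As an added example (not code from the thread), here is how the one-line defaulting, the required-field checks and a whitelist check on the name fit together before anything reaches the DAO; $CommentDAO->addComment() is taken from the thread, while the 'email' field and the character whitelist are assumptions.

```php
<?php
// Added example, not from the thread. Assumed: $CommentDAO exists and has addComment(),
// and the form has the fields below ('email' is an assumption, the other two come from the thread).
$fields = array('naam', 'email', 'bericht');

// array_fill_keys() builds array('naam' => '', 'email' => '', 'bericht' => '');
// the array + operator only adds keys that are missing, so submitted values are kept.
$_POST += array_fill_keys($fields, '');

$errors = array();

// Required-field checks: every key now exists, so no isset() is needed.
foreach ($fields as $field) {
    if (trim($_POST[$field]) === '') {
        $errors[] = "Field '$field' is required.";
    }
}

// Whitelist check on the name (letters, spaces, hyphens, apostrophes, max 60 chars),
// done only when the field was filled in, so an empty name is reported just once.
if (trim($_POST['naam']) !== ''
    && !preg_match('/^[\p{L} \'\-]{1,60}$/u', $_POST['naam'])) {
    $errors[] = 'Name contains characters that are not allowed.';
}

if ($_POST['email'] !== ''
    && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'E-mail address is not valid.';
}

if (count($errors) === 0) {
    // Hand the DAO only the expected keys, not everything the client chose to send.
    $comment = array_intersect_key($_POST, array_flip($fields));
    $CommentDAO->addComment($comment);
} else {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```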