PHP Forms Security

  • olddocks
    New Member
    • Nov 2007
    • 26

    PHP Forms Security

    What is the best way to secure forms in PHP?

    I basically have a login system with my script and what worries me most is I directly use $_GET[$var] in MySQL queries?

    Any advice or suggestions related to securing forms is much appreciated :)
  • Anthony2oo5
    New Member
    • Jun 2007
    • 26

    #2
    I'm no expert so you might want to hold out for an expert to reply, but I have been doing this for a while.

    When I first started I used safeHTML, which seemed to do a good job and was quick at what it did.

    I'm writing a script now and I'm trying to stay away from it simply for the fact that I want to learn myself.

    I'd suggest writing a function of some sort that would get what the user is submitting, and use regex to look for things that you don't want in your database.

    The only real way to know how to secure your website, is knowing how to hack it. Maybe look on Google for some php injection tutorials and see how they work and what they look for, that way you can close the gaps.

    I would be interested to see how you get on so keep us updated.

    My opinion though, you don't want to be inserting what the user types directly into your database.


    • nathj
      Recognized Expert Contributor
      • May 2007
      • 937

      #3
      Originally posted by olddocks
      What is the best way to secure forms in PHP?

      I basically have a login system with my script and what worries me most is I directly use $_GET[$var] in MySQL queries?

      Any advice or suggestions related to securing forms is much appreciated :)
      Hi,

      I'd start by switching from GET to POST as the form method. Then the only sure fire way to secure the data as it's passed to the server is SSL. At least that's what I use and it works a treat.

      Cheers
      nathj


      • olddocks
        New Member
        • Nov 2007
        • 26

        #4
        Thanks :) I am using GET only in querying MySQL and I use only POST to insert or edit in the database.

        Looks like I need to write a function though :) hmmm...

        I guess it should be something like filtering user data. Can anybody post code for this?


        • Markus
          Recognized Expert Expert
          • Jun 2007
          • 6092

          #5
          The code won't write itself ;)

          good day.


          • helraizer1
            New Member
            • Mar 2007
            • 118

            #6
            The $_GET method is open to XSS (cross site scripting) and SQL injection, and is also easily broken because anyone can change the URL.

            So if you have to have a string for your variable, if someone types the URL as

            www.mysite.com/index.php?q=hel lo - that will work because it is searching for a string

            but, if they do

            www.mysite.com/index.php?q[] - it will return an error because the GET is expecting a string however it is getting an array thus /breaks/.

            So for that, using 'q' as the GET variable:

            [code=php]
            <?php
            // Reject the request when ?q[]=... turned the parameter into an array
            if (isset($_GET['q']) && is_array($_GET['q'])) {
                // error message: a string was expected, not an array
            }
            else {
                // code to query the database with the string in $_GET['q']
            }
            ?>
            [/code]

            Sam


            • ak1dnar
              Recognized Expert Top Contributor
              • Jan 2007
              • 1584

              #7
              Mistakenly I removed this post from the thread while removing another spam contents. Sorry about this.

              Original poster : nathj
              ==================================================

              Originally posted by olddocks

              Thanks :) I am using GET only in querying MySQL and I use only POST to insert or edit in the database.

              Looks like I need to write a function though :) hmmm...

              I guess it should be something like filtering user data. Can anybody post code for this?


              Hi,
              If I've understood this correctly you have a login form that takes user sensitive data such as a user name and password and you are submitting this via the GET method? If that is correct you really need to change it. Having such information in the URL query string is a bad idea.

              If I've mis-understood, then my apologies.

              For such things I use a form that submits data to the server via a secure connection, and this then calls a function on an object to log the user in and set up the session variables and the user object. This object directly controls the user experience of my site.

              Perhaps some research around these ideas would be time well spent.

              Cheers
              nathj
              __________________
              Keep on trying and keep on learning

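The thread's advice worked into one PHP example (added here, not code from any poster): the array check from post #6 folded into a parameter reader, the login from posts #3 and #7 done over POST with a prepared statement and a stored password hash, and, for contrast, the raw-value-in-query pattern the original question describes. The `users` table, its columns and the `$db` mysqli connection are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// columns `id`, `username`, `password_hash` (hypothetical) and an open
// mysqli connection in $db. Needs PHP 7.1+ with mysqlnd for get_result().
declare(strict_types=1);

// Read one request parameter as a plain string. An array value (?q[]=x, as
// post #6 describes) or an over-long value is rejected instead of breaking.
function requestString(array $source, string $key, int $maxLen = 64, bool $trim = true): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $trim ? trim($source[$key]) : $source[$key];
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

// The pattern the original poster describes: the request value is pasted
// into the SQL text, so a crafted username rewrites the query (SQL injection).
function lookupUserUnsafe(mysqli $db, string $username)
{
    return $db->query("SELECT id FROM users WHERE username = '$username'");
}

// Hardened login: the SQL is fixed and the value travels as a bound
// parameter, so it can only be compared as data. The stored value is a
// password_hash() result; the clear-text password is never stored or queried.
function login(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Credentials arrive by POST rather than in the URL (post #3), and anything
// echoed back is HTML-escaped so a hostile username cannot inject script (XSS).
$user = requestString($_POST, 'username');
$pass = requestString($_POST, 'password', 256, false);
$id   = ($user !== null && $pass !== null) ? login($db, $user, $pass) : null;
echo $id === null
    ? 'Login failed'
    : 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The prepared statement replaces any regex-based filtering for the SQL side; escaping on output with htmlspecialchars() is what covers the XSS side.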