(very) Basic Form Security 1

[owatagal]

Disclaimer: This is a very, very, very basic data check. You should not rely on it and assume data that passes this test is 'safe'. You should use it in combination with other data checks. If you already have other data checks in place, you'll need to test and make sure it doesn't clash with or override them--that would be bad! The good news is you should be able to drop this into your existing form easily, without having to modify your entire results script.

 

 

Ok, so you have a form. Maybe you're getting people to send you email addresses for a newsletter:

 

><form name="myform" method="POST" action="path/to/my/results.php">

Enter your email: <input type="text" name="email" />
<input type="submit" value="Sign up for the newsletter!">

</form>

 

Your form can look like whatever you want; what I’m going to show you can easily be incorporated into a form you already have, because you're just going to add it at the top of your results page.

 

On your results page, you have to call up the variables that were submitted in the form. You probably do this one of two ways.

 

You may be relying on register_globals being ON (which it is by default) and so you just refer to the variable by name when you need to use it:

 

$email

 

The problem with this is that you don't know if the variable was submitted through POST, GET, or anything else. Yikes! If you don't know where the information is coming from, it's going to be even harder to verify that it's legitimate data! Fortunately, we can solve that problem without even turning register_globals off (personally I think you should turn it off anyway, but some people rely on it for other codes).

 

Or maybe you already have register_globals turned off, or maybe your code is written as if it is off. In that case, you call your variable like this:

 

$email = $_POST['email'];

 

And throughout the rest of the script, you do whatever it is you need to do with the form information--mail it to yourself, echo it out for the visitor, whatever.

 

The first thing we're going to do is pop a function at the top of your results page (after the opening PHP tag, of course). This function will allow you to cut a variable down to whatever size you specify. Just paste the following at the top of your PHP code (you don't need to modify anything):

 

>function set_text_limit($variable, $limit) {
if (strlen($variable) > $limit) { 
  	 $variable = substr($variable, 0, $limit); 
	 }
 return $variable;
}

 

This function will check the size of a variable and if it is larger than the limit you define, it chops the data off at your specified limit. Like I said, it doesn't verify what is or isn't in the variable; it just ensures the variable is a certain size. How does this help? Well, if someone is sending you an email address, there's no reason to let them send you 1000 characters of data. And you can't rely on your form itself to limit the length of data, because it’s very easy to spoof form data and send you information that never went through the form at all--or went through a modified version of your form that had those checks removed. Best to check on the server side!

 

Ok. Now you're going to define your variable. For each of your variables you write a line like this. You need to add this line in after the function script you just put in:

 

>$email = (isset($_POST['email'])) ? set_text_limit($_POST['email'], 75) : '';

 

This should replace any lines like this:

 

$email = $_POST['email'];

 

(If you never defined your variable, but just called on $email, all you need to do is add the new line after the function script).

 

Where it says set_text_limit($_POST_'email'], 75), you should change "75" to the number of characters you would like to allow. Each variable field can have a different limit. For a name field, 40 or 50 is probably more than adequate. For an email field, 50 is probably fine. For a URL field, you might want to allow 75. Even for textarea fields you should set a limit--and remember, the limit is on the number of characters, NOT the number of words.

 

What this code does: First it checks that the POST field is set; if it is, it limits the post field to the number of characters you specified and assigns that value to the variable. If POST is not set, the variable is given a null value. This means that if someone tries to send you a value for the 'email' field through the GET parameters, it won't work--the null value in this line of text should override anything they send as GET. The only way to set $email with data is to send that information through the POST method. (Obviously, if they spoof the POST method, this won't help. This is why you need to verify your data in other ways as well!). And since you can set the variable name to whatever you want, you can use the same variable names you're already using.

 

The only major modification you might need to make is if you consistently use $_POST['email'] or $_GET['email'] throughout your results page--you'll want to replace all of those with the variable you create in this line ($email in the example). And although I've used $email as the example, obviously this should work with any field names/variables your form actually uses. Just make the relevant adjustments.

 

Again, don't rely on this as your only data check! But I hope, if you're just starting to learn how to secure your form and verify all the data, it might be helpful.

[TCH-Don]

Thanks -O

and for always being helpful