First Secure Site

Hello,

I’m just finishing my first website involving user input into my database and I’m nervous about security since it seems that there are so many things that one could do to attack a site. I don’t want to put my head in the sand, but I don’t want to be neurotic about it either. Basically, what I have at the moment is restricted page access for two types of users, those who I know (a group of educators) and those I don’t (students), using Zend Framework to restrict access. The educators will be uploading content using a WYSIWYG editor, while the students will be uploading solutions to quizzes, no WYSIWYG, just text. For form validation, I’ll be using client-side validation via JavaScript.

The question that I have then is, what’s the cleanest, simplest way to “sanitize” user input via PHP or Zend Framework (the documentation had me spinning!), knowing that my users will be using a WYSIWYG editor.

Thanks so much…I know that this is a very broad and deep topic.

-Eric

htmlspecialchars(): it’s a PHP built-in function. That’s my suggestion.

There was another one as well. I can’t remember without looking it up.

Essentially this function turns anything that looks code-y into harmless stuff. It’s still possible for someone to predict that and I think escape characters they type in (double escape cancels itself out). I think perhaps the other function is to do with mySQL.

I may look this up in a bit. Sorry ages since I did this and I have had very little sleep. But I am trying to be helpful as nobody has answered your question at all … !

LATER:

OK, I had a very quick look. And this is an excerpt from a script I cobbled together in a hurry a long time after I did most of the coding on the site in question, so much less thought went into it than the main stuff. It’s deep inside a secure area of the site.

But here is an example that might help:

```php
// Only process the field if the user actually filled it in.
if ($_POST['venInfo'] != '') {
    $bumf = trim($_POST['venInfo']);            // drop leading/trailing whitespace
    $bumf = stripslashes($bumf);                // undo slashes added earlier (magic_quotes-era escaping)
    $bumf = mysql_real_escape_string($bumf);    // escape for the old mysql_* extension (removed in PHP 7.0)
}
```

trim() gets rid of any whitespace, obviously
stripslashes() - stop them trying the double-escape trick. But they CAN STILL fool this by adding MORE slashies I think. Anyway, you still need
mysql_real_escape_string() which is supposed to render things harmless for insertion into a mysql database.

I think there may have been an issue with html special chars and a mysql database. Just to f*** you up! I have a feeling I found out the hard way. I may be wrong but I think the classic example is trying to enter a surname like O’Grady and finding that the apostrophe comes back with a slashie when you retrieve the data. Something like that. It doesn’t blow up or anything drastic like that. Just make sure you test your php/mysql with entries that include realistic but unusual characters that might get escaped, to be sure that you get back what you put in.

I am a bear of very little brain, don’t take my word for all of this. But hopefully you now have a few key words to look up and that will help a lot.

EDIT: I think I may also have needed stripslashes because I escaped things already before using POST. Whatever. You can look up exactly what all these things do very easily!

Actually this has been very helpful. Thanks for pointing me in the general direction! :slight_smile:

Use PHP PDO parameterized queries, and forget about encoding, stripping slashes, etc. as far as trying to inject SQL into the database. PDO parameterized queries handle sanitizing against SQL injection attacks for you.
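To tie the two pieces of advice together (the earlier reply’s suggestion to test round trips with realistic but awkward values like O’Grady, and this reply’s recommendation of PDO parameterized queries), here is an added example that is not from the original thread. It uses an in-memory SQLite database so it runs offline; the table, column names and sample inputs are constructed for the demo, and the same PDO calls work unchanged against MySQL.

```php
<?php
// Added example, not part of the original thread. Demonstrates a parameterized
// PDO insert/select round trip on awkward input, beside the concatenated query
// it replaces. SQLite in-memory keeps it self-contained; schema is constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the driver bind values natively
]);
$db->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, student TEXT NOT NULL, answer TEXT NOT NULL)');

// Constructed inputs: two a student might plausibly type, one hostile.
$inputs = [
    ["O'Grady",  "x = 2"],
    ["Müller",   "back\\slash and \"quotes\""],
    ["attacker", "'); DROP TABLE answers; --"],
];

// Safe path: the SQL text is fixed; values travel separately as parameters,
// so quotes, backslashes and comment markers in the data are just data.
$insert = $db->prepare('INSERT INTO answers (student, answer) VALUES (:student, :answer)');
foreach ($inputs as [$student, $answer]) {
    $insert->execute([':student' => $student, ':answer' => $answer]);
}

// Round-trip check: every row must come back byte-for-byte as it went in.
// This is the test the earlier reply recommends, automated.
$rows = $db->query('SELECT student, answer FROM answers ORDER BY id')->fetchAll(PDO::FETCH_NUM);
foreach ($inputs as $i => [$student, $answer]) {
    if ($rows[$i] !== [$student, $answer]) {
        throw new RuntimeException("Round trip changed row $i: " . var_export($rows[$i], true));
    }
}
echo 'All ', count($rows), " rows came back unchanged.\n";

// Unsafe path, for contrast only: the input becomes part of the SQL text.
// An apostrophe in a surname breaks the statement; the hostile input above
// would terminate it and run whatever follows. Never execute this form.
function unsafeLookupSql(string $student): string
{
    return "SELECT answer FROM answers WHERE student = '" . $student . "'";
}
echo 'SQL the unsafe version would send: ', unsafeLookupSql("O'Grady"), "\n";

// The parameterized equivalent needs no escaping code at all.
$lookup = $db->prepare('SELECT answer FROM answers WHERE student = :student');
$lookup->execute([':student' => "O'Grady"]);
echo "Answer stored for O'Grady: ", $lookup->fetchColumn(), "\n";
```

The point of the round-trip loop is that escaping bugs (the apostrophe coming back as `O\'Grady`, the classic magic_quotes double-escape) show up immediately as a failed comparison rather than as a surprise in production. Note that parameterization protects the SQL layer only; anything later printed into a page still needs HTML output encoding, which is a separate step.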

[QUOTE=kreut;4845411]For form validation, I’ll be using client-side validation via JavaScript.[/QUOTE]

No. Client-side validation is not secure. At the least you will want server-side validation. You can use both, but if you have to choose one, then use server-side.

As for making sure they are entering valid HTML, use HTML Purifier.

For users that can only enter text, use strip_tags() to remove any html they try and enter.
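An added example (not from the original thread) of what this reply’s three points look like on the server side: validating the students’ plain-text answers with strip_tags() plus basic checks, encoding on output, and passing the educators’ WYSIWYG HTML through HTML Purifier. Field names, length limits and the allowed-tag list are assumptions for the demo; the HTML Purifier part assumes the library is installed via Composer (package ezyang/htmlpurifier) and is skipped if it is not.

```php
<?php
// Added example, not part of the original thread. Server-side handling of the
// two kinds of input described: plain text from students, HTML from educators.
declare(strict_types=1);

// Assumption: HTML Purifier installed with Composer; autoload if present.
if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

// Students: plain text only. strip_tags() removes markup but keeps the text
// inside the tags and does not encode anything, so it is a cleanup step, not
// an XSS defence on its own. Limits are assumed values.
function cleanStudentAnswer(string $raw, int $maxLen = 2000): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('Answer is not valid UTF-8');
    }
    $text = trim(strip_tags($raw));
    if ($text === '' || mb_strlen($text, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('Answer is empty or too long');
    }
    return $text;
}

// Output encoding: the step that actually stops stored text from being
// interpreted as HTML when a page renders it. Apply at display time, not storage.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Educators: the WYSIWYG produces real HTML, so an allow-list filter keeps the
// formatting tags and removes scripts, event handlers and javascript: URLs.
// The tag list here is an assumption; tune it to what the editor emits.
function cleanEducatorHtml(string $raw): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($raw);
}

// Constructed sample submissions standing in for $_POST values.
$studentRaw  = "  x = <b>2</b><script>alert(1)</script> & y = 3  ";
$educatorRaw = '<p onclick="steal()">Lesson 1</p><a href="javascript:alert(1)">link</a><script>bad()</script>';

$answer = cleanStudentAnswer($studentRaw);
echo 'Stored student answer: ', $answer, "\n";     // tags gone, inner text kept
echo 'Rendered student answer: ', h($answer), "\n"; // remaining & and quotes encoded here

if (class_exists('HTMLPurifier')) {
    echo 'Cleaned educator HTML: ', cleanEducatorHtml($educatorRaw), "\n";
} else {
    echo "HTML Purifier not installed; skipping educator example.\n";
}
```

Two things worth noticing when you run it: strip_tags() leaves `alert(1)` behind as ordinary text, which is why the encoded output step is still required, and the purifier drops the `onclick` attribute and the `javascript:` link rather than merely encoding them, because for educators you want the markup to survive and only the dangerous parts to go. Client-side JavaScript validation can stay for usability; none of it is trusted here.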