Review Stage

Hi,

I am close to launching a website that I have been working on for some time now and I plan on carrying out a significant review of security.

I understand that one of the biggest areas of concern from a security point of view is how you handle user input (fields / forms etc.)

I don’t expect anyone to reply with tonnes of information on each, as the internet is full of help and advice BUT the one downside of the internet is ‘how up to date’ the information is (don’t want to use / implement outdated practices) or the ‘integrity’ of the advice, especially in relation to this subject.

So what are your key best practices for each of the following:

1 - Validating Input

2 - Sanitizing Input

Thanks in advance for your help…

I’ve just spent a couple of months slapping my head off the desk on this question (being largely self-taught, it is my best recourse). Lessons I have learned so far:

HTML5 mark-up greatly simplifies client-side validation without having to tinker heavily with JavaScript fallbacks. For browsers that do not support HTML5 (I’m shaking my head at you, IE 6-9) there is the shim option (jQuery 1.9.1 with Modernizr and Webshims), which is fairly easy to install and requires no deep knowledge of JavaScript other than how to include the files via <script> tags in the document head. Hey presto, non-HTML5 browsers such as IE 6-9 support the self-validating email input tag as well as the useful pattern and placeholder properties. I’ve tested this on IE7 and IE8 and it works seamlessly.

I run server-side validation on all input using htmlspecialchars(), strip_tags() and stripslashes() - nested in that order like so:

$name = htmlspecialchars(strip_tags(stripslashes($message['First'])), ENT_COMPAT, 'UTF-8');

For emails, I use something like:

$sanitised = filter_var($email, FILTER_SANITIZE_EMAIL);
$clean = filter_var($sanitised, FILTER_VALIDATE_EMAIL);

For good measure I also use checkdnsrr() on the filtered email address ($clean). Opinion is divided on that last function since it relies on a registry of valid domain names so it is liable to miss out some obscure but nonetheless valid addresses. Then again, email validation is a very hairy area with no absolute solution so opinion tends to be divided on any approach you might consider.

My thoughts are that it’s best left to the brains behind PHP and HTML5 who, I trust, have given the matter all due consideration.
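Putting the functions discussed in the reply above together in one place, as an added example (my own code, not the poster's): the form is validated server-side and rejected on failure, the email domain is checked with checkdnsrr(), and htmlspecialchars() is applied at the point where a value is written into HTML. The field name 'Email', the function names and the sample submission are assumptions for illustration.

```php
<?php
// Added example (not from the original post): server-side validation of a
// contact form, then HTML escaping only when a value is output to the page.

// Returns field => error message; an empty array means the input passed.
function validateContactForm(array $post): array
{
    $errors = [];

    // Name: required, 1-100 characters after trimming, no control characters.
    $name = trim((string)($post['First'] ?? ''));
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        $errors['First'] = 'Name must be between 1 and 100 characters.';
    } elseif (preg_match('/[\x00-\x1F\x7F]/u', $name)) {
        $errors['First'] = 'Name contains control characters.';
    }

    // Email: syntactic check with FILTER_VALIDATE_EMAIL, then a DNS check
    // on the domain (MX or A record). checkdnsrr() needs network access.
    $email = trim((string)($post['Email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['Email'] = 'Email address is not valid.';
    } else {
        $domain = substr($email, strrpos($email, '@') + 1);
        if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
            $errors['Email'] = 'Email domain does not accept mail.';
        }
    }
    return $errors;
}

// Escape a value for insertion into an HTML text node or quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission, as a browser would POST it.
$submission = ['First' => "O'Brien <script>", 'Email' => 'user@example.com'];
$errors = validateContactForm($submission);
if ($errors === []) {
    // The stored name keeps its original characters; escaping happens here.
    echo 'Thanks, ' . h($submission['First']) . "\n";
} else {
    foreach ($errors as $field => $msg) {
        echo h($field) . ': ' . h($msg) . "\n";
    }
}
```

Because escaping is done at output rather than at input, the same stored value can later be escaped differently for a database query, a JSON response or an email body without first undoing an HTML-specific transformation.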