Web Form Security with PHP
May 21, 2009For professional web developers, web security is an item at the top of the list of things to design, develop and test for when it comes to building new web applications and sites. Unfortunately, for entry level developers, home hobbyists and others with limited amounts of experience, web security generally falls at the bottom of the to-do list.
When it comes to web form security, it's unfortunate that this topic is often ignored or misunderstood as most common programming languages already provide the tools right out of the box to secure, encrypt and filter web data. In most cases these tools and techniques are really quite simple to implement.
What we present here are a few methods and thoughts (using PHP) to lock down your web forms, reduce spam and better handle your user's data.
1. Handle input data with zero trust.
One of the biggest vulnerabilities in any web application is putting too much trust into user input data. Whether it's a user's name, email address or textarea, all user input data should be treated with zero trust. This needs repeating: put zero trust into user data. All user data should be treated as suspect until proven innocent. Putting too much trust into user data can open your web application to all kinds of web spam, injection attacks, cross site scripting attacks and other forgeries. Thinking in such terms is the first step towards building more secure web sites and applications.
2. Do not rely on client-side Javascript form validation.
Client-side Javascript form validation provides almost no security at all. With the popularity of Firefox and extensions like NoScript and AdBlock, relying on Javascript for form validation makes even less sense these days. Keep your form validation to server side processing and utilize Javascript form validation techniques simply as user interface aids. Keeping Javascript as unobtrusive as possible is also a common goal of most serious developers.
3. Avoid cross site scripting attacks by escaping data.
For cross site scripting attacks to work, attackers need to take advantage of forms which embed unescaped HTML/Javascript right back into the page. For instance, you might have a form which takes the user's inputted email address and displays the address on the resulting form submission page. Without properly escaping the input data, all kinds of nasty things can be embedded right into the submission page.
Avoiding cross site scripting attacks can be handled through PHP's htmlentities or htmlspecialchars functions. Using the ENT_QUOTES parameter ensures that both single and double quotes are escaped along with all HTML entities.
$cleanText = htmlentities( $_POST['user_email'], ENT_QUOTES, 'your-charset-here' );
3. Filter all input.
Filtering input goes along with escaping input. Utilizing a rule based system, you can easily verify your input data meets certain criteria before being further handled. For instance, if you are expecting a valid email address to be given or that a textarea entry may only contain 3 URLs before being flagged as spam, utilize input filtering.
// Will return the number of valid emails matched or 0 for an invalid match.
$validEmailCount = preg_match( '/^([.0-9a-z_-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,4})$/i', $_POST['user_email'] );
4. Reduce automated spam by using hidden form fields.
No, we are not talking about HTML hidden input fields but rather simply text input fields which are hidden from the user via CSS. Since these input fields are hidden from human eyes, your form processing should detect whether or not these hidden fields contain any data. If they do contain data, you can be assured that the form was sent via an automated spam bot and handle the form submission appropriately. In our example below, we are utlizing an address input form item (hidden from the user in our view page) as the "catch" field.
if( isset( $_POST['address_2'] ) && strlen( $_POST['address_2'] ) > 0 ) {// Gracefully handle the bot submitted form.
}
5. Avoid GET requests that manipulate or include sensitive data.
While it may seem somewhat trivial, a surprising amount of large scale web sites have been exploited simply by manipulating values being passed via URL parameter strings. In the early days of Hotmail, it was as simple as pasting a user's username into the appropriate parameter string value to login to an exploited user's account (provided he or she had still kept their session open by not logging out.)
Whenever you utilize GET requests (whether through forms, URL strings, etc), thoroughly analyze each request and the resulting state of your site/data after handling GET request values. Avoid passing sensitive information such as account number information and avoid passing parameters which manipulate data. In other words, when utilizing GET requests, do so only for data retrieval.
Finally
Of course, the techniques and examples we have shown here are just a few basics on form security. They were written to help readers get started with thinking in terms of security when designing and developing sites and applications. However, it does not stop here. Exploits, vulnerabilities and new attack methods are constantly being discovered and education on web security has become a constant affair for professional web developers. Check out the following sites for further reading:
Further Reading -
Top 7 PHP Security Blunders
Yahoo Developer Network - Security Best Practices
OWASP Development Guide
Security Fix
