Basic & essential security tips when handling forms in PHP

Hello,

I am writing this post because I recently had a security hole in one of my scripts, through which, fortunately, nothing bad happened. There are basic things you must always add to your PHP code when handling forms. I will cover some essentials that can't be ignored if you want to avoid SQL injection attacks.

  • When submitting forms that contain passwords or other sensitive information, always make sure the form is sent with POST so the values arrive in the $_POST array, not the $_GET array (GET parameters end up in the URL, browser history and server logs).
  • After the values have reached PHP, don't pass them straight to the DB. Always run them through mysql_real_escape_string() first to prevent SQL injection. The function's main function (sounds kind of weird..) is to escape the characters that have a special meaning inside a SQL string literal, so the value can safely be embedded in a query passed to mysql_query().

An example of an exploit: you have a username & password form. After you submit it, the information is received by the PHP script this way:

if(isset($_POST['submit'])) { //If submit button's been pressed

$user = $_POST['username']; //Friendlier to handle
$pass = $_POST['password']; //Friendlier to handle

//Vulnerable: the submitted values are pasted straight into the SQL text
mysql_query("SELECT * FROM users WHERE password='$pass' AND username='$user'"); //Query

//Something else

}

What would happen if somebody enters the following as the username: User: ' OR 1'. Because OR 1 always evaluates to true, the WHERE clause matches every row, so all the rows in the users table are selected.

The correct form:

if(isset($_POST['submit'])) { //If submit button's been pressed

//Adding mysql_real_escape_string() to escape the submitted strings

$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

mysql_query("SELECT * FROM users WHERE password='$pass' AND username='$user'"); //Query

//Something else

}
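As an added example (not code from the original post), here is the same login lookup written with a mysqli prepared statement, which is the current replacement for the mysql_* functions removed in PHP 7, shown next to the post's escaping approach using the mysqli equivalent. The users table and its username/password columns come from the post; the connection details are placeholders.

```php
<?php
// Added example, not code from the original post. With a prepared statement
// the SQL text and the submitted values travel to the server separately, so
// "' OR 1" typed as the username is compared literally and cannot change the
// query. Assumptions: a `users` table with `username` and `password` columns
// (as in the post); the connection details below are placeholders.

function find_user(mysqli $db, string $user, string $pass): ?string
{
    // Only placeholders appear in the SQL; no user data is interpolated.
    $stmt = $db->prepare(
        'SELECT username FROM users WHERE username = ? AND password = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $user, $pass); // both bound as string parameters
    $stmt->execute();
    $stmt->bind_result($username);
    $found = $stmt->fetch();               // true when a row matched
    $stmt->close();
    return $found ? $username : null;
}

// For comparison, the post's escaping approach with the mysqli equivalent.
// The value is still embedded in the SQL text, so the connection's character
// set must be set (see set_charset below) before escaping for it to be correct.
function find_user_escaped(mysqli $db, string $user, string $pass): ?string
{
    $u = $db->real_escape_string($user);   // the quote becomes \' in the literal
    $p = $db->real_escape_string($pass);
    $res = $db->query("SELECT username FROM users WHERE username='$u' AND password='$p'");
    $row = $res ? $res->fetch_assoc() : null;
    return $row['username'] ?? null;
}

if (isset($_POST['submit'])) {
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'); // placeholders
    $db->set_charset('utf8mb4');
    $name = find_user($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $name === null ? 'Login failed' : 'Welcome ' . htmlspecialchars($name);
}
```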

  • I recommend developing with full error reporting. This can be enabled by adding error_reporting(E_ALL); at the top of your script. With it on, you'll see a notice whenever you use a variable that has not been defined before. You might wonder what can happen if there's a variable not declared before.. Well, simple: with register_globals enabled, every request parameter becomes a PHP variable of the same name, so somebody can go to your website and do something like yourscript.php?variable=http://mywebsite.com/scripttohackyou.php.

Well, that was pretty much everything that came to my mind right now =). If I remember something or find out something new, I'll add it to the list. I hope this helps somebody out there, because it took me forever to color the code =P.

Any comment, suggestion, or question, please post it here. Or if you think I am missing something, please tell me, so I can add it.

Best Regards,

Richi


Author Spotlight

Richi González

I started programming when I was 12. I'm a Developer and have been working with the Clip-Bucket script since it came out. I'm the Liaison between Arvixe and Clip-Bucket, so anything you need regarding Clip-Bucket or any particular computer-related subject you need, let me know so I can assist you.

2 Comments on Basic & essential security tips when handling forms in PHP

  1. Guillem says:

    I completely agree. I would add that for big projects using an ORM like Doctrine or some PEAR modules like DB_DataObject is a must. They are going to give you most of this security by default.

    Regards, Guillem.

  2. Hello,

    Yes, you're right. This is like basic security you must have like by default in almost any script that handles forms or data.

    Regards,
    Richi
