Secure forms

  • typhon
  • Guru
  • Posts: 1294
  • Loc: Memphis, Tn

Post 3+ Months Ago

I have googled and have searched here and have looked on the PHP and SQL sites. But I can't seem to get my head around any of the discussions concerning securing a web form from code injection and email validation/verification. I found one article a week or so ago that got into the use of regular expressions to validate that it is in the proper format for an email, then if it passed that it checked the domain to see if there was a mailserver at that domain (or something along those lines) to make sure that it was feasibly a valid email. And then there is the disabling of HTML, which I think is the other half of the securing (with the email being the first half). Any pointers, sites/articles, help :D
  • Inito
  • Graduate
  • Posts: 223

Post 3+ Months Ago

I'm not sure you really need to check whether the domain really has a mailserver. A regular expression to check the format will do the trick.

As to clearing fields, this is my function that handles it:

PHP Code:

function cleanInput($input, $mode, $isUserInput=1)
{
   // Trim raw form input and undo magic_quotes where the installation adds them.
   // get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard.
   if( $isUserInput == 1 )
   {
      if( is_array($input) )
      {
         foreach ($input as $key => &$value)
         {
            $value = trim($value);

            if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1 )
            $value = stripslashes($value);
         }
         unset($value); // release the reference left behind by the foreach
      } else {
         $input = trim($input);

         if( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1 )
         $input = stripslashes($input);
      }
   }

   switch ($mode)
   {
      case 'strip':
      $input = strip_tags($input);
      break;

      case 'ensafe':
      $input = htmlentities($input);
      break;

      case 'password':
      $input = checkPasswords($input);
      break;

      case 'numeric':
      $input = is_numeric($input) ? $input : false;
      break;

      case 'email':
      $input = strtolower($input);
      // ereg() was removed in PHP 7; preg_match() with the same pattern, wrapped in delimiters
      $input = preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@([a-zA-Z0-9-]+\.)+([a-zA-Z]{2,4})$/', $input) ? $input : false;
      break;

      case 'sql':
      // needs the legacy mysql extension (removed in PHP 7) and an open connection
      $input = mysql_real_escape_string($input);
      break;
   }

   return $input;
}
 

It contains about everything you need.

Note that when I supply a password I pass 2 entries as an array (password and confirm password fields) which will be checked.

checkPasswords:
PHP Code:
function checkPasswords($passwords)
{
   $errors = array(); // must exist before sizeof() is called on it

   if( $passwords[0] != $passwords[1] )
   $errors[] = "Passwords must be equal";

   if( strlen($passwords[0]) < 6 || strlen($passwords[1]) < 6 )
   $errors[] = "Password must be at least 6 characters long";

   $pass1_spacecheck = str_replace(" ", "", $passwords[0]);
   $pass2_spacecheck = str_replace(" ", "", $passwords[1]);

   if( $passwords[0] != $pass1_spacecheck || $passwords[1] != $pass2_spacecheck )
   $errors[] = "Password may not contain spaces";

   if( sizeof($errors) )
   {
      return $errors;
   } else {
      // unsalted sha1 of the password; see password_hash() for a stronger store
      return sha1($passwords[0]);
   }
}
 

The environment that uses these functions and handles the returned values is quite complex, so I will refrain myself from posting these, unless you are also interested in these (they are a great reusable toolkit I invented).
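The same three jobs that Inito's cleanInput() covers with its 'email', 'ensafe' and 'password' modes, written as an added example (not Inito's code, not part of this thread) against current PHP: filter_var() replaces the ereg() pattern, htmlspecialchars() with ENT_QUOTES covers the output-encoding half, and password_hash() replaces unsalted sha1(). The optional MX check is the domain test typhon asked about; it only shows that the domain accepts mail, not that the mailbox exists. The function names and the sample $post array are assumptions made for the example.

```php
<?php
// Added example, not Inito's code: the 'email', 'ensafe' and 'password'
// jobs of cleanInput()/checkPasswords() written against current PHP
// (filter_var, htmlspecialchars, password_hash) instead of ereg() and sha1().
declare(strict_types=1);

/**
 * Normalise and validate an e-mail address. Returns the lower-cased address,
 * or null if the syntax is invalid. With $checkMx the domain must also publish
 * an MX record (assumes DNS is reachable); that shows the domain can receive
 * mail, not that the mailbox exists.
 */
function validateEmail(string $input, bool $checkMx = false): ?string
{
    $email = strtolower(trim($input));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($checkMx) {
        $domain = substr($email, strrpos($email, '@') + 1);
        if (!checkdnsrr($domain, 'MX')) {
            return null;
        }
    }
    return $email;
}

/** Encode text for output inside HTML content or a quoted attribute. */
function escapeHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Same rules as checkPasswords() (match, at least 6 chars, no spaces).
 * Returns an array of error messages, or a password_hash() string to store;
 * check a login later with password_verify(), not by comparing hashes yourself.
 */
function checkPasswordPair(array $passwords)
{
    $first  = (string) ($passwords[0] ?? '');
    $second = (string) ($passwords[1] ?? '');
    $errors = [];
    if ($first !== $second) {
        $errors[] = 'Passwords must be equal';
    }
    if (strlen($first) < 6) {
        $errors[] = 'Password must be at least 6 characters long';
    }
    if (strpos($first, ' ') !== false) {
        $errors[] = 'Password may not contain spaces';
    }
    return $errors ?: password_hash($first, PASSWORD_DEFAULT);
}

// Constructed sample input, shaped like $_POST from a form such as typhon's.
$post = [
    'email'    => ' Someone@Example.COM ',
    'comment'  => '<script>alert(1)</script> "Hi" there',
    'password' => ['hunter22', 'hunter22'],
];

var_dump(validateEmail($post['email']));       // string "someone@example.com"
var_dump(validateEmail('anyone@anywhere'));    // NULL (dotless domain rejected)
echo escapeHtml($post['comment']), "\n";       // tags and quotes become entities
var_dump(checkPasswordPair(['abc', 'abd']));   // array of two error strings
var_dump(is_string(checkPasswordPair($post['password']))); // bool(true)
```

The design point is that validation (is this an address?) and output encoding (is this safe to print into HTML?) are separate steps applied at different places: validate on the way in, encode at the moment the value is written into a page.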
  • typhon
  • Guru
  • Posts: 1294
  • Loc: Memphis, Tn

Post 3+ Months Ago

Inito wrote:
I'm not sure you really need to check whether the domain really has a mailserver. A regular expression to check the format will do the trick.


The reason I am wanting to make sure of the existence of the mail server is that in theory it should reduce any spoofed email addresses. With just checking for the format you can get anyone@anywhere.com and it passes even though it's bunk. And yes, I know that someone could put in a spoofed valid email, but it should reduce some of the bogus emails. It isn't necessary, but it shouldn't be that much of a big deal. If I remember right-ish the code that did it was only 3 or 4 lines I believe. But I can't find the friggen article again. bleh
  • Vincent
  • Expert
  • Posts: 721
  • Loc: Brisbane, Australia

Post 3+ Months Ago

http://www.devshed.com/c/a/PHP/Email-Address-Verification-with-PHP/

This is the best example I've seen, plus it can be made into a PDF.
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

I find MX lookups etc pretty annoying. The way I deal with stopping people from giving false addresses is to send information that they require to complete registration to the email address they provided.

Nice, clean and simple.

As for securing the form: HTTPS? This won't protect you from SQL injections, as these are caused by lazy coding. Just remember to escape all data posted back from the form.
  • lioness
  • Mastermind
  • Posts: 1615

Post 3+ Months Ago

Rabid Dog wrote:
I find MX lookups etc pretty annoying. The way I deal with stopping people from giving false addresses is to send information that they require to complete registration to the email address they provided.

Nice, clean and simple.

As for securing the form: HTTPS? This won't protect you from SQL injections, as these are caused by lazy coding. Just remember to escape all data posted back from the form.


I agree with Rabid - MX lookups can be irritating. Like he said, have the user for example click a link in their email to complete registration - I'm sure you've seen this on other sites.
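The confirm-by-link flow Rabid Dog and lioness describe, as an added example (not their code): a random token is generated, only its hash is kept next to the address, the raw token goes into the link, and the address counts as verified once the link is opened, within a time limit and only once. Storage is an in-memory array standing in for a database table, the one-day lifetime and the function names are assumptions, and the mail() call is left as a comment so the script runs offline.

```php
<?php
// Added example, not from the thread: e-mail confirmation by link.
// A database table would hold what $store holds here (assumption).
declare(strict_types=1);

const TOKEN_TTL = 24 * 3600; // assumption: links expire after one day

/** Register a pending verification for $email and return the link to send. */
function issueVerification(array &$store, string $email, string $baseUrl): string
{
    $token = bin2hex(random_bytes(32));   // 256 random bits, not guessable
    // Store only the hash: someone who can read the table still cannot
    // build a valid link from it.
    $store[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => time() + TOKEN_TTL,
        'used'    => false,
    ];
    return $baseUrl . '?verify=' . $token;
}

/** Consume the token from a visited link; returns the verified address or null. */
function confirmVerification(array &$store, string $token): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                       // malformed: reject before any lookup
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                       // unknown token
    }
    $row = $store[$key];
    if ($row['used'] || $row['expires'] < time()) {
        unset($store[$key]);               // expired or replayed: discard
        return null;
    }
    $store[$key]['used'] = true;           // single use
    return $row['email'];
}

// Demonstration with constructed values.
$pending = [];
$link = issueVerification($pending, 'someone@example.com', 'https://example.com/confirm.php');
// mail('someone@example.com', 'Confirm your address', "Open this link: $link");

$token = substr($link, strpos($link, '=') + 1);
var_dump(confirmVerification($pending, $token));  // string "someone@example.com"
var_dump(confirmVerification($pending, $token));  // NULL: token already used
var_dump(confirmVerification($pending, 'abc'));   // NULL: malformed
```

Because the address is only accepted after the link is followed, a syntactically valid but unowned address never gets past this step, which is the gap an MX lookup leaves open.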
  • Inito
  • Graduate
  • Posts: 223

Post 3+ Months Ago

An MX lookup is easy to get around. Enter nonexistent@yahoo.com and it will result in true. Therefore, indeed, e-mail activation is a must.
I presumed you were solely talking about XSS by mentioning 'secure' forms, hence my first reply.
  • typhon
  • Guru
  • Posts: 1294
  • Loc: Memphis, Tn

Post 3+ Months Ago

Actually this is just a contact form, no registration. I was just trying to avoid collecting bogus email addys. Thanks for the info though.

Quote:
As for securing the form. HTTPS? This won't protect you from sql injections as these are caused by lazy coding. Just remember to escape all data posted back from the form


I'm not sure I'm doing that. And that's what I'm most concerned about; could you give a little more detail?

Here's the contact form, which actually isn't even using the database, however since it is processed through the index file via the use of ' ?target=contact '

And on the index file there is an inclusion of a configuration that has the database connection in it. Would this even make it feasible for SQL injection in the contact form?

edit: I accidentally had the wrong code, this is the actual code. Still no responses :(
Code:
<div align="center">
<form action="index.php?target=sendmail" method="post">
<table>
<tr><td align="right">* First Name:</td><td align="right"><input type="text" name="first"></td></tr>
<tr><td align="right">* Last Name:</td><td align="right"><input type="text" name="last"></td></tr>
<tr><td align="right">* Email:</td><td align="right"><input type="text" name="email"></td></tr>
<tr><td colspan="2"><br>* Concerning:<br>
<ul class="form">
<li><input type="radio" name="subject" value="picnics">Picnics</li>
<li><input type="radio" name="subject" value="bday">Birthday Parties</li>
<li><input type="radio" name="subject" value="groups">Group Rates</li>
<li><input type="radio" name="subject" value="general">General Info</li>
</ul>
<br><br>
</td></tr>
<tr><td colspan="2">Comment:<br>
<textarea rows="10" cols="30" name="comment"></textarea><br><br>
<input type="submit" value="Contact Us"> <input type="reset" value="Reset">
</td></tr></table>
</form>
</div>

On my admin panel the code used to edit the content and update the database is this. Is it properly escaped?

Code:
<?php
include('config.php');
$ref = $_POST['ref_id'];
$name = $_POST['name'];
$title = $_POST['title'];
$type = $_POST['type'];
$style= $_POST['style'];
$content = $_POST['content'];
$created = $_POST['created'];
$modified = $_POST['modified'];
$current = date("Y-m-d");
if ($modified != $current) {
// echo "Today is different from the last time this file was modified ";
// echo $modified;
// echo "<br><br>";
$modified = $current;
// echo "The new modified date is --> " . $modified;
}
?>
<br><br>
<?php
// echo "! $addr !";
// echo "! $text !";
// echo "! $active ! ";
// echo "! $image !";
mysql_select_db($db) or die( "Unable to select database");
//$query = "INSERT INTO `links` ( `addr` , `text` , `image` , `active` , `ref_id` )
//VALUES ('$addr', '$text', '$image', '$active', '');";
$query = "UPDATE `content` SET `name` ='$name', `title` ='$title', `type` ='$type', `style` ='$style' , `content` = '$content', `modified` ='$modified' where `ref_id`='$ref';";
//@mysql_select_db($db) or die( "Unable to select database");
mysql_query($query);
echo "Success! Record Updated<br>";
// echo $query;
?>

And if it's not, it wasn't due to laziness, just ignorance. So please be gentle :twisted:
  • typhon
  • Guru
  • Posts: 1294
  • Loc: Memphis, Tn

Post 3+ Months Ago

Ok, the contact form is about to start using the database. I have had it in pure email form for testing purposes and am about to have the database updated via this form. Could someone let me know how secure this will be when it does start adding to the database? The code will be similar to the previously posted code that updated/inserted data. The only real difference will be the table name and row names. Other than that the same PHP/SQL INSERT will be used, and I was just wondering if it was escaped or not. Input is greatly appreciated.
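The admin-panel UPDATE typhon posted builds its SQL by pasting $_POST values straight into the query string, which is what Rabid Dog's "escape all data" warning is about: a single apostrophe in a title ends the string literal early. The added example below (not typhon's code, not from the thread) does the same UPDATE, and the INSERT the contact form is about to gain, with PDO prepared statements, so the values travel as bound parameters and never become part of the SQL text. Table and column names for `content` are the ones in the posted query; the contact table name `contact_messages` and the in-memory SQLite database (used so the script runs offline; the real DSN would come from config.php) are assumptions.

```php
<?php
// Added example, not typhon's code: the admin-panel UPDATE and the planned
// contact-form INSERT with PDO prepared statements. Runs against an
// in-memory SQLite database (assumption) so it works without config.php;
// in production the DSN would be the MySQL one from config.php, e.g.
// 'mysql:host=...;dbname=...;charset=utf8mb4'.
declare(strict_types=1);

function openDb(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    // Exceptions instead of silent failure: a failed query must not be
    // followed by "Success! Record Updated".
    return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

/** Pull the named fields out of the posted form; reject anything missing. */
function requireFields(array $post, array $names): array
{
    $out = [];
    foreach ($names as $n) {
        if (!isset($post[$n]) || !is_string($post[$n])) {
            throw new InvalidArgumentException("missing field: $n");
        }
        $out[$n] = $post[$n];
    }
    return $out;
}

/** The admin-panel UPDATE; returns the number of rows changed. */
function updateContent(PDO $pdo, array $post): int
{
    $f = requireFields($post, ['ref_id', 'name', 'title', 'type', 'style', 'content']);
    $stmt = $pdo->prepare(
        'UPDATE `content`
            SET `name` = :name, `title` = :title, `type` = :type,
                `style` = :style, `content` = :content, `modified` = :modified
          WHERE `ref_id` = :ref'
    );
    $stmt->execute([
        ':name'     => $f['name'],
        ':title'    => $f['title'],
        ':type'     => $f['type'],
        ':style'    => $f['style'],
        ':content'  => $f['content'],
        ':modified' => date('Y-m-d'),   // the original ends up stamping today's date too
        ':ref'      => $f['ref_id'],
    ]);
    return $stmt->rowCount();
}

/** The INSERT the contact form is about to gain; same binding pattern. */
function insertContact(PDO $pdo, array $post): int
{
    $f = requireFields($post, ['first', 'last', 'email', 'subject', 'comment']);
    $stmt = $pdo->prepare(
        'INSERT INTO `contact_messages` (`first`, `last`, `email`, `subject`, `comment`, `created`)
         VALUES (:first, :last, :email, :subject, :comment, :created)'
    );
    $stmt->execute([
        ':first'   => $f['first'],
        ':last'    => $f['last'],
        ':email'   => $f['email'],
        ':subject' => $f['subject'],
        ':comment' => $f['comment'],
        ':created' => date('Y-m-d'),
    ]);
    return $stmt->rowCount();
}

// --- demonstration on the in-memory database (constructed data) ---------
$pdo = openDb('sqlite::memory:');
$pdo->exec('CREATE TABLE `content` (`ref_id` INTEGER, `name` TEXT, `title` TEXT, `type` TEXT,
            `style` TEXT, `content` TEXT, `created` TEXT, `modified` TEXT)');
$pdo->exec('CREATE TABLE `contact_messages` (`first` TEXT, `last` TEXT, `email` TEXT,
            `subject` TEXT, `comment` TEXT, `created` TEXT)');
$pdo->exec("INSERT INTO `content` VALUES (7, 'contact', 'old title', 'page', 'default', '', '2006-01-01', '2006-01-01')");

// The apostrophes below would break the string-concatenated query in the
// thread; as bound values they are simply stored.
$adminPost = ['ref_id' => '7', 'name' => 'contact', 'title' => "Bob's page",
              'type' => 'page', 'style' => 'default', 'content' => 'Hello'];
printf("content rows updated: %d\n", updateContent($pdo, $adminPost));   // 1

$formPost = ['first' => "O'Neil", 'last' => 'Smith', 'email' => 'someone@example.com',
             'subject' => 'picnics', 'comment' => 'Any dates in June?'];
printf("contact rows inserted: %d\n", insertContact($pdo, $formPost));   // 1

echo $pdo->query('SELECT `title` FROM `content` WHERE `ref_id` = 7')->fetchColumn(), "\n"; // Bob's page
```

With a MySQL DSN you would also set PDO::ATTR_EMULATE_PREPARES to false so the server itself parses the statement before any value is attached; the binding discipline is the same either way, and it makes the "is it escaped?" question moot because nothing from the form is ever spliced into SQL.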

Post Information

  • Total Posts in this topic: 9 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.