what is the best way to secure forms in php?
I basically have a login system with my script and what worries me most is i directly use $_GET[$var] in mysql queries?
Any advice or suggestions related to securing forms is much appreciated :)
6 1296
Im no expert so you might want to hold out for an expert to reply but I have been doing this for a while.
When I first started I used safeHTML, which seemed to do a good job, was quick at what it done.
I'm writing a script now and im trying to stay away from it simply for the fact that I want to learn myself.
Id suggest writing a function of some sort that would get what the user is submitting, and use regex to look for things that you don't want in your database.
The only real way to know how to secure your website, is knowing how to hack it. Maybe look on Google for some php injection tutorials and see how they work and what they look for, that way you can close the gaps.
I would be interested to see how you get on so keep us updated.
My opinion though, you don't want to be inserting what the user types directly into your database.
nathj 938
Recognized Expert Contributor
what is the best way to secure forms in php?
I basically have a login system with my script and what worries me most is i directly use $_GET[$var] in mysql queries?
Any advice or suggestions related to securing forms is much appreciated :)
Hi,
I'd start by switching from GET to POST as the form method. Then the only sure fire way to secure the data as it's passed to the server is SSL. At least that's what I use and it works a treat.
Cheers
nathj
thanks :) i am using GET only in querying mysql and i use only POST to insert or edit in the database.
looks like i need to write a function though :) hmmm...
i guess it should be something like filtering user data. can anybody post code for this?
Markus 6,050
Recognized Expert Expert
The $_GET method is open to XSS (cross site scripting) and SQL injection, also is easily broken because anyone can change the URL.
So if you have to have a string for your variable. if someone types the url as
www.mysite.com/index.php?q=hel lo - that will work because it is searching for a string
but, if they do
www.mysite.com/index.php?q[] - it will return an error because the GET is expecting a string however it is getting an array thus /breaks/.
So for that, using 'q' as the GET -
<?php
-
if (isset($_GET['q']) && is_array($_GET['q'])) {
-
//error message
-
}
-
else {
-
//code to query database.
-
}
-
?>
-
Sam
ak1dnar 1,584
Recognized Expert Top Contributor
Mistakenly I removed this post from the thread while removing another spam contents. Sorry about this.
Original poster : nathj
=============== =============== =============== = thanks :) i am using GET only in querying mysql and i use only POST to insert or edit in the database.
looks like i need to write a function though :) hmmm...
i guess it should be something like filtering user data. can anybody post code for this?
Hi,
If I've understood this correctly you have a login form that takes user sensitive data such as a user name and password and you are submitting this via the GET method? If that is correct you really need to change it. Having such information in the URL query string is a bad idea.
If I've mis-understood, then my apologies.
For such things I use a form that submits data to the the server, via a secure connection and this then calls a function on an object to log the user in and set up the session variables and the user object. This object directly controls the user expereince of my site.
Perhaps some research around these ideas would be time well spent.
Cheers
nathj _______________ ___ Keep on trying and keep on learning Sign in to post your reply or Sign up for a free account.
Similar topics |
by: Billy Jacobs |
last post by:
I have a website which has both secure and non-secure
pages. I want to uses forms authentication. How do I
accomplish this?
Originally I had my web.config file in the root with Forms
Authentication set up and it worked just fine. Then I
realized that I needed to have some pages unsecure.
I then created 2 directories. One named Secure and the
other named Public. I placed my web.config file in my
|
by: Nick |
last post by:
I am working a new application...well actually a series of applications for
my company. They want internal users to be able to go to a site and
everything regarding security is transparent, however we will have brokers
and customers that also need to connect and will require a username and
password. In this case we were going to store their credentials in a SQL
database. Internal users will have the ability to access the same resources...
|
by: VB Programmer |
last post by:
PLEASE HELP....
I'm having trouble. In my login form after I've verified the
username/password are valid I do this:
Select Case iMyPrivilege
Case 0
Dim arrRoles() As String = {"guest"}
Context.User = New
System.Security.Principal.GenericPrincipal(User.Identity, arrRoles)
Case 1
|
by: Kris van der Mast |
last post by:
Hi,
I've created a little site for my sports club. In the root folder there are
pages that are viewable by every anonymous user but at a certain subfolder
my administration pages should be protected by forms authentication.
When I create forms authentication at root level it works but when I move my
code up to the subfolder I get this error:
Server Error in '/TestProjects/FormsAuthenticationTestingArea' Application.
|
by: Anonieko Ramos |
last post by:
ASP.NET Forms Authentication Best Practices
Dr. Dobb's Journal February 2004
Protecting user information is critical
By Douglas Reilly
Douglas is the author of Designing Microsoft ASP.NET Applications and
owner of Access Microsystems. Doug can be reached at
doug@accessmicrosystems.com.
--------------------------------------------------------------------------------
| |
by: James |
last post by:
I have a VB windows forms application that accesses a Microsoft Access
database that has been secured using user-level security. The
application is being deployed using No-Touch deployment. The objective
in utilizing this new deployment method is to reduce the maintenance
overhead as well as making it easier for my users to setup and run the
application initially. I have VS 2002, Windows XP, Access XP(2000
format).
He is my problem....
|
by: gxl034000 |
last post by:
Hi,
I have been trying to use a .net Forms control in my webpage to open up
an application(notepad) on the client. The control works fine when
embedded in a windows form, but I keep getting a security exception
when trying to run it from my webpage on my intranet. I have tried
playing with the Code Access Security settings, but I can't get it to
work.
What do you think?
Thanks,
|
by: =?Utf-8?B?RGF2ZQ==?= |
last post by:
Is this possible? I have 3 forms frmGrandparent, frmParent & frmChild. Can
frmGrandparent do a frmParent.ShowDialog() and then (while frmParent is open)
do a frmChild.ShowDialog(). At the end of the day frmChild should be the
topmost form and the focus should be on it.
--
L. A. Jones
|
by: Bjorn Sagbakken |
last post by:
In a web-application with login creds (user, pwd), these are checked against
a user table on a SQL server. On a positive validation I have saved the
userID, name, custno and role-settings in a userobject (custom build class)
and added this to the session using as session variable like session
For all other pages I have added a small test in the page_load event,
basically testing if the session != null, but also checking if the...
|
by: Rory Becker |
last post by:
Having now created a Custom MembershipProvider that seems to work correctly
with my Logon and ChangePassword controls, I am, as they say, a happy bunny.
The next stange is to move on to the creation of content which adjusts based
on the user.
I have several pages which require a user to be logged on and several which
do not. Prior to this point in time I have used 2 different master pages.
one with a control which checks a session...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
| |
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
| |
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |