Bytes IT Community

PHP Forms Security

P: 26
What is the best way to secure forms in PHP?

I basically have a login system in my script, and what worries me most is that I directly use $_GET[$var] in MySQL queries.

Any advice or suggestions related to securing forms is much appreciated :)
Dec 20 '07 #1
6 Replies


P: 26
I'm no expert, so you might want to hold out for an expert to reply, but I have been doing this for a while.

When I first started I used safeHTML, which seemed to do a good job and was quick at what it did.

I'm writing a script now and I'm trying to stay away from it, simply because I want to learn myself.

I'd suggest writing a function of some sort that would get what the user is submitting, and use regex to look for things that you don't want in your database.

The only real way to know how to secure your website is knowing how to hack it. Maybe look on Google for some PHP injection tutorials and see how they work and what they look for; that way you can close the gaps.

I would be interested to see how you get on so keep us updated.

My opinion though, you don't want to be inserting what the user types directly into your database.
Dec 20 '07 #2

nathj
Expert 100+
P: 938
What is the best way to secure forms in PHP?

I basically have a login system in my script, and what worries me most is that I directly use $_GET[$var] in MySQL queries.

Any advice or suggestions related to securing forms is much appreciated :)
Hi,

I'd start by switching from GET to POST as the form method. Then the only sure-fire way to secure the data as it's passed to the server is SSL. At least that's what I use, and it works a treat.

Cheers
nathj
Dec 20 '07 #3

P: 26
Thanks :) I am using GET only for querying MySQL, and I use only POST to insert or edit in the database.

Looks like I need to write a function though :) hmmm...

I guess it should be something like filtering user data. Can anybody post code for this?
Dec 20 '07 #4

Markus
Expert 5K+
P: 6,050
http://www.tizag.com/mysqlTutorial/m...-injection.php

The code won't write itself ;)

Good day.
Dec 21 '07 #5

100+
P: 118
The $_GET method is open to XSS (cross-site scripting) and SQL injection, and it is also easily broken because anyone can change the URL.

So, if you have to have a string for your variable, and someone types the URL as

www.mysite.com/index.php?q=hello - that will work because it is searching for a string

but, if they do

www.mysite.com/index.php?q[] - it will return an error, because the GET is expecting a string; however, it is getting an array and thus /breaks/.

So for that, using 'q' as the GET:

```php
<?php
if (isset($_GET['q']) && is_array($_GET['q'])) {
    // error message: ?q[] was supplied, not a string
} else {
    // code to query database
}
?>
```
Sam
Dec 21 '07 #6
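The pattern Sam describes, carried through to a complete page, as an added example that is not code from this thread or from any of its posters. It assumes PHP 8, a MySQL table `products(id, name)` reached through PDO, and the placeholder DSN, user and password shown; the vulnerable function is kept beside the hardened one so the difference is visible.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. It assumes a MySQL table
// `products(id, name)` reached through PDO; the DSN, user and password below
// are placeholders.

// VULNERABLE: the raw value of ?q= is spliced into the SQL text. Requesting
//   index.php?q=%27%20OR%201%3D1%20--%20        (decoded:  ' OR 1=1 -- )
// turns the WHERE clause into   name LIKE '%' OR 1=1 -- %'   and returns every row.
function search_vulnerable(PDO $db, string $q): array
{
    $sql = "SELECT id, name FROM products WHERE name LIKE '%" . $q . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: refuse anything that is not a plain string (Sam's ?q[] case) or is
// unreasonably long, escape the LIKE wildcards so the user cannot widen the
// match, and pass the value as a bound parameter. A bound parameter is sent
// to MySQL as data and is never parsed as SQL, so quotes in it are harmless.
function search_safe(PDO $db, mixed $q): array
{
    if (!is_string($q) || $q === '' || strlen($q) > 64) {
        throw new InvalidArgumentException('q must be a non-empty string of at most 64 bytes');
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name LIKE :pat LIMIT 100');
    $stmt->execute([':pat' => '%' . addcslashes($q, '%_\\') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The XSS half of Sam's warning: escape on output, so a stored name such as
// <script>alert(1)</script> is displayed as text rather than executed.
function render_results(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

try {
    echo render_results(search_safe($db, $_GET['q'] ?? null));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad search term.';
}
```

The `is_array` test from the post above becomes `is_string` here, which also rejects the missing-parameter case (`null`) in one check. Note that the prepared statement, not the length limit or the wildcard escaping, is what stops the injection; the other two checks only limit what a legitimate search can do.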

ak1dnar
Expert 100+
P: 1,584
I mistakenly removed this post from the thread while removing other spam content. Sorry about this.

Original poster : nathj
==============================================


Thanks :) I am using GET only for querying MySQL, and I use only POST to insert or edit in the database.

Looks like I need to write a function though :) hmmm...

I guess it should be something like filtering user data. Can anybody post code for this?


Hi,
If I've understood this correctly, you have a login form that takes sensitive user data, such as a user name and password, and you are submitting this via the GET method? If that is correct, you really need to change it. Having such information in the URL query string is a bad idea.

If I've misunderstood, then my apologies.

For such things I use a form that submits data to the server via a secure connection, and this then calls a function on an object to log the user in and set up the session variables and the user object. This object directly controls the user experience of my site.

Perhaps some research around these ideas would be time well spent.

Cheers
nathj
Keep on trying and keep on learning
Dec 22 '07 #7
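The login flow nathj outlines (form submitted by POST over a secure connection, a function that logs the user in and sets up the session), written out as an added example rather than nathj's own code. It assumes PHP 8, a table `users(id, username, password_hash)` whose `password_hash` column holds output of PHP's `password_hash()`, a PDO connection with placeholder credentials, and that the page is served only over HTTPS; the table, column and redirect target are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not nathj's own code. It assumes a table
// `users(id, username, password_hash)` where password_hash holds the output of
// PHP's password_hash(), a PDO connection, and that the page is served only over
// HTTPS; table, column and connection names are placeholders.

// Session cookie: only over TLS, not readable by script, not sent cross-site.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Credentials must arrive in the POST body, never in the query string, where
// they would be written to browser history, proxy logs and Referer headers.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Submit the login form with POST.');
}

// Returns the user's id on success, null on any failure. The caller gets one
// generic error either way, so it cannot tell a bad username from a bad password.
function login(PDO $db, mixed $username, mixed $password): ?int
{
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return null;                             // covers username[]=... style input
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$userId = login($db, $_POST['username'] ?? null, $_POST['password'] ?? null);
if ($userId === null) {
    http_response_code(401);
    exit('Invalid username or password.');
}

// New session id at the moment of login, so an id an attacker planted before
// authentication (session fixation) is not the one that becomes logged in.
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
header('Location: /account.php', true, 303);
exit;
```

The HTML form that feeds this needs `method="post"` and an `action` on the same HTTPS origin; the POST-only check at the top is what makes the switch from GET enforceable rather than a convention, since anyone can still type `login.php?username=...&password=...` into the address bar.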
