
PHP Forms Security

what is the best way to secure forms in php?

I basically have a login system with my script and what worries me most is i directly use $_GET[$var] in mysql queries?

Any advice or suggestions related to securing forms is much appreciated :)
Dec 20 '07 #1
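The pattern the original poster describes (a $_GET value used directly in a MySQL query) next to a prepared-statement version, as an added example that is not code from the thread. It assumes PDO with the MySQL driver, a table named users with columns id and username, and a query parameter named user; the connection details are placeholders. The point it makes holds whichever form method is used: a bound parameter is compared as data, whereas a value spliced into the SQL text becomes part of the statement.

```php
<?php
// Added example, not code from the thread. It contrasts the pattern the
// original poster describes (a $_GET value spliced straight into SQL) with a
// prepared statement. Table "users" and columns "id", "username" are assumed
// names for illustration; the DSN and credentials are placeholders.

// Vulnerable: the request value becomes part of the SQL text, so a quote
// character in the input ends the string literal and the rest of the value is
// parsed as SQL. Whether it arrived via GET or POST makes no difference.
function findUserUnsafe(PDO $db, string $name): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$name'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the SQL text is fixed and the value is sent as a bound parameter,
// so it can only ever be compared as data, never parsed as syntax.
function findUserSafe(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection (placeholder DSN and credentials). Exceptions on error avoid
// silently continuing with a failed statement; disabling emulated prepares
// makes the server itself handle the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Require a plain, non-empty string (a ?user[]=... URL yields an array),
// then hand it to the prepared statement.
$name = $_GET['user'] ?? null;
if (!is_string($name) || $name === '') {
    http_response_code(400);
    exit('Bad request');
}

$user = findUserSafe($db, $name);
header('Content-Type: text/plain; charset=utf-8');
echo $user ? "Found user #{$user['id']}" : 'No such user';
```

findUserUnsafe is included only to show the shape of the problem; in a real script only the prepared-statement form should remain. The same two functions work unchanged if the form is switched to POST and the value is read from $_POST instead.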
I'm no expert, so you might want to hold out for an expert to reply, but I have been doing this for a while.

When I first started I used safeHTML, which seemed to do a good job and was quick at what it did.

I'm writing a script now and I'm trying to stay away from it, simply because I want to learn myself.

I'd suggest writing a function of some sort that would get what the user is submitting, and use regex to look for things that you don't want in your database.

The only real way to know how to secure your website, is knowing how to hack it. Maybe look on Google for some php injection tutorials and see how they work and what they look for, that way you can close the gaps.

I would be interested to see how you get on so keep us updated.

My opinion, though: you don't want to be inserting what the user types directly into your database.
Dec 20 '07 #2
nathj
938 Expert 512MB
what is the best way to secure forms in php?

I basically have a login system with my script and what worries me most is i directly use $_GET[$var] in mysql queries?

Any advice or suggestions related to securing forms is much appreciated :)
Hi,

I'd start by switching from GET to POST as the form method. Then the only sure-fire way to secure the data as it's passed to the server is SSL. At least that's what I use and it works a treat.

Cheers
nathj
Dec 20 '07 #3
Thanks :) I am using GET only for querying MySQL, and I use only POST to insert or edit in the database.

Looks like I need to write a function though :) hmmm...

I guess it should be something like filtering user data. Can anybody post code for this?
Dec 20 '07 #4
Markus
6,050 Expert 4TB
http://www.tizag.com/mysqlTutorial/m...-injection.php

The code won't write itself ;)

Good day.
Dec 21 '07 #5
helraizer1
118 100+
The $_GET method is open to XSS (cross-site scripting) and SQL injection, and is also easily broken because anyone can change the URL.

So, if you have to have a string for your variable: if someone types the URL as

www.mysite.com/index.php?q=hello - that will work because it is searching for a string

but, if they do

www.mysite.com/index.php?q[] - it will return an error because the GET is expecting a string; however, it is getting an array and thus /breaks/.

So for that, using 'q' as the GET parameter:

<?php
// Reject the request when 'q' arrived as an array (e.g. ?q[]=...)
// instead of the expected string.
if (isset($_GET['q']) && is_array($_GET['q'])) {
    // error message
} else {
    // code to query database.
}
?>
Sam
Dec 21 '07 #6
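The is_array() check in the post above extended into the kind of filtering function asked for in #4, as an added example that is not code from the thread. It goes beyond the post's single check: the value must be a string, within a length limit, and match an allowlist pattern, and it is escaped separately when written back into HTML, which addresses the XSS point raised above. The parameter name q matches the post; the length limit, the pattern, and the search-term use case are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. It extends the is_array() check
// from the post above into a small allowlist validator for query-string
// parameters, and shows output escaping for the XSS concern raised there.
// The parameter name "q" matches the post; the length limit and pattern are
// assumed for a search-term field.

/**
 * Return the parameter as a validated string, or null when it is missing,
 * not a plain string (?q[]=... arrives as an array), too long, or fails the
 * allowlist pattern. The caller decides how to respond to null.
 */
function getParam(array $source, string $key, string $pattern, int $maxLen): ?string
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $value = $source[$key];
    if (!is_string($value)) {          // arrays and anything else are rejected
        return null;
    }
    if (strlen($value) > $maxLen) {    // bound the size before running the regex
        return null;
    }
    if (preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

// Allowlist for a search term: letters, digits, spaces and a few punctuation
// marks. \A and \z anchor the whole value (\z, unlike $, does not match
// before a trailing newline); the /u flag makes \p{L} and \p{N} Unicode-aware.
const SEARCH_TERM = '/\A[\p{L}\p{N} .,\'-]{1,64}\z/u';

$q = getParam($_GET, 'q', SEARCH_TERM, 64);
if ($q === null) {
    http_response_code(400);
    exit('Invalid search term');
}

// Validation bounds what the value may look like; escaping is still required
// when it is written into HTML, because a term such as O'Brien is valid input
// but would break out of an attribute if echoed raw.
header('Content-Type: text/html; charset=utf-8');
$safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Results for <b>{$safe}</b></p>\n";
echo "<input type=\"text\" name=\"q\" value=\"{$safe}\">\n";
```

Keeping the validator generic (source array, key, pattern, limit) means the same function serves $_POST fields with their own patterns. Note that this validation does not replace a prepared statement when $q is later used in a query: the allowlist limits the shape of the input, the prepared statement keeps it from being interpreted as SQL, and htmlspecialchars keeps it from being interpreted as HTML.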
ak1dnar
1,584 Expert 1GB
Mistakenly I removed this post from the thread while removing another spam contents. Sorry about this.

Original poster : nathj
==============================================


Thanks :) I am using GET only for querying MySQL, and I use only POST to insert or edit in the database.

Looks like I need to write a function though :) hmmm...

I guess it should be something like filtering user data. Can anybody post code for this?


Hi,
If I've understood this correctly you have a login form that takes user sensitive data such as a user name and password and you are submitting this via the GET method? If that is correct you really need to change it. Having such information in the URL query string is a bad idea.

If I've mis-understood, then my apologies.

For such things I use a form that submits data to the server via a secure connection, and this then calls a function on an object to log the user in and set up the session variables and the user object. This object directly controls the user experience of my site.

Perhaps some research around these ideas would be time well spent.

Cheers
nathj
Keep on trying and keep on learning
Dec 22 '07 #7