• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 247

Creating a function to help secure forms

I have a form and I want to make it more secure by using strip slashes. I was looking at some examples; is there a way to make that a function and attach it to every field instead of writing it on each one?

Does that make sense? The function would contain strip slashes, and then I'd call it on the field?

Is there anything else I should include in the function to help the security?
0
Asked: catonthecouchproductions
1 Solution
 
steelseth12Commented:
If magic_quotes are enabled, then an escape character (\) is added to single quote ('), double quote ("), backslash (\) and NUL (\x00), which are all possibly dangerous characters when inserted into MySQL.

If magic_quotes are off then you should use addslashes to escape those characters manually.

Below is a function that will check and add slashes if needed:
function sanitise_data() {

	// Walk every submitted POST field
	foreach($_POST as $key=>$value) {

		// Only escape when PHP has not already done so via magic_quotes_gpc
		if(!get_magic_quotes_gpc()) {

			// Prefix ', ", \ and NUL with a backslash
			$_POST[$key] = addslashes($_POST[$key]);

		}

	}

}


0
 
catonthecouchproductionsAuthor Commented:
Thank you! So how would I implement this into my script?
0
 
steelseth12Commented:
You just need to call the function sanitise_data(); before the code that processes a form.

Further than that, you could validate each field manually to see if the result is what you are expecting.
For example, if you are expecting a number you could check that the value of $_POST["telephone"] is numeric.

// Reject the field unless PHP considers the value numeric
if(!is_numeric($_POST["telephone"])) {
    print "Error telephone can only contain numbers";
}


0
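The two pieces of advice in this thread, a sanitise function run once before the form is processed and per-field validation such as the is_numeric check, can be combined into one handler. The following is an added example and is not code from either participant: it validates each expected field with PHP's built-in filter_var() and a digit-only regex (stricter than is_numeric, which also accepts values like "1e5"), and then stores the clean values with a prepared statement so that quoting is handled by the database driver instead of addslashes or magic_quotes (get_magic_quotes_gpc() no longer exists in PHP 8). The field names, the "contacts" table, the DSN and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not from the thread: per-field validation of $_POST data using
// filter_var() rules, plus a parameterised query so escaping (addslashes /
// magic_quotes) is never relied on. Field names, the table "contacts" and the
// DSN are assumptions for illustration.

// Validation rules for each expected form field. Anything not listed is ignored.
const FORM_RULES = [
    'name'      => ['type' => 'string', 'max' => 100],
    'email'     => ['type' => 'email'],
    'telephone' => ['type' => 'digits', 'max' => 20],
    'age'       => ['type' => 'int', 'min' => 0, 'max' => 150],
];

/**
 * Validate an associative array (normally $_POST) against FORM_RULES.
 * Returns [cleanValues, errors]: cleanValues holds only known fields that
 * passed; errors maps a field name to a message.
 */
function validate_form(array $input): array
{
    $clean  = [];
    $errors = [];

    foreach (FORM_RULES as $field => $rule) {
        $raw = $input[$field] ?? '';
        if (!is_string($raw)) {            // array values (field[]) are rejected
            $errors[$field] = 'Invalid value';
            continue;
        }
        $raw = trim($raw);

        switch ($rule['type']) {
            case 'string':
                if ($raw === '' || mb_strlen($raw) > $rule['max']) {
                    $errors[$field] = 'Required, at most ' . $rule['max'] . ' characters';
                } else {
                    $clean[$field] = $raw;
                }
                break;
            case 'email':
                $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
                if ($v === false) {
                    $errors[$field] = 'Not a valid e-mail address';
                } else {
                    $clean[$field] = $v;
                }
                break;
            case 'digits':
                // is_numeric() would accept "1e5" or " 12"; a digit-only regex is stricter
                if (!preg_match('/^[0-9]{1,' . $rule['max'] . '}$/', $raw)) {
                    $errors[$field] = 'Telephone can only contain numbers';
                } else {
                    $clean[$field] = $raw;
                }
                break;
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]]);
                if ($v === false) {
                    $errors[$field] = 'Must be a whole number between ' . $rule['min'] . ' and ' . $rule['max'];
                } else {
                    $clean[$field] = $v;
                }
                break;
        }
    }
    return [$clean, $errors];
}

/**
 * Insert validated values with a prepared statement: the values travel
 * separately from the SQL text, so quotes inside them cannot alter the query.
 */
function save_contact(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, telephone, age) VALUES (:name, :email, :telephone, :age)'
    );
    $stmt->execute([
        ':name'      => $clean['name'],
        ':email'     => $clean['email'],
        ':telephone' => $clean['telephone'],
        ':age'       => $clean['age'],
    ]);
}

// Usage in the form handler (constructed sample input standing in for $_POST)
$sample = ['name' => "O'Brien", 'email' => 'o.brien@example.com',
           'telephone' => '5551234', 'age' => '42'];
[$clean, $errors] = validate_form($sample);
if ($errors) {
    foreach ($errors as $field => $msg) {
        // Escape before echoing so an error message cannot inject HTML into the page
        echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "\n";
    }
} else {
    // $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');  // assumed DSN
    // save_contact($db, $clean);
    echo "Validated: ", json_encode($clean), "\n";
}
```

With the sample above the name "O'Brien" passes unchanged and is safe to store, because the prepared statement, not escaping, keeps the quote out of the SQL text; a telephone of "123abc" or an age of "abc" would land in $errors instead of reaching the database.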

 
catonthecouchproductionsAuthor Commented:
So, I have this at my header.php page:

<?php
include_once 'config.php';
include 'santise.php';
sanitise_data();
?>

So this will go for any input? And I am going to go through and make it more valid, like you said, with numerics, etc.

Can you explain that code? Just so I get a better understanding; I get it slightly.

Thanks for all of this!
0
 
steelseth12Commented:
Now that I look at it again, a better way to write it would be the one below.
Basically it will first check to see if magic_quotes are on. If they are not, then it will loop through $_POST and add slashes to every value.
function sanitise_data() {

    // Check magic_quotes_gpc once instead of on every iteration
    if(!get_magic_quotes_gpc()) {

        // Prefix ', ", \ and NUL in every POST field with a backslash
        foreach($_POST as $key=>$value) {

            $_POST[$key] = addslashes($_POST[$key]);

        }
    }
}


0
 
catonthecouchproductionsAuthor Commented:
I just checked and I do have magic quotes on? Does that code work?
0
 
steelseth12Commented:
The code first checks if magic quotes are on. If they are on then it does nothing.
0
 
catonthecouchproductionsAuthor Commented:
So I do have it on, so still use that code?

0
 
steelseth12Commented:
You will use it only for portability reasons. I use it because the applications I develop can be set up on different servers with different configurations.
If you are only going to set up your application once then there is no need for it. If you plan on reselling your application to others then you should keep it in.
0
 
catonthecouchproductionsAuthor Commented:
Alrighty, thank you! So having magic quotes on helps a ton? Security wise?
0
 
catonthecouchproductionsAuthor Commented:
Any other security steps I can take with my form?
0
 
steelseth12Commented:
If you have magic_quotes on and you validate your input data then you are 99.99% secure from sql injections.
0
 
catonthecouchproductionsAuthor Commented:
Thanks a ton man!
0
