Creating a function to help secure forms

Posted on 2007-11-25
Last Modified: 2008-02-01
I have a form and I want to make it more secure by using strip slashes. I have been looking at some examples; is there a way to make that a function and attach it to every field instead of writing it on each one?

Does that make sense? So the function will have strip slashes, and then I call it on each field?

Is there anything else I should include in the function to help the security?
 
LVL 20

Accepted Solution

by:
steelseth12 earned 500 total points
ID: 20347336
If magic_quotes are enabled, then an escape character (\) is added before single quote ('), double quote ("), backslash (\) and NUL (\x00), which are all possibly dangerous characters when inserted into MySQL.

If magic_quotes are off then you should use addslashes to escape those characters manually.

Below is a function that will check and add slashes if needed:
function sanitise_data() {

	// Walk every submitted field. If the server does not already escape
	// input with magic_quotes_gpc, add the same backslashes manually so
	// that ', ", \ and NUL are escaped before the value reaches MySQL.
	foreach ($_POST as $key => $value) {

		if (!get_magic_quotes_gpc()) {

			$_POST[$key] = addslashes($value);

		}

	}

}

 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20347358
Thank you! So how would I implement this in to my script?
 
LVL 20

Expert Comment

by:steelseth12
ID: 20347373
You just need to call the function sanitise_data(); before the code that processes a form.

Beyond that, you could validate each field manually to see that the result is what you are expecting.
For example, if you are expecting a number you could check that $_POST["telephone"] is numeric:

if(!is_numeric($_POST["telephone"])) {
    print "Error telephone can only contain numbers";

}


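The is_numeric() check above generalises to a whitelist validator for every field the form posts. The following is an added example written for this page, not code from the thread; the field names (telephone, email, name, subject), the length limits and the list of allowed subjects are assumptions chosen to illustrate the pattern. It also shows why is_numeric() is a loose test for a telephone number: it accepts values such as "1e5", " 42" and "+1.5".

```php
<?php
// Added example (not part of the original thread): whitelist validation of
// the fields a contact form might post. Field names, limits and the allowed
// subject list are assumptions made for illustration.

/**
 * Validate a form submission. Returns an array of error messages keyed by
 * field name; an empty array means every field passed.
 */
function validate_form(array $input): array
{
    $errors = [];

    // is_numeric() is looser than it looks: it accepts "1e5", " 42" (leading
    // whitespace) and "+1.5". A telephone number is a string of digits, so
    // check exactly that. The is_string() guard rejects telephone[]=... arrays.
    $telephone = $input['telephone'] ?? '';
    if (!is_string($telephone) || !preg_match('/^\d{7,15}$/', $telephone)) {
        $errors['telephone'] = 'Telephone can only contain 7 to 15 digits';
    }

    // Structured values have a PHP validator; use it rather than a home-made regex.
    $email = $input['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid';
    }

    // Free text: enforce a length limit and reject control characters instead
    // of trying to guess which characters are "dangerous".
    $name = $input['name'] ?? '';
    if (!is_string($name) || $name === '' || strlen($name) > 100
        || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'Name is required, at most 100 characters, no control characters';
    }

    // Enumerated field: compare against the exact set of allowed values.
    $allowed_subjects = ['sales', 'support', 'other'];
    $subject = $input['subject'] ?? '';
    if (!in_array($subject, $allowed_subjects, true)) {
        $errors['subject'] = 'Unknown subject';
    }

    return $errors;
}

// Constructed sample submissions standing in for $_POST.
$good = ['telephone' => '5551234567', 'email' => 'alice@example.com',
         'name' => 'Alice', 'subject' => 'sales'];
$bad  = ['telephone' => '1e5', 'email' => 'not-an-address',
         'name' => ['x'], 'subject' => "sales' OR 1=1 --"];

print_r(validate_form($good)); // empty array: every field accepted
print_r(validate_form($bad));  // one message per rejected field
```

Call validate_form($_POST) at the top of the handler and refuse to touch the database while the returned array is non-empty. Validation decides what the application accepts; it does not replace escaping or parameter binding when the value is used in a query.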

 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20347402
So, I have this in my header.php page:

<?php
include_once 'config.php';
include 'santise.php';
sanitise_data();
?>

So this will work for any input? And I am going to go through and make it more valid, like you said, with numerics, etc.

Can you explain that code? Just so I get a better understanding; I get it slightly.

Thanks for all of this!
 
LVL 20

Expert Comment

by:steelseth12
ID: 20347438
Now that I look at it again, a better way to write it would be as the one below.
Basically it will first check to see if magic_quotes are on. If they are not, then it will loop through $_POST and add slashes to every value:
function sanitise_data() {

    // Check the magic_quotes_gpc setting once instead of on every field.
    if (!get_magic_quotes_gpc()) {

        // Escape ', ", \ and NUL in every submitted value by hand, exactly
        // as magic quotes would have done.
        foreach ($_POST as $key => $value) {

            $_POST[$key] = addslashes($value);

        }
    }
}

 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20347439
I just checked and I do have magic quotes on? Does that code work?
 
LVL 20

Expert Comment

by:steelseth12
ID: 20347450
The code first checks if magic quotes are on. If they are on then it does nothing.
 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20347460
So I do have it on; should I still use that code?
 
LVL 20

Expert Comment

by:steelseth12
ID: 20347473
You will use it only for portability reasons. I use it because the applications I develop can be set up on different servers with different configurations.
If you are only going to set up your application once then there is no need for it. If you plan on reselling your application to others then you should keep it in.
 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20347499
Alrighty, thank you! So having magic quotes on helps a ton? Security wise?
 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20347501
Any other security steps I can take with my form?
 
LVL 20

Expert Comment

by:steelseth12
ID: 20347519
If you have magic_quotes on and you validate your input data then you are 99.99% secure from sql injections.
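The portability point made earlier (the same code running on servers with magic_quotes on and off) is worth seeing in working code, because the two settings otherwise give different stored values: a name typed as O'Brien is stored as O\'Brien when the input was escaped twice, once by magic quotes and once by the application. The example below is added for this page and is not code from the thread. It undoes magic quotes when they are present so the application always sees raw input, and then stores the value with a PDO prepared statement, so no addslashes() call is needed at all. Note that magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, which is why the call is guarded. The table name, column names and the in-memory SQLite database are assumptions made for the example; a real deployment would use the application's MySQL DSN.

```php
<?php
// Added example, not code from the thread. It deals with the magic_quotes
// setting portably and stores the value with a PDO prepared statement.
// The contacts table, its columns and the in-memory SQLite database are
// assumptions made for the example.

/**
 * Return the submission with magic quotes undone, so the application always
 * works on raw input whatever the server's php.ini says.
 * magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in
 * PHP 8.0, hence the function_exists() guard.
 */
function unquote_input(array $input): array
{
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return $input; // nothing was added, nothing to strip
    }
    $out = [];
    foreach ($input as $key => $value) {
        // Nested values (tags[]=a&tags[]=b) are quoted element by element.
        $out[$key] = is_array($value) ? unquote_input($value) : stripslashes($value);
    }
    return $out;
}

/**
 * Insert one contact. The SQL text contains only placeholders; the values are
 * sent separately, so a quote or comment sequence inside a field stays data.
 */
function save_contact(PDO $db, array $form): int
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, telephone) VALUES (:name, :telephone)'
    );
    $stmt->execute([
        ':name'      => $form['name'],
        ':telephone' => $form['telephone'],
    ]);
    return (int) $db->lastInsertId();
}

// In-memory SQLite stands in for MySQL here. With pdo_mysql, also set
// PDO::ATTR_EMULATE_PREPARES to false so the MySQL server, not the client
// library, keeps the statement and the parameters apart.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, telephone TEXT)');

// Constructed submissions standing in for $_POST: a name with an apostrophe,
// and a classic injection payload in the name field.
$submissions = [
    ['name' => "O'Brien", 'telephone' => '5551234567'],
    ['name' => "x', '0'); DROP TABLE contacts; --", 'telephone' => '5550000000'],
];

foreach ($submissions as $post) {
    $form = unquote_input($post);
    $id = save_contact($db, $form);
    $stored = $db->query('SELECT name FROM contacts WHERE id = ' . (int) $id)
                 ->fetchColumn();
    // The stored value is byte for byte what was submitted: no added
    // backslashes, and the payload was stored as text rather than executed.
    var_dump($stored === $post['name']);
}
// The table still exists and holds exactly the two submitted rows.
var_dump((int) $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn() === 2);
```

Run this from header.php in place of sanitise_data(): call unquote_input($_POST) once, validate the result, and pass the validated fields to prepared statements. Escaping then happens nowhere in application code, which is what removes the double-escaping difference between servers.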
 
LVL 1

Author Comment

by:catonthecouchproductions
ID: 20349637
Thanks a ton man!
