PHP form validation and security and security in general

I have two forms.

For my first form I use htmlspecialchars. This form uses PHP validation; it's based off of Ray's wonderful example, which just echoes the form and uses variables to alter the classes and provide text for the user.

How do I protect against SQL injection? Is there the html special chars equivalent?

I'm beginning to learn html injection, and security is a huge unknown variable, but my company has some ideas and I am getting a broad picture at a low hourly rate so we can hire people to make our ideas happen. We will use this website along with local businesses if it makes sense cost-wise to hire people.

But I'm starting at html injection, sql injection and cross-site scripting, which is a lot, and I just hope that if I do 2-3 hours a day I will be able to give my company a broad overview.

Ray PaseurCommented:
Information Technology Security is a full-time four year college major at the University of Maryland, so you may want to give more than 2-3 hours a day to the issues!

Here's a thumbnail sketch of the most important concepts.  "Filter Input Escape Output."

1. All external data is tainted by definition and must not be trusted until it has been filtered and sanitized.  This means the contents of the HTTP request variables, like $_GET and $_POST, and also the information coming into your program from cookies, from your database, from external APIs, etc.  Do not use information in a SQL query that has not been filtered and sanitized.  Do not store information in your data model that has not been filtered and sanitized.

2. If you use PDO you can get away with some reduced risk of fatal query errors.  If you use MySQLi, you must use the appropriate escape functions (methods) to make the data safe for use in a query string.  This article shows safe ways to do that.

3. Whenever you send output to the browser, you use htmlentities() or htmlspecialchars().  This prevents your output from sending toxic JavaScript to your online community.

4. PHP has its own section on security.

5. If you're storing sensitive information (like the contact lists for Ashley Madison) you would be wise to encrypt it!

6. Join OWASP and become active.  They pursue these topics full time.  Example:

There is lots more, to be sure, but these ideas will get you started thinking about the issues in the right ways.  Best of luck with it!
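A worked version of points 1 to 3 above, added here as an example; it is not code from Ray's post or from the asker's form. It filters the submitted fields, stores them with a PDO prepared statement (so the values are never parsed as SQL), and escapes everything on the way back to the browser. The table name, the field names and the use of an in-memory SQLite database (so it runs without a MySQL server; for MySQL only the DSN changes) are assumptions. With MySQLi the same role is played by a prepared statement with bind_param() or by real_escape_string() applied to every value placed in a query string.

```php
<?php
// Added example (not from the thread): "Filter Input, Escape Output" for a
// contact form. Uses PDO prepared statements and htmlspecialchars().
// Assumptions: the contact_messages table and its columns, and an in-memory
// SQLite database so the script runs stand-alone (pdo_sqlite extension).
declare(strict_types=1);

// 1. Filter input: accept only what each form field is supposed to contain.
function filterContactInput(array $post): array
{
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = trim((string) ($post['message'] ?? ''));

    $errors = [];
    if ($name === '' || strlen($name) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    }
    if ($email === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors['message'] = 'Message is required (max 5000 characters).';
    }
    return ['errors' => $errors, 'name' => $name, 'email' => $email, 'message' => $message];
}

// 2. Store with a prepared statement: the SQL text is fixed and compiled first,
//    the values are bound afterwards, so a quote in the input cannot change the
//    query. Building the string with "... VALUES ('$name', ..." would be unsafe.
function saveMessage(PDO $db, string $name, string $email, string $message): void
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
}

// 3. Escape output: data read back from the database is still external data,
//    so it is rendered as text, not as markup.
function renderMessages(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, email, message FROM contact_messages') as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
              . ' &lt;' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '&gt;: '
              . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contact_messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)');

// Constructed sample submission: a name containing a quote and a message
// containing a script tag, the two cases the three steps are there to handle.
$post = [
    'name'    => "O'Brien",
    'email'   => 'obrien@example.com',
    'message' => "Hello <script>alert('xss')</script>",
];
$in = filterContactInput($post);
if ($in['errors'] === []) {
    saveMessage($db, $in['name'], $in['email'], $in['message']);
} else {
    // In a real form these would drive the CSS classes and help text.
    print_r($in['errors']);
}
echo renderMessages($db);
```

The quote in the name is stored literally because it was bound, not concatenated, and the script tag comes back out as visible text because the output was escaped; no stripslashes() or addslashes() appears anywhere, since the escaping is done by the driver at the one place it is needed.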

burnedfacelessAuthor Commented:
Ray I have one more question

Is it safe to use strip slashes for the message of a contact form?

I just realized this is to prevent mysql queries. We don't have a database currently should I keep it or leave it?
Ray PaseurCommented:
Stripslashes() is a function that should never be needed if you're handling the data correctly.  Let me try to explain.  First, read this article about Magic Quotes.

If you have magic quotes off, you will not get any unwanted slashes in your external data.  If you have magic quotes on, you're probably running on a back-level version of PHP and you have bigger problems -- you need to upgrade PHP and that may mean you need to refactor your scripts.

When you use the escape_string() methods to prepare data for use in a query, the methods will add slashes where they are needed to escape the special characters.  When you send these query strings to the database engine, the engine will remove the escape slashes before storing the data.  When you query the database and recover data via SELECT, you need to use the escape_string() functions again before using the data in an UPDATE or INSERT query.

The only place you need to escape data strings is when you're using them in a query string.  An old function, addslashes(), exists today because it was an artifact of PHP4.  It is never used any more.

burnedfacelessAuthor Commented:
The magic quotes exist on the actual server; it recently came to my attention that messages sent by customers have a backslash. If I'm understanding you correctly, these should be kept because it is not a query string.

If I'm incorrect please post a comment I hope I'm not being disrespectful.
burnedfacelessAuthor Commented:
And again, this is an amazing overview; it makes sense from what little I learned on IRC.


edit: Cross-site scripting is how we were attacked but this overview is amazing
Ray PaseurCommented:
... recently came to my attention that messages sent by customers have a backslash.
My guess is that your server has magic quotes turned on, and this is why the backslashes are showing up.  You can check this by running the following script, shown here in its entirety.  Look into the output and search for "magic."  It should not be there!
<?php phpinfo();
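Added example, not code from Ray's posts or from the asker's server, covering both the stripslashes() discussion above and the magic-quotes check: it reports the magic_quotes_gpc state in a way that runs on old and current PHP alike, and shows why stripslashes() is only the inverse of addslashes() and damages a message that legitimately contains a backslash. addslashes() appears only to reproduce what magic quotes did to incoming data; the sample message is constructed.

```php
<?php
// Added example (not from the thread). Assumes only standard PHP.
// get_magic_quotes_gpc() always returns false from PHP 5.4 on and was
// removed in PHP 8.0, so "function missing" means the feature is gone.
declare(strict_types=1);

// Same check as looking for "magic" in phpinfo() output, but usable from code.
function magicQuotesActive(): bool
{
    // The @ silences the deprecation notice on PHP 7.4; on 8.x the
    // function_exists() test short-circuits before any call is made.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Why "just run stripslashes() on every message" is the wrong fix.
function stripslashesEffects(): array
{
    // Constructed customer message with a Windows path and an apostrophe.
    $original = 'Path is C:\temp\report.txt and it\'s fine';

    // What magic quotes did to $_POST on an old server: every quote and
    // backslash gets a backslash in front of it.
    $magicQuoted = addslashes($original);

    return [
        // Message as an old server with magic quotes on would deliver it.
        'magic_quoted'       => $magicQuoted,
        // stripslashes() undoes addslashes(), so this round-trips to $original.
        'roundtrip_ok'       => stripslashes($magicQuoted) === $original,
        // Applied to a message that was never escaped (a current server),
        // stripslashes() deletes the genuine backslashes in the path.
        'damaged_clean_input' => stripslashes($original),
        'clean_input_changed' => stripslashes($original) !== $original,
    ];
}

if (magicQuotesActive()) {
    echo "magic_quotes_gpc is ON: upgrade PHP rather than patching data with stripslashes().\n";
} else {
    echo "magic_quotes_gpc is off: incoming data carries no added slashes.\n";
}
print_r(stripslashesEffects());
```

The two boolean entries make the point: stripslashes() repairs exactly the damage addslashes() (or magic quotes) did, and nothing else, so once the server is upgraded and the backslashes stop appearing, leaving stripslashes() in the contact form would start corrupting customers' messages instead of fixing them.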


burnedfacelessAuthor Commented:
Updating PHP made that problem go away.

That is insane 2 million articles, huh?

Well I finally got a start but it's like playing an instrument so much I don't know. Gotta get to B, but going to get everything secured.

Thanks for everything.