CHAPTER 5 – TECHNIQUES TO MAKE SCRIPTS “SAFE” – Input Validation

There is only one solution to keeping your scripts running safely: Do not trust users. Although this may sound harsh, it's perfectly true. Not only might users "hack" your site, but they also do weird things by accident. It's the programmer's responsibility to make sure that these inevitable errors can't do serious damage. Thus, you need to deploy some techniques to save the user from insanity.

Input Validation

One essential technique to protect your web site from users is input validation, which is an impressive term that doesn't mean much at all. The term simply means that you need to check all input that comes from the user, whether the data comes from cookies, GET, or POST data.

First, turn off register_globals in php.ini and set the error_level to the highest possible value (E_ALL | E_STRICT). The register_globals setting stops the registration of request data (Cookie, Session, GET, and POST variables) as global variables in your script; the high error_level setting will enable notices for uninitialized variables.

For different kinds of input, you can use different methods. For instance, if you expect a parameter passed with the HTTP GET method to be an integer, force it to be an integer in your script:

<?php
$product_id = (int) $_GET['prod_id'];
?>

Everything other than an integer value is converted to 0. But what if $_GET['prod_id'] doesn't exist? You will receive a notice because we turned the error_level setting up. A better way to validate the input would be

<?php
if (!isset($_GET['prod_id'])) {
    die("Error, product ID was not set");
}
$product_id = (int) $_GET['prod_id'];
?>

However, if you have a large number of input variables, it can be tedious to write this code for each and every variable separately. Instead, you might want to create and use a function for this, as shown in the following example:

<?php
function sanitize_vars(&$vars, $signatures, $redir_url = null)
{
    $tmp = array();

    /* Walk through the signatures and add them to the temporary
     * array $tmp */
    foreach ($signatures as $name => $sig) {
        if (!isset($vars[$name]) &&
            isset($sig['required']) && $sig['required'])
        {
            /* redirect if the variable doesn't exist in the array */
            if ($redir_url) {
                header("Location: $redir_url");
            } else {
                /* double quotes so that $name is interpolated */
                echo "Parameter $name not present and no redirect URL";
            }
            exit();
        }

        /* apply type to variable; an optional variable that was not
         * sent starts as null, so no notice is raised */
        $tmp[$name] = isset($vars[$name]) ? $vars[$name] : null;
        if (isset($sig['type'])) {
            settype($tmp[$name], $sig['type']);
        }

        /* apply functions to the variables, you can use the standard PHP
         * functions, but also use your own for added flexibility. */
        if (isset($sig['function'])) {
            $tmp[$name] = call_user_func($sig['function'], $tmp[$name]);
        }
    }
    $vars = $tmp;
}

$sigs = array(
    'prod_id' => array('required' => true, 'type' => 'int'),
    'desc'    => array('required' => true, 'type' => 'string',
                       'function' => 'addslashes')
);

/* $vars is declared by reference in the function signature, so no
 * call-time & is needed (or allowed in current PHP versions) */
sanitize_vars($_GET, $sigs,
    "http://{$_SERVER['SERVER_NAME']}/error.php?cause=vars");
?>
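The (int) cast and settype() calls above coerce input rather than validate it: "12abc" becomes 12, and an array parameter such as prod_id[]=1 becomes 1. The following added example (not from the book; the 'sort' field, the limits, and the sample requests are constructed assumptions) uses PHP's filter_var() to reject such values and report which field failed:

```php
<?php
/* Added example, not from the book: reject bad input instead of coercing it.
 * The 'sort' field, the limits and the sample requests are assumptions. */
function validate_vars(array $input, array $signatures)
{
    $clean  = array();
    $errors = array();
    foreach ($signatures as $name => $sig) {
        if (!isset($input[$name])) {
            if (!empty($sig['required'])) {
                $errors[$name] = 'missing';
            }
            continue;
        }
        /* filter_var() returns false for anything the filter rejects,
         * including array values such as ?prod_id[]=1 */
        $options = isset($sig['options']) ? $sig['options'] : array();
        $value = filter_var($input[$name], $sig['filter'],
                            array('options' => $options));
        if ($value === false) {
            $errors[$name] = 'invalid';
        } else {
            $clean[$name] = $value;
        }
    }
    return array($clean, $errors);
}

$sigs = array(
    'prod_id' => array('required' => true, 'filter' => FILTER_VALIDATE_INT,
                       'options' => array('min_range' => 1)),
    'sort'    => array('required' => false, 'filter' => FILTER_VALIDATE_REGEXP,
                       'options' => array('regexp' => '/\A(name|price)\z/')),
);

/* Constructed sample requests standing in for $_GET */
$samples = array(
    array('prod_id' => '42', 'sort' => 'price'),
    array('prod_id' => '12abc'),            // (int) cast would give 12
    array('prod_id' => array('1')),         // (int) cast would give 1
    array('prod_id' => '0', 'sort' => 'rating'),
    array(),                                // prod_id missing
);
foreach ($samples as $get) {
    list($clean, $errors) = validate_vars($get, $sigs);
    $verdict = $errors ? 'rejected ' . json_encode($errors)
                       : 'accepted ' . json_encode($clean);
    echo json_encode($get), ' => ', $verdict, "\n";
}
```

Only the first sample request is accepted; because the function returns the error list instead of exiting, the caller decides whether to redirect or show a message.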
