[Tutorial] Handling input safely

Bleed-Obsidian · July 24, 2012, 3:36pm

Hello Everyone,

Here to give you some tips with handling input.

Handling input

Lets start with the form:

<form method='POST' action='php/echo_input.php'>
	<p>Name:<input type="text" name="name"/></p>
    
    <input type='submit' class='buttonlo2' value='Submit' />
</form>

It’s a basic form and won’t look great but you can worry about that.

Take note of 'method=‘POST’ ’ and 'action=‘php/echo_input.php’ ’ this is important for the PHP and change the ‘action’ to where your PHP file is.

The method tells the form to ‘POST’ it to ‘php/echo_input.php’ when the Submit button is pressed.
You can set the method to ‘GET’ but this can be a Security issue when dealing with login forms and things.
‘GET’ posts the value of the form into the URL. So say if I entered ‘Billy’ into the form it would take me to ‘php/echo_input.php?name=Billy’

Ok, Now the php. I called my php file ‘echo_input.php’ but you can call your’s whatever but remember to change ‘action’

First we want to get the form data so lets do:

[php]
//Get form input
$name = $_POST=[‘name’];
[/php]

We set the name as a variable. ‘$_POST’ is what we use to get ‘POST’ data and ‘[‘name’]’ is what the name of the form text box is called.

Ok, now we could just echo the value of ‘$name’
[php]
//echo name
echo $name;
[/php]

But if I typed “Billy” it would display in Bold.
‘’ in HTML makes things bold.
So people could type HTML into the text box witch is a Security risk.

So, How do we stop it? Well by adding:

[php]
//Strip input
$name = htmlentities($name, ENT_QUOTES, “UTF-8”);
[/php]

What this does is converts the html to plain text.
So now it displays how they typed it ‘Billy’

Is that it? No!
There are also things like “Code injection” and “SQL Injection”
These things can be very dangerous but we can stop them just like the html:

[php]
//Strip input
$name = htmlentities($name, ENT_QUOTES, “UTF-8”);

$name = mysql_real_escape_string($name); //You only need this if you are sending input to a database

$name = stripslashes($name);
[/php]

Well there we have it.

[php]

<?php //Get input $name = $_POST['name']; //Strip input $name = htmlentities($name, ENT_QUOTES, "UTF-8"); $name = mysql_real_escape_string($name); //You only need this if you are sending input to a database $name = stripslashes($name); //Echo input echo $name; ?>

[/php]

Thanks

PHKatz · December 20, 2013, 9:22pm

Bleed-Obsidian:

Hello Everyone,

Here to give you some tips with handling input.

Handling input

Lets start with the form:
<form method='POST' action='php/echo_input.php'>
	<p>Name:<input type="text" name="name"/></p>
    
    <input type='submit' class='buttonlo2' value='Submit' />
</form>
It’s a basic form and won’t look great but you can worry about that.

Take note of 'method=‘POST’ ’ and 'action=‘php/echo_input.php’ ’ this is important for the PHP and change the ‘action’ to where your PHP file is.

The method tells the form to ‘POST’ it to ‘php/echo_input.php’ when the Submit button is pressed.
You can set the method to ‘GET’ but this can be a Security issue when dealing with login forms and things.
‘GET’ posts the value of the form into the URL. So say if I entered ‘Billy’ into the form it would take me to ‘php/echo_input.php?name=Billy’

Ok, Now the php. I called my php file ‘echo_input.php’ but you can call your’s whatever but remember to change ‘action’

First we want to get the form data so lets do:

[php]
//Get form input
$name = $_POST=[‘name’];
[/php]

We set the name as a variable. ‘$_POST’ is what we use to get ‘POST’ data and ‘[‘name’]’ is what the name of the form text box is called.

Ok, now we could just echo the value of ‘$name’
[php]
//echo name
echo $name;
[/php]

But if I typed “Billy” it would display in Bold.
‘’ in HTML makes things bold.
So people could type HTML into the text box witch is a Security risk.

So, How do we stop it? Well by adding:

[php]
//Strip input
$name = htmlentities($name, ENT_QUOTES, “UTF-8”);
[/php]

What this does is converts the html to plain text.
So now it displays how they typed it ‘Billy’

Is that it? No!
There are also things like “Code injection” and “SQL Injection”
These things can be very dangerous but we can stop them just like the html:

[php]
//Strip input
$name = htmlentities($name, ENT_QUOTES, “UTF-8”);

$name = mysql_real_escape_string($name); //You only need this if you are sending input to a database

$name = stripslashes($name);
[/php]

Well there we have it.

[php]
<?php //Get input $name = $_POST['name']; //Strip input $name = htmlentities($name, ENT_QUOTES, "UTF-8"); $name = mysql_real_escape_string($name); //You only need this if you are sending input to a database $name = stripslashes($name); //Echo input echo $name; ?>
[/php]

Thanks

Is this correct code?

<?php if(isset($_POST['submit'])) { // Added not to display "please fill out all reqired fields". $name = htmlentities($_POST['name', ENT_QUOTES, "UTF-8"]); $email = htmlentities($_POST['email' , ENT_QUOTES, "UTF-8"]); $website = htmlentities($_POST['website' , ENT_QUOTES, "UTF-8"]); $message = htmlentities($_POST['message' , ENT_QUOTES, "UTF-8"]); $time = time(); @ $fp = fopen('comments.log','a'); if (!$name || !$email|| !$website || !$message ) { echo "Please fill out all required fields";} else { if(strlen($name) > 0 && strlen($message)> 0) { if(filesize('comments.log') >= 0) { $pre ='
'; } } $outputstring = $pre. '

'.$name.'. '.date('F j Y \a\t h:i a',$time).'

'.$message .'

'; @fwrite($fp, $outputstring, strlen($outputstring)); fclose($fp); echo ""; // changed from Header( ) } } ?>

Name:
Email:
Website:
Comments:

Comments:

<?php include "comments.log" ?>

JimL · December 21, 2013, 1:34am

Good post (y)

You should mention parameterized queries, as escaping for sql was made redundant 10 years ago.

Also type-hinting works for all of these.
php $ unescapedNumber;[/php]

PHKatz · December 21, 2013, 5:34am

The code I posted is without MySQL. Is there anything that’s incorrect?

Strider64 · August 20, 2014, 4:42pm

I came across how to sanitize $_SERVER[‘PHP_SELF’], I know I seen others use it in their form portion of the script not realizing just doing that isn’t safe. Put $phpself in instead of that and you should be good to go.

[php] $phpSelf = filter_input(INPUT_SERVER, ‘PHP_SELF’, FILTER_SANITIZE_URL);[/php]

fastsol · August 21, 2014, 8:28pm

I don’t know why people even put anything in the action of the form if it’s just going to post back to the same page anyway. Just avoid the php_self issue altogether and leave the action empty.

PHKatz · August 21, 2014, 9:55pm

Thank you all for the posts. Anymore replies welcomed. Will try it out.

Thanks

Strider64 · August 22, 2014, 12:48am

I agree with you 100 percent, but I even seen highly respected book authors (Larry Ullman comes to the top of my head) that does this. If he’s doing this, he’s passing down to people who read his book. Though it’s a little hard doing that with an anchor tag. Though I am going to see if it does work by leaving it blank, to see if it would work? Hmmm, it got me thinking. Though I highly doubt it for I’m trying to pass an value to the new page. I’ll get back.

Strider64 · August 22, 2014, 1:09am

I’ll be a monkey’s uncle it does work, it looks weird:
[php]$this->displayControls .= ‘Previous’ . PHP_EOL;[/php]

It works though and cleans up the code, I learn something new every day. Just leave it ******* blank! ;D

Though it might mean you can’t do a clean url, but I never seem to get around to do that anyways. I just remember that little trick if I am forced to do that were a client insisting on have clean a urls.