[thelist] Form Security

Jack Timmons codeacula at codeacula.com
Tue Jul 20 09:49:54 CDT 2010


On Tue, Jul 20, 2010 at 9:35 AM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:
> That was an excellent explanation. Thanks a lot. I get your point. However what it is in the final result is a safe input that I can understand and that you haxed my script :)

Glad to have helped!

> The issue is that I am not a hacker nor am I a geek in PHP. I am almost a recent graduate and practicing PHP.

That's just fine. That's why we went over it step-by-step.

> I really don't know what a hacker can do. A hacker might be able to get some script from the internet and pass by, say, htmlentities. Then the other ones will do that. I mean, will protect the site.
> I know for a really good hacker that does not mean much :) however I believe making it harder for script kiddies is well worth it. What do you think?

There's giving your children a vitamin to keep them healthy, and then
there's locking them in a plastic bubble and not allowing them out
until they finally escape in a series of (kinda) hilarious events.

<s>We are developers</s> (wait, wrong list.) We are web people, and
our job is to make it easy for everyone to navigate our page. But,
it's also our job to leave data in a recognizable format so when mean,
grumpy database freaks like me come in, you don't have to suffer the
brow beating associated with annoying someone as sexy as I with your
overly sanitized data. (All of that but the sexy part is the joke.)

If you're worried about HTML, then you need to specifically look for
the HTML tags you're worried about, if you think htmlentities isn't
enough to prevent people from hacking your site.

I'm willing to lay a bet, though, that simply escaping the data (thus
keeping it in its purest form, which is what us information freaks
love) and escaping it correctly only when it's being output (there are
other situations, see below) is going to be just perfect for you.

(The See Below Part)

Honestly, you shouldn't be concerning yourself with cleaning your data
beyond what is required to store it in the database, unless it's
deemed you just don't want to bother storing things in there. There are
housekeeping routines you can make to get rid of outliers. As a
business, I try to make sure we place as little restriction on what's
being given, because if the customer wishes to put their first name as
"<script>Bob</script>" that is just fine, because it doesn't get put
into our system until that credit card says we're getting the money.

Now, the main purpose of the other situation is when you're passing
data onto other sections/APIs. Should you bother cleaning it? Unless
that API specifically says you need to (and I'd laugh at them if they
did), then you shouldn't, because that API is going to know best how
to sanitize incoming data, just like you're doing, and store it. So,
that's the rare exception.

-- 
Jack Timmons
@_Codeacula
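The "store it raw, escape it on output" approach from the message above, as an added PHP example that is not code from the thread or from either poster. The function names (open_db, store_name, load_name, render_name_html, render_name_json), the in-memory SQLite table and the sample value are assumptions made for this demonstration; htmlspecialchars() is used for the HTML sink where the thread mentions htmlentities(), since it escapes the same characters that matter for HTML and is the usual choice.

```php
<?php
// Added example (not from the original thread): keep the submitted value
// intact in storage, escape it only at the point of output, and choose the
// escaping by the output context. Function names, the schema and the sample
// value below are assumptions for this demonstration.

declare(strict_types=1);

// Storage: a parameterised query makes the database treat the raw string
// as data, never as SQL. An in-memory SQLite database stands in for a real
// one (constructed for this example).
function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)');
    return $pdo;
}

function store_name(PDO $pdo, string $firstName): int
{
    // No htmlentities() here: the value is kept "in its purest form".
    $stmt = $pdo->prepare('INSERT INTO customers (first_name) VALUES (:name)');
    $stmt->execute([':name' => $firstName]);
    return (int) $pdo->lastInsertId();
}

function load_name(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT first_name FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output sink 1: HTML body text or attribute value.
function render_name_html(string $name): string
{
    // ENT_QUOTES escapes both quote styles, so the same helper is safe in
    // double- and single-quoted attributes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Output sink 2: a value embedded in an inline <script> block.
function render_name_json(string $name): string
{
    // Different sink, different escaping: JSON encoding rather than HTML
    // entities. The JSON_HEX_* flags keep <, >, & and quotes out of the
    // literal so the string cannot terminate the surrounding script tag.
    return json_encode(
        $name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Walk through the thread's own example value.
$pdo = open_db();
$id  = store_name($pdo, '<script>Bob</script>');
$raw = load_name($pdo, $id);

// The database holds exactly the bytes the customer typed.
if ($raw !== '<script>Bob</script>') {
    throw new RuntimeException('stored value was altered');
}

// HTML body: the tags come out as inert text.
echo '<p>Hello, ' . render_name_html($raw) . "</p>\n";

// HTML attribute: same helper, still safe because quotes are escaped too.
echo '<input name="first_name" value="' . render_name_html($raw) . "\">\n";

// Inline JavaScript: a JSON literal with angle brackets hex-escaped.
echo '<script>var firstName = ' . render_name_json($raw) . ";</script>\n";
```

The point of splitting the helpers by sink is the one the message makes: the stored data stays recognisable, and each place that outputs it applies the one escaping that context needs, rather than a pre-mangled copy that is wrong for every context but one.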

